HL Chronicle of Data Protection Privacy & Information Security News & Trends

French Surveillance Law Permits Data Mining, Drawing Criticism from Privacy Advocates

Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015.  France’s Constitutional Court (“Court”) reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles.  However, a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats.  To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.

Background to the New Law

The French government presented the new surveillance law in the aftermath of the January 11, 2015 Paris terrorist attacks.  The law’s principal accomplishment is to create a single legal framework for intelligence gathering activities.  Previously, the legal provisions relating to intelligence gathering were scattered throughout different provisions of the French Internal Security Code, and there was little coherence between the various provisions.  Moreover, there has been no single overall supervisory authority for intelligence gathering activities.  The existing oversight commission, the CNCIS, lacked authority for certain data-gathering activities. (For an overview of French law before the reform, see this article.)

Intelligence Oversight Commission

The new law cures that defect by creating a new independent commission called the Commission for Oversight of Intelligence Gathering Techniques (the CNCTR or “Commission”).  Under the new law, intelligence gathering measures can be implemented only when a specific authorization is given by the Prime Minister or his or her designee.  The Prime Minister’s authorization is granted only after the Commission has rendered an opinion on the compatibility of the measure with the principles set forth in the law.  But the Commission’s opinion is not binding on the Prime Minister.  The new Commission therefore has less authority than the FISA Court in the United States, whose decisions are binding (see our international study on the subject).  Nevertheless, if the Prime Minister decides to ignore the recommendation of the Commission, the Prime Minister must be prepared to explain his or her reasons.  Moreover, the Commission can file an appeal with France’s Supreme Administrative Court, the Conseil d’Etat, to challenge the Prime Minister’s decision.

Intelligence Gathering Includes the Protection of France’s Economic Interests

The law defines intelligence gathering activity as a measure necessary to protect France’s national defense, major foreign policy interests, major economic, industrial and scientific interests, to prevent terrorism, immediate threats to public order, organized crime and the proliferation of weapons of mass destruction.  Economic espionage is expressly recognized as falling within the remit of the law.

General Monitoring of Airwaves

The new law maintains a provision in the Internal Security Code stating that the general monitoring of over-the-air radio transmissions falls outside the code.  In other words, untargeted listening of the airwaves by intelligence authorities is permitted without prior authorization.

Access to Metadata

As was the case before, intelligence agencies can obtain access to traffic data from telecom operators and to log data kept by hosting providers, including social media services.  France imposes broad data retention obligations on telecom operators and on hosting providers, and has not attempted to modify its laws since the CJEU’s Digital Rights Ireland decision.  Following the Digital Rights Ireland decision, France’s laws on data retention are probably contrary to Articles 7 and 8 of the EU Charter on Fundamental Rights.  However, to date no court in France has issued a decision on the subject, and the data retention rules remain on the books.  The Constitutional Court decision made no mention of the Digital Rights Ireland decision.

The new law permits intelligence agencies to collect traffic data and log data in real time from telecom operators and hosting providers, but only for the prevention of terrorism.  The collection of location data in real time is also permitted.

Algorithms to Detect Suspicious Activity

The most controversial provision in the new law relates to so-called black boxes that intelligence agencies can require operators and hosting providers to install.  The law permits intelligence agencies, after authorization from the Prime Minister, to analyze all traffic and log data on an anonymized basis to identify potential terrorist threats.  This analysis is done using algorithms designed to detect suspicious patterns of behavior.  When it originally presented this provision, the government argued that the data was anonymous and therefore presented no threat to privacy.  It is only when suspicious activity is identified that authorities could ask permission to identify the relevant person, and deploy more targeted surveillance.  The French data protection authority disagreed, stating that the analysis of metadata involves the processing of personal data and therefore presents a risk for privacy that had to be analyzed under strict rules on proportionality.  The Digital Rights Ireland case said that the retention of traffic data involving the entire population is a disproportionate infringement of privacy.  Consequently, many observers thought that the black box provision of the French law would also be considered disproportionate insofar as it permits analysis of metadata involving all users of telecom services or social media services, including persons for whom there is no reason to believe that they are linked to illegal activity.

The Constitutional Court did not seem troubled by the black box provision.  The Court pointed out that the algorithm only deals with metadata and does not permit the identification of individuals.  Moreover, the procedure can only be implemented after an authorization from the Prime Minister and an opinion from the Commission.  The authorization is only granted for a period of two months and its renewal is subject to certain conditions to ensure that the algorithm does not create too many false positives.  Finally, the Court points out that this provision is only allowed in connection with anti-terrorism activities.  On balance, the Court felt that the black box provision does not represent a disproportionate restriction on the right to privacy. It is troubling, however, that the Court did not even attempt to reconcile the French black box provision with the principles of Digital Rights Ireland.

The French Court’s lack of analysis contrasts with the recent UK High Court decision, in which the court directly confronted the UK Data Retention and Investigatory Powers Act 2014 (DRIPA) with the principles set forth in the Digital Rights Ireland decision. In that decision, commented on by my partner Eduardo Ustaran, the court found that DRIPA violated fundamental rights principles.