On 18 December 2013, a new law came into force in France giving the intelligence services increased access to data on telephone calls made by French citizens, for the purposes of preventing terrorism and organised crime. The new law has privacy implications for individuals and will mean that telecommunications companies and internet service providers operating in France will be subject to an increased burden to retain and provide access to telephone data on request.
Access to communications data by public authorities remains a sensitive issue in France, particularly in light of recent allegations of misuse of data by intelligence services around the world. However, it is widely accepted that such access, when properly regulated, is essential for the protection of national security. The challenge is getting the balance right between protecting individual privacy and preventing serious crime. In two recent cases, the criminal chamber of the French Supreme Court (the Cour de Cassation) was asked to consider where the balance lies.
The communications data in issue in these cases was GPS and other surveillance technology which had been used to track a number of individuals suspected of involvement in criminal activity, including terrorism and drug trafficking – Cass.Crim 22 October 2013, decision n° 13-81.945 and decision n° 13-81.949.
In the first of these cases, the court ruled that such surveillance was lawful. It was not an infringement of the suspect’s rights when carried out pursuant to an order by the investigating judge (juge d’instruction). In contrast, however, in the second case the surveillance, which had been ordered by the State Prosecutor (Procureur de la République), was held to be unlawful. The court distinguished the cases by holding that, here, it was the prosecuting authority that had approved the surveillance and that authority could not be independent or impartial. The judgments illustrate the fine line between justified access to and use of communications data and access constituting a breach to the right to a private life.
The new law
Access to communications data is the subject of a new law in France – the law of 18 December 2013 on military planning for the period 2014-2019. The new law gives increased powers to French domestic intelligence services, including the police, the gendarmerie and customs officials. These agencies will now have increased access to telephone data to facilitate the prevention of terrorism and organised crime. In addition, the new law allows the intelligence services of three government ministries (the interior, defence and economy) to access telephone data for the purposes of preventing terrorism and organised crime and in order to safeguard national security and essential data relating to scientific and economic developments in France. All of these agencies will be able to access subscription, traffic and location data. Significantly, they will also have access to connection data in real time. This will enable them to pinpoint exactly where a mobile device, such as smartphone, is being used at any given time. The new law does build in some privacy safeguards. A request to access the data must be pre-approved by a ‘qualified person’ (an individual appointed for 3 years by the National Commission for the Control of Security Interventions ‘CNCIS’) under the authority of the French Prime Minister. A request for real time monitoring is subject to a more stringent pre-approval procedure similar to that which must be followed currently if communications are to be intercepted.
The new law has provoked extensive debate. It will undoubtedly increase the administrative burden, and costs, for telecommunications companies and ISPs operating in France. Although they will not be required to retain any additional communications data than they do already under the EU Data Retention Directive, they will have to deal with a significantly increased number of access requests from intelligence agencies. This will require them to initially assess the legality of the request and then locate the relevant data. They may also be subject to an increased number of legal challenges by individuals to the disclosure of data relating to their communications.
The French data protection authority (CNIL) had publicly expressed concern before the new law was enacted as it had not been consulted on this part of the new law which did impact adversely on the privacy of French citizens. The CNIL was, however, able to have its recommended changes relayed by other means. It is interesting to note that the new law came into force shortly after a press release from the Court of Justice of the European Union in which Advocate General Mr Villalón stated that, in his opinion, the EU Data Retention Directive was incompatible with the European Charter of Fundamental rights – read the press release in English and French.