New surveillance laws in France and the implications for civil liberties and basic procedural safeguards

Law makers in European democracies are challenged to draft legislations which strike a balance between the protection of citizens on one side and the ever increasing and pervasive threats of terrorism on the other side. In many instances, the application of the principle of proportionality to the States’ response to such threat is being challenged by the development of new communications technologies which while allowing for more efficient and unprecedented quality and quantity of data which constitute new threats to privacy and individual liberties. All surveillance laws passed these past couple of years in the EU and in France and in the UK in particular have somehow “normalised” the system of mass surveillance and retention of personal data by the state which was first brought to the attention of the public by Edward Snowden’s reports in June 2013.

In the wake of the terrorist attacks at the Charlie Hebdo offices on 7 January 2015, France adopted a very controversial Law on Intelligence of 24 July 2015 (Law no2015-912) reflecting the will of the government to gain increased powers of control potentially at the expense of civil liberties, in the name of national security but also surprisingly other state interests.

Admittedly, the law has the merit to provide France with a single legal framework for its intelligence gathering activities, by defining applicable principles, the different techniques that are used and by reinforcing control by the state and its agencies. While the government argued that the law was needed to take account of changes in communications technology, the law was heavily criticised by privacy activists as opening the door to a dangerous extension of mass surveillance by the state and threatening the independence of the digital economy.

The law established a new independent commission called the Commission for Oversight of Intelligence Gathering Techniques (the CNCTR or “Commission”). A few features of the law drew serious criticism for failing to submit the government’s powers to judicial review. Under the law, intelligence gathering activities can only be implemented subject to the Prime Minister’s specific authorisation. Although such authorisation may only be granted after the Commission’s approval, the Commission’s opinion does not bind the Prime Minister. Nevertheless, if the Prime Minister decides to ignore the recommendation of the Commission, the Prime Minister must be prepared to explain his or her reasons. There is in theory however the possibility for the Commission to challenge and appeal the Prime Minister’s decision before France’s Supreme Administrative Court, the Conseil d’Etat.

The law drew comparison with the US Patriot Act which grants broad surveillance powers to the state with state-approved eavesdropping and computer-hacking. Indeed, like the Patriot Act, the French law allows the government to monitor phone calls and emails of terrorism suspects without obtaining a warrant.

In doing so, France was merely joining countries such as the US or the UK where the authorities have the right to intercept and access people’s communications at will. Such practices although tolerated for national security reasons are still clearly perceived as a violation of the international human rights to privacy and free speech.

The most controversial provision in the new law relates probably to the so-called black boxes that intelligence agencies can require operators and hosting providers to install. Indeed, the law allows intelligence agencies to deploy algorithms to analyse traffic and log data on an anonymised basis to detect suspicious activity and potential terrorist threats, after authorization from the Prime Minister. Clearly analysing the traffic and log data of the entire population of France may constitute a violation of the proportionality principle as defined in the European Court of Justice’s Digital Rights Ireland decision (Judgment of the Court (Grand Chamber), 8 April 2014).

Dr Nathalie Moreno is an experienced commercial technology lawyer specialising in advising technology-enabled businesses on IT transactions, commercial agreements and privacy in EMEA and globally.

She advises multinational clients on UK, French and EU data protection, privacy and cyber security issues including on UK and multi-jurisdictional compliance programmes and audit projects. She also regularly advises on services, supply, distribution and licensing arrangements, internet and other e-commerce issues in the European Union. She provides advice under both English and French law after practicing in several jurisdictions including Belgium, France, USA and the UK.

She is a regular speaker at industry and legal conferences and is well known amongst UK, France and EMEA General Counsels in Europe for her expertise. She is one of the Ambassadors of the FrenchTech London group and is a French Foreign Trade advisor regularly advising French companies entering the UK market. She has recently been appointed Head of the Brexit Task Force at Lewis Silkin.