The French Constitutional Court (Conseil Constitutionnel) issued its decision n°2015-713 DC on the recently adopted Law on intelligence on 23 July 2015. Reading its decision after having read the Davis judgment of the English High Court, one wonders whether legal syllogism has suddenly been replaced by useless tautology.

The newly adopted law on intelligence is rich in hotly debated provisions. The purpose of this post is not to discuss all of them, but to focus upon Article L.851-3 and its implications in terms of data retention, data processing and data access in the light of the Court of Justice of the European Union (CJEU)’s judgment in Digital Rights Ireland, and the English High Court’s judgement in Davis (commented upon in my previous post).

To borrow from the words (while transforming them slightly) of Lord Justice Bean in Davis, the main upshots of Digital Rights Ireland are the following:

1. The use of communications data retained pursuant to data retention laws should not be permitted for purposes other than the preventing and detection of serious offences or the conduct of criminal prosecutions relating to such offences; and
2. Access to the data shall be made dependent on a prior review by a court or an independent administrative body whose decision limits access to and use of the data to what is strictly necessary for the purpose of attaining the objective pursued (See [122]).

So far so good!

The new Article L.851-3 of the French Code of Interior Security is quite long. Here is the French version:

“I. – Dans les conditions prévues au chapitre I^er du titre II du présent livre et pour les seuls besoins de la prévention du terrorisme, il peut être imposé aux opérateurs et aux personnes mentionnés à l’article L. 851-1 la mise en œuvre sur leurs réseaux de traitements automatisés destinés, en fonction de paramètres précisés dans l’autorisation, à détecter des connexions susceptibles de révéler une menace terroriste.

« Ces traitements automatisés utilisent exclusivement les informations ou documents mentionnés à l’article L. 851-1, sans recueillir d’autres données que celles qui répondent à leurs paramètres de conception et sans permettre l’identification des personnes auxquelles les informations ou documents se rapportent.

« Dans le respect du principe de proportionnalité, l’autorisation du Premier ministre précise le champ technique de la mise en œuvre de ces traitements.

« II. – La Commission nationale de contrôle des techniques de renseignement émet un avis sur la demande d’autorisation relative aux traitements automatisés et les paramètres de détection retenus. Elle dispose d’un accès permanent, complet et direct à ces traitements ainsi qu’aux informations et données recueillies. Elle est informée de toute modification apportée aux traitements et paramètres et peut émettre des recommandations.

« La première autorisation de mise en œuvre des traitements automatisés prévue au I du présent article est délivrée pour une durée de deux mois. L’autorisation est renouvelable dans les conditions de durée prévues au chapitre I^er du titre II du présent livre. La demande de renouvellement comporte un relevé du nombre d’identifiants signalés par le traitement automatisé et une analyse de la pertinence de ces signalements.

« III. – Les conditions prévues à l’article L. 871-6 sont applicables aux opérations matérielles effectuées pour cette mise en œuvre par les opérateurs et les personnes mentionnés à l’article L. 851-1.

« IV. – Lorsque les traitements mentionnés au I du présent article détectent des données susceptibles de caractériser l’existence d’une menace à caractère terroriste, le Premier ministre ou l’une des personnes déléguées par lui peut autoriser, après avis de la Commission nationale de contrôle des techniques de renseignement donné dans les conditions prévues au chapitre I^er du titre II du présent livre, l’identification de la ou des personnes concernées et le recueil des données y afférentes. Ces données sont exploitées dans un délai de soixante jours à compter de ce recueil et sont détruites à l’expiration de ce délai, sauf en cas d’éléments sérieux confirmant l’existence d’une menace terroriste attachée à une ou plusieurs des personnes concernées”.

In a nutshell, it provides that for the purposes of preventing terrorism, the Prime Minister can impose an obligation upon Internet intermediaries (and more precisely operators of electronic communications, including access providers) to process in an automated way the data on their system in order to detect connections likely to reveal terrorist threats. It is added that the processing of such data shall not allow the identifications of the persons to whom the data relates to. However, a few paragraphs later, it is provided that when the processing detects data susceptible of characterising the existence of a terrorist threat, the Prime Minister or a delegated person can, after a (non-binding) advisory opinion of an independent administrative authority (la Commission nationale de contrôle des techniques de renseignement) authorise the identification of the persons to whom the data relates.

To streamline even further the French provision, Article L.851-3 imposes a retention obligation followed by a processing obligation upon operators of electronic communications, as well as a data transfer obligation.

Such a provision is problematic for several reasons and yet the French Constitutional Court had no problem with it. According to the Constitutional Court, the provision complies with the French Constitution because: the obligation at stake can only be imposed for the purposes of preventing terrorism; two authorisations are actually needed to identify individuals; and an independent administrative authority oversees the process (while its opinion is not binding on the Prime Minister, it has the possibility of appealing the decision of the Prime Minister before the highest administrative court: the Conseil d’Etat).

Why is the provision problematic? Because of at least 4 reasons:

1. What really guarantees that the data processed will not be used for other purposes than the prevention of terrorism? In Weber, the European Court of Human Rights (ECtHR) for example had noted that the data produced by the strategic monitoring put in place had to be marked and bound up with the purposes which had justified their collection.
2. Not only does Article L. 851-1 impose a retention obligation but also a processing obligation on private parties. Nothing guarantees the transparency of the processing obviously! The potential interference with the right to privacy and to the right to the protection of personal data is thus particularly serious. This is all the more true as, looking carefully at the text, it is not clear whether the domain of the retention and processing obligations is limited to ‘traffic data’ or even ‘communications data’ (using UK law concepts).
3. When bulk data retention obligations are imposed, it is crucial to put in place a proper access regime. More precisely, access to the data shall be dependent on a prior review by an independent body that is given the ability to restrict access to and use of the data. How can a non-binding opinion really restrict access to and use of the data?
4. Article L.851-3 starts by stating that the processing should not allow the identification of individuals. But then it mentions further that identification is possible upon the Prime Minister’s request. What does this mean? The data will obviously not be anonymised, as per its standard de-identification definition anonymisation would render the whole exercise pointless! What could this mean therefore? That the derived data would need to be pseudonymised? This should imply that all operators of electronic communications will act as data controllers. Or could they be characterised as ‘mere’ data processors?

To conclude, I am speechless…

Sophie Stalla-Bourdillon