Introduction

In July 2015, the French Constitutional Council validated the Surveillance Law as a whole, except for a few provisions including the paramount issue of international surveillance. According to the Constitutional Council, this provision, mute on the conditions of use, of retention, and the destruction of information collected as well as on the control exercised by the national commission on the control of intelligence techniques (CNCTR), did not provide adequate guarantees for citizens.

On 1 July, L'Obs published an article unmasking the existence of a secret decree by Nicolas Sarkozy in 2008, authorising the GDSE to spy on international communications transiting by the undersea cables that link Europe with the rest of the world. This decree had no legal basis whatever, and La Quadrature du Net, the FDN Federation and the French Data Network (FDN) therefore decided to attack it on 31 August before the Council of State via two procedures, one for interim suspension and the other at its basis. On 9 September, the Council of State rendered its decision rejecting the appeal, thereby establishing its intention not to give respect for privacy [private life] absolute urgency.

On 10 September, that is, the day following the rejection of the appeal, a bill on international surveillance was filed by two deputies. This bill, in reality, comes from the government, which -- to avoid publishing an impact study and a budgetary study -- preferred to have it presented as a proposed law.

This proposed law very clearly seems to have as its object to legalise existing practises disclosed by L'Obs. The vocabulary is interesting because it speaks no longer of an intelligence law but of international surveillance. It deals with massive surveillance of international communications, unrelated to possible threats. And oversight of the CNCTR, too weak in the framework of national intelligence, is next to nonexistent in this new bill. The text omits even a mention of agreements made among the various intelligence services of different countries (dealing with the exchange of data on their respective citizens, for example), leaving a gaping legal hole in agreements which can have severe ipacts on fundamental rights and on civil liberties.

The text consists of only two articles, one to add a chapter IV on measures for surveillance of international communications to the internal security law, and the other to fill out the law of administrative justice.

Disproportionate and unintelligible conclusions

The text refers to article L. 811-3 of the law of internal security, introduced by the intelligence law. Surveillance may be authorized "for the sole purpose of defense and of promoting the nation's fundamental interests". These are extremely broad conclusions, including the following list:

• National security;
• The essential interests of foreign policy and the execution of France's European and internal engagements;
• France's essential economic and scientific interests;
• The prevention of terrorism;
• Preventing the reconstitution or maintenance of groups dissolved in application of article L. 212-1;
• The prevention of organized criminality and delinquance;
• The prevention of collective violence which seriously harms the public peace.

In their amicus curiae submitted to the Constitutional Council to support the parliamentary referral of the intelligence law, FDN, FFDN and LQDN have brought to light the disproportionality of certain conclusions as well as their unintelligibility. These conclusions are all reprised by the proposed law on international surveillance, permitting massive surveillance of communications for each of these conclusions, thus legalising all activities of counterespionage, economic espionage, but also espionage on civic organizations, broadly referred to by the text.

Mass surveillance

The text foresees the possibility for the intelligence services to massively collect all data on the communication systems designated by the Prime Minister (Art. L. 854-1 II). It leaves to the Prime Minister to decide which communication systems are covered. Nothing is specified in the law. So these authorizations will evolve along with the evolutions of communication techniques, without the citizens' being able to have a clear view of what techniques may be put in place by the intelligence services. No limit is foreseen to their duration.

Thus all data passing through these communication systems will be collected, and the Prime Minister's authorisations affect only the use of intercepted data. These authorisations will be extremely broad:

• For a renewable period of one year for the non-individualised use of metadata for one or more of the conclusions given and the types of use set in place. This therefore means massive analysis of collected metadata with no prior goal; and the totality of all metadata (not relatable to France), including European citizens, can be massively gathered and used with no prior control.
• For a renewable period of four months for communications or metadata originating from geographical zones (all of Africa, all of North America, all of South America), organisations (all of company X, all of NGO X), persons, or defined groups of persons. This measure allows putting in place massive surveillance of communications more or less target according to need. The argument of battling terrorism does not suffice to justify such surveillance; and the broad goals are economic espionage, counterespionage, or spying on civic organisations. Contrary to the black boxes which are restricted to the fight against terrorism, all these conclusions are valuable here.

Necessary amendments:

• Include in the law the list of communication systems that may be uses
• Exclude the possibility to put in place non-individualised use of intercepted metadata
• Authorise only targeted collection and targeted use concerning specific groups or persons to be watched

Modifications by the Senate:

• Only the Prime Minister will be able through a motivated decision, to select the networks of electronic communications on which the interceptions will be authorised. It will not be allowed to the persons selected by the PM. However, this modification does not bring a supplementary guarantee.
• The authorisation of exploitation of the "non-individualised" connection data were about "the objectives pursued" and "the type of automatic processes that can be applied". The Senate added "the motivations of the measures" as well as "the service or services (...) in charge of this exploitation". The authorisation is always given for one year renewable. The modifications will allow to force to more precision on every given authorisation but do not give a major amelioration.
• The same precisions were given by the authorisation of the exploitation for the communication or connection data.
• The proposition included the possibility to exclude some subscription numbers or technical user identifications of all type of surveillance or in particular access conditions to communications. This proposal was deleted by the Senate. It was aiming at processing differently identified individuals (such as politicians for instance).

Inadequate protection for communication related to the national territory

The proposed law foresees the wholesale collection of all international communications, including those originating or received abroad. This implies collection by default of communications among persons whose identifiers can be connected to the national territory (French telephone number or French IP address), but whose communications will pass through a foreign country (using services whose servers are situated abroad like Google, Hotmail, and Skype, for example. For more details, see especially §9.1 of the amicus curiae brief.

It is specified that individual communication surveillance of persons using subscription numbeers whose technical identifiers can be connected to the national territory are not subject to this rule (French telephone number, French IP address). It will therefore be possible to collect these persons' communications, but those will be "instantaneously destroyed". The implies specific intervention to destroy communications connected to France -- automatic or manual, the text specifies nothing.

On the other hand, "French citizens" whose communications are not connected to the national territory do not benefit from the protection reserved for persons whose communications are connected to the national territory. The text introduces a rupture in the universality of rights between French citizens connected to the national territory and French citizen not connected to the national territory but also regarding European citizen who are not protected by the text. The instant destruction of the those communications (as soon as it is noticed that there are not connected to the national territory, i.e. after collecting and stocking) does not constitute a guarantee to the respect of privacy and liberties of communication and information.

Electronic communication between a person or an equipment connected to the national territory or another person not connected to the national territory are subject to common law but with a lengthening of the period of conservation of communication, lengthening totally unjustified.

Two exceptions are specified in the text and allowing intelligence services to put in place their international surveillance technique for communication connected to French territory. The persons who communicate from abroad who are:

• subject to a security authorisation in application of the article L. 852-1 on the date who they left the French territory,
• or identified as representing a threat to the fundamental interest of the Nation under the article L. 811-3.

On the one hand, it gives to the different intelligence services a right of communication, even the possibility for the DGSI (French National Services) to use DGSE techniques (French Foreign Services), without a prior notice of the CNCTR (Independent authority controlling the Services). On the other hand, the Prime Minister can decide alone and without any control that a person represents a threat regarding the fundamental interests of the Nation (notion that appears in the article 851-2 of the French Surveillance Law).

Necessary amendments:

• Delete the second exception for the identified individuals representing a threat, considering the absence of definition of this notion
• Forbid the massive collection of communications
• In case of the precedent amendment wouldn't be adopted, foresee to bring back the length of conservation of communications when at least one person is connected to the national territory at the same length that provided in common law.

Insufficient guarantees from professions whose confidentiality is protected

In order to respect the jurisprudence Digital Rights of the CJUE, French Law must provide special protection for communications of person subject to professional secrecy such as journalist (whose sources' confidentiality is protected) or lawyer. French surveillance law brings a deficient protection to lawyers, journalists, MPs and magistrates only regarding their professional correspondences. Now it is impossible to sort out a priori the private communications from the professional communication. This involves collection, processing and an "omission" from the intelligence services if the communications are private.

The bill on international surveillance provides that only persons exercising in France a warrant or a profession mentioned in Article L. 821-7 (lawyer, journalist, MP, magistrate) cannot have their communications monitored individually because of the exercise of the warrant of profession.

Therefore:

• firstly, it is necessary that people are practising in France. Thus, parliamentarians, journalists and European lawyers (and a fortiori those working outside the EU) can be surveilled individually under this law. The protection of journalists' sources is totally violated under that provision. Additionally, this article introduces a breach of equality for lawyers practising in Europe or elsewhere because they can ensure professional secrecy.
• on the other hand, people working in France are still protected in the context of the exercise of the warrant of their profession. But, it is impossible to recognise in advance if the communications are within the mandate or profession and such a provision, already criticized in the French surveillance law, implies an authorisation of surveilling all communication in order to make a distinction between those within the private sphere and those within the professional sphere.
• Finally, it is specified that only the individual surveillance is excluded for people working in France. Thus, the massive collection of data and communications is possible.

Necessary amendments

• "People practising under a mandate of a profession mentioned in the article 821-7 cannot have their communication individually surveilled."

This amendment replaces the conformity with the Universality of Rights.

• The words "regarding the exercise of a mandate of a profession concerned" are deleted.

Modifications made in the Senate: No modifications.

Non justification for an extension of the data retention period

In their explanatory statement, MPs Patricia Adam and Philippe Nauche justify an extension of the data retention period with the common law, by "the different situations in which people are under surveillance residing abroad, on which the French state response capabilities are more limited than for persons residing in France". This explanation cannot justify such an extension of the retention period, already extremely generous in the common law. Thus he would have to remain in the already significant deadlines for national collections, in order to respect the principle of Universality of Rights.

As for the French Surveillance Law, it is left to the discretion of the services the need to keep or not the collected data, within the deadlines. Without effective control, that discretion leaves too much leeway for services regarding the violations of rights and freedoms that constitute mass collection of data.

Necessary amendments:

• Correspondences: Going back to 30 days from the collection (the text tables 1 year form the exploitation and 4 years top from the collection)
• Connection data: Going back to 4 years from collection (the text tables 6 years from the collection)
• Encryption: Going back to 6 years after collection (the text tables 8 years from collection)

Modification from the National Assembly: The information collected can be kept beyond the periods mentioned in the law if they contain elements of cyber attack or if they are encrypted, or if they are decrypted elements to encrypted information. No limit of time is mentioned. This information can be retained only for the purposes of technical analysis including decryption. This addition takes over the wording of Article L.822-2 of §1 the French Interior Code, established by the Law of 24 July 2015 concerning the intelligence.

Limited a posteriori control

The National Commission of Monitoring of Intelligence techniques (CNCTR) created by the French Surveillance law is the controlling body of international surveillance. However, if it has the right to be informed of any given permissions, its opinion is not necessary to set up international surveillance techniques. So there is no a priori control. The CNCTR has access to traceability systems and collected information. It can control a posteriori and to inform the Prime Minister of any breaches. In case of abuse, it may bring it before the French Council of State.

It was revealed repeatedly the agreements between different intelligence services for example on the exchange of data from their respective citizens. The possibility for French services to sign such agreements is not even mentioned in the text. It is absolutely necessary to provide for a priori control of such agreements, as well as their implementation by the CNCTR.

This bill seems very clear aim to legalize existing practices revealed by The Obs. The wording is interesting because we no longer talk of a law on intelligence but on international surveillance. It is indeed a massive surveillance of international communications regardless of possible threats. And control from the CNCTR, too weak in the context of national intelligence, is almost nonexistent in this new proposal. The text fails to mention the conclusion of agreements between the various intelligence services of different countries (covering... for example), leaving a gaping loophole on agreements that can be extremely detrimental to the civil rights and freedoms.

'Necessary amendments: "The CNCTR receives <insert> 'immediately</insert> information of all the authorizations referred to in II." This amendment aims to allow immediate reaction of the CNCTR, failing to be consulted as part of the authorization. It might as well quickly oppose the authorisation of permissions.

• At the conclusion of cooperation agreements between the French intelligence services and those from other countries, the proposal is subject to CNCTR which must give its opinion within a maximum of two weeks. If despite a negative opinion of the CNCTR the agreement is concluded, the CNCTR may inform the Council of State. The CNCTR has a direct and permanent access to information and exchanges made under these agreements.
• Provide sufficient human and financial resources for the CNCTR for an effective control.