The newly enacted French legislation on intelligence services ("Loi relative au renseignement") has been almost entirely approved by the French Constitutional Court and shall fully enter into force by December 2015, at the time of the publication of the forthcoming implementation decrees.
The main purposes of the Act are to reinforce surveillance techniques and to provide a comprehensive legal framework applicable to the French intelligence services notably – but not only – in the context of terrorism prevention.
The Act encompasses a wide range of issues from wiretapping to the creation of a new control authority (Commission nationale de contrôle des techniques de renseignement). It particularly reinforces obligations bearing on providers of electronic communications services (e.g. telecom operators), internet service providers, and web-hosting service providers (altogether the "Operators") to cooperate with the French intelligence community.
Requirement to provide intelligence services with metadata on a real-time basis
Although the data retention directive was found invalid by the European Court of Justice, Operators remain required by French law to retain a wide variety of metadata.
French intelligence services could already require to be provided with "information and documents" processed and retained by the Operators notably consisting of technical data (e.g. location of devices used). Although the French legal framework has been criticized for such vague wording, the French Constitutional Court ruled that the description of the data that may have been collected was accurate enough.
The Act extends this surveillance technique and provides for the possibility of real-time collection of "information and documents" for the sole purpose of terrorism prevention. This has raised concerns about whether intelligence services would be able to directly access "information and documents". The French government, however, explicitly stated in a brief submitted to the French Constitutional Court that only Operators will conduct the collection of data on their own, and then transmit the data to the relevant services.
Requirement to implement automatic data processing on the networks
The Act also sets out a new data collection technique: Operators may be required, for the sole purpose of preventing/ countering terrorism, to implement on their network, automatic data processing designed to detect terrorism threats based on the collected "information and documents" (i.e. black boxes). The technical arrangements of such data processing remain unclear at this stage without the implementation decrees.
Even in the absence of more specific information, this new data-collection technique has attracted substantial attention, notably from the French telecom regulator which believes that such technique may affect the Operators' networks' integrity and their quality of service.
Response times, reinforced sanctions, and financial implications
The Act requires Operators to respond to request of the French intelligence service in a timely manner.
Operators are subject to a non-disclosure obligation and shall not inform any person that a surveillance measure has been carried out. Failure to comply with such requirement is punishable by a fine of up to 75,000€ and by imprisonment of up to 1 year. In addition, Operators that fail to cooperate and provide the requested data are subject to a fine of up to 750,000€ and an imprisonment term of up to 1 year.
Finally, Operators will bear the costs of these new and more stringent requirements, though they will receive financial compensation for the transfer of the requested "information and documents".
Enacted as an answer to the dramatic Charlie Hebdo attack, this new Act on intelligence services may yet result in a reduction of the public's trust in the Operators' ability to protect online privacy.