Copyright AFP 2017-2022. Reproduction rights reserved.
A decree that took effect on October 21, 2022 would allow the government to “monitor all of your Internet, computer and mobile communications,” alarmed netizens claim in posts shared thousands of times on Facebook and Twitter since that date. Some even present this text as a means for the police to “listen to all our phone conversations”. While Prime Minister Elisabeth Borne’s decree did come into effect on October 21 and orders telecom operators, web hosts and website publishers to keep “traffic and location data” for a year, it does not introduce any new obligation to retain this metadata, which concerns the technical details of a communication: this practice has been in place for years to facilitate possible legal investigations, as several digital law specialists explained to AFP. A member of La Quadrature du Net, an association for the protection of Internet liberties, recalls however that this metadata makes possible the “cross-checking of many elements in private life”, which explains why the question of their protection has triggered, on a European scale, a “judicial saga”.
“The government organizes a tool for the general control and monitoring of [telephone] and internet exchanges among citizens for one year”, “From OCTOBER 21, the state will monitor all your communications on the Internet, computer and mobile”, Internet users have warned in publications on Facebook (1) or Twitter (2, 3) that have accumulated thousands of shares since October 21, 2022.
They cite, as a source, a decree of Prime Minister Elisabeth Borne issued on October 17, 2022 and available on the Légifrance website, or an article from the “Planetes360” website repeating the content of this text.
“Want to talk unattended? You were already, but there, from October 21, 2022, it will be legal”, meanwhile claims former yellow vest Maxime Nicolle on his Facebook page, sharing the link to the same decree, while a Twitter user denounces this text, saying that “it allows the police to listen to all our phone conversations”.
While this decree “ordering, in view of the serious and present threat to national security, the retention for a period of one year of certain categories of connection data” did come into effect on October 21 and provides that telephone and Internet service providers, as well as website hosts and publishers, must “store, for a period of one year, traffic and location data”, it does not impose any new obligation to retain this information, as some digital law specialists explain to AFP.
“There is nothing new in this decree; electronic communications operators and site hosts and publishers have had the obligation to store connection data for years”, explains Frédéric Forster, lawyer at Lexing Alain Bensoussan and specialist in telecom law.
“This decree does not bring anything new in practice”, also says Noémie Levain, lawyer at La Quadrature du Net, an association for the protection and promotion of rights and freedoms on the Internet, while emphasizing that it “does not record phone conversations”, contrary to what some publications claim, “but the metadata”.
“This is all data that revolves around communication. For a phone call, these are the numbers of the two correspondents, the time of the call. On the Internet it is the IP address, the connection time… Basically, this remains problematic because this metadata potentially makes it possible to intersect many elements in private life”, she continues.
“All these technical identifiers unrelated to the content of a communication are like the envelope into which a letter slips. This information is already very accurate and makes it possible to make deductions about many things”, adds Bastien Le Querrec, jurist and also member of La Quadrature du Net.
A long-standing practice in France
As Noémie Levain reminds us, this obligation for telecom operators and website hosts or publishers to store metadata “in case the police are required to consult with them” dates from the early 2000s; the decree of October 17, 2022 is only “the culmination of a long-running legal saga”.
“The first texts date from March 2003, with the homeland security law, in response to the attacks of September 11, 2001”, emphasizes Frédéric Forster.
In July 2004, a law amended Article L34-1 of the Postal and Electronic Communications Code (CPC), which now provides that “operators of electronic communications, and in particular persons whose activity is to provide access to communications services to the public on the Internet, delete or anonymize any traffic data” but that these “operations that tend to delete or anonymize certain categories of technical data” can be postponed “for a maximum period of one year” for “the needs of investigation, observation and prosecution of criminal offences”, for “the sole purpose of allowing”, if necessary, “providing information to the judicial authority”.
In 2014, an “overthrow” by the Court of Justice of the European Union
Two years later, on March 15, 2006, a European directive maintains this principle for all Member States, which are responsible for ensuring that data relating to communications via telephone or internet “are kept for a minimum of six months and a maximum of two years from the date of communication”, and can “be transmitted without delay to the competent authorities”.
But on April 8, 2014, a decision of the Court of Justice of the European Union (ECJ) calls this directive into question, considering that it represents an “interference with the basic rights of almost the entire population”, which is not “precisely tailored by provisions that make it possible to guarantee that it is effectively limited to what is strictly necessary”.
“This decision by the ECJ was a real game-changer, as it considered that the directive was too broad and that data retention should be more targeted and limited to what is strictly necessary – something that it then reaffirmed in a 2016 ruling”, underlines Noémie Levain, while specifying that “La Quadrature has started a complaint before the Council of State to remove the storage of these data for one year”.
In April 2021, the Council of State, on the basis of three decisions given by the ECJ on October 6, 2020, which provide that such data may be retained in the event of a serious threat to national security, considers that “the broad retention imposed today on operators by French law is well justified by a threat to national security, as required by the ECJ.”
On the other hand, it sets out the obligation for “the government to conduct, under the control of the administrative judge, a periodic review of the existence of such a threat”, this being broadly understood as including, according to the Council of State, besides a “high terrorist risk”, “the risk of espionage and foreign interference” and “serious threats to public peace, related to the increased activity of radical and extremist groups”.
“Behind the illusion of victory hides one of our worst defeats. The principle of generalized suspicion and political surveillance is valid in the long term”, La Quadrature du Net had reacted at the time on Twitter.
We are in the process of drafting our response to the decision @Council_State but in two words already: behind the illusion of victory hides one of our worst defeats. The principle of generalized suspicion and political surveillance is valid for a long time.
— La Quadrature du Net (@laquadrature) April 21, 2021
“Instead of providing for data retention only in case of a serious threat to national security as envisaged by the ECJ, the Council of State considered that France was still under this threat since the 2015 attacks and that there would simply be a review every year to see if this threat was still present”, analyzes Noémie Levain.
Investigators, magistrates and intelligence services were alerted at the time of the danger of being deprived of “fadettes” (records of communications) used in “four out of five criminal investigations”, ranging from domestic violence or theft to organized crime and terrorism. In 2020, around 2.5 million legal requests were sent to the platforms.
“Of course, we can discuss the principle of saving connection data itself. But these various decisions of the ECJ and the Council of State have not found anything wrong with the essence of the principle, except that it was necessary to specify what data it is about, because the previous formulations were too general and imprecise, which could leave telecom operators to determine for themselves what to carry”, analyzes Frédéric Forster.
An obligation defined by three decrees in 2021
On October 20, 2021, three decrees were approved by the prime minister at the time, Jean Castex, to specify the legal framework for the storage of this connection data.
“For years, the texts remained imprecise on the exact nature of ‘connection data’. Only since the adoption of these decrees, last year, do we have a much finer and more differentiated description, since the obligations of telecommunications operators are not the same as those of an editor or host of a website. They made it possible to gain in accuracy”, emphasizes Frédéric Forster.
While the first two decrees relate respectively to “data categories stored by operators” and to “data retention to identify any person who contributed to the creation of the content on the Internet”, the third issues an “order, in view of the serious and actual threat to national security, for the retention for a period of one year of certain categories of connection data”.
“The decree of October 17, 2022 is exactly the same as that of October 20, 2021: it notes that the serious threat is still there and maintains this generalized and undifferentiated data retention obligation”, emphasizes Bastien Le Querrec, noting that the same decree can be taken again after a year to renew this order.
“To ‘authenticate’ this process by the judge, the French government receives a ‘temporary’ text which it will renew as long as the ‘serious and present threat against national security’ lasts”, Hélène Lebon, a lawyer specialized in personal data law, explains to AFP, while emphasizing that if “nothing changes” in practice with this kind of decree, “at the legal level, the text hypothesizes that surveillance will probably stop one day”.
“The 2022 decree does not call into question anything that is not already specified in the 2021 decrees”, adds Frédéric Forster, with Noémie Levain emphasizing that this text is only “an application of last year’s changes, which did not themselves modify data retention practice, but only revised the framework”.