Yesterday evening, the French Constitutional Court released its opinion on the “French Patriot Act”, orProjet de loi relatif au renseignement, a law that increases France’s surveillance capabilities, and expands the power of the Executive Branch at the expense of users’ rights to privacy and freedom of expression. While the Court allowed surveillance to continue within France, there may be a silver lining, as the text suggests that surveillance by French intelligence in foreign countries is unconstitutional.
Still, Access is outraged by the Court’s decision to uphold the vast majority of the provisions passed in France earlier this year, disregarding the serious concerns that a large number of civil rights groups, technology companies, human rights defenders, and politicians expressed over the clear violation of the right to privacy and the fundamental contradictions with France’s commitments to protect civil liberties.
Those concerns were strongly echoed by the UN Human Rights Council, which criticised the bill just a few hours before the Constitutional Court released its opinion. The Human Rights Council stated that it is particularly concerned over the risks raised by “the extremely vast and invasive powers that the legislation gives to surveillance agencies” and the lack of appropriate judicial oversight and remedy mechanisms.
Deeper analysis of the decision
1. Lack of oversight
The French Executive branch and the “national committee for control on intelligence techniques” established by the law will be in charge of the limited intelligence oversight. Despite clear risks to the principle of separation of powers and independence, the Court ruled that the composition of this new body, mostly made up of members appointed by political institutions, is in line with the Constitution. The Court also added that it is not problematic that the law only requires one of the members to have expertise on electronic communications. (This is not entirely surprising when the members of the Court are also appointed by political institutions and are not required to have any legal training.)
2. The law likely contravenes EU case law
Importantly, the Court overlooked the recent ruling from the Court of Justice of the EU (CJEU) on data retention when evaluating its compatibility with the French Constitution. The CJEU decision, known as the Digital Rights Ireland case (“DRI”), invalidated the controversial Data Retention Directive — which required the retention of telecommunication data for up to two years — for breaching the fundamental rights to privacy and data protection. The French intelligence law goes even further than the invalidated EU legislation, as it requires the retention of communications data and metadata for at least 30 days and up to 6 years, depending on the type of data. It’s highly likely the law contravenes the CJEU ruling.
3. Silver lining: third country surveillance is unconstitutional
While the Court broadly overlooked the impact of the intelligence law on the right to privacy, one aspect of the ruling may set an important precedent in the fight against mass surveillance. The Courtdeclared the surveillance of communications in third countries to be unconstitutional. Through the Snowden revelations, we learned that French intelligence services are conducting mass surveillance in a large number of foreign countries. While this clause would not stop these practices, it could provide a basis for future legal battles.
Notably, the Court also invalidated a provision from the intelligence law that would have allowed the establishment of surveillance measures “in emergency cases” where no authorisation would have been required. A third provision about the funding of the new oversight body created by the law has also been declared unconstitutional.
4. Laundry list of privacy-invasive powers authorised by this ruling
The Court decision officially authorised the vast expansion of the powers of the intelligence services, with limited oversight and remedies, putting fundamental rights and liberties at risk:
- Internet providers will be required to install mandatory “black boxes” that collect and store all internet connection data. Using algorithms to detect and report suspicious online behaviour, “black boxes” create an inherently disproportionate system of mass surveillance. Through the automated processing of data, black boxes are also likely to produce “false positives”, placing innocent citizens under surveillance.
- Additional surveillance measures, such as International Mobile Subscriber Identity catchers “IMSI-catchers”, will be deployed. “Tricking” your mobile device so that you think you’re being connected to a cell phone tower, IMSI catchers in fact vacuum up all communications — including from people not suspected of any crime — within a given geographic area.
- No warrant is required for phone tapping and access to private communications, such as email.
Read more: https://www.accessnow.org/blog/2015/07/24/french-court-allows-mass-surveillance-inside-france-vague-on-outside