We will, we will, watch you: codifying mass surveillance in France

Earlier today, the French Senate adopted the highly controversial Projet de loi sur la surveillance des communications internationales, better known as the Surveillance bill. The bill enables the indiscriminate mass surveillance of millions of individuals in France and abroad, with no mechanism for independent oversight and judicial control. It is now only a matter of days before François Hollande, the President of France, signs the bill into law.

The bill had met vigorous opposition from civil rights groups and NGOs. This included our petition opposing its passage, which we delivered to the French Senate prior to the vote. You can read our press statement here.

What’s in the bill?

What will this mean for privacy in France and globally? Here’s a look at how intimate the Director General for External Security (DGSE) is about to become with your data under the auspices of the bill. The bill:

  • authorises the monitoring of communications that are sent or received abroad;
  • enables the Prime Minister or one of his delegates to issue a permit to access personal data in order to obtain, among others, the geographic locations of organisations, groups, or individuals;
  • enables the issue of a one-year permit (renewable) for authorities to use personal and login data to create profiles and “predict patterns” of a person’s activity;
  • provides for data retention periods of four, six, or eight years, depending on whether the information collected is content, metadata, or encrypted content that has been decrypted by the government, respectively, and finally;
  • allows for the indefinite retention of any information that is in any way pertaining to a “cyber attack,” whether it is encrypted or not.

That is in addition to the provisions in the previously passed Intelligence law, a.k.a. the “French Patriot Act”, which requires:

  • telecommunications companies to install “black boxes” on their networks, which use an algorithm to indiscriminately sweep data for suspicious activity;
  • data to be retained from 30 days to four years, depending on the retention mandate and data type;
  • collection of information and documents of individuals broadly identified as a threat;
  • collection of login information (the access to which has been extended under the Surveillance law);
  • creation of a commission, Commission Nationale de Contrôle des Techniques de Renseignement, to oversee the legality and justification for surveillance (which might nevertheless be overruled by the Prime Minister); and
  • interception of any electronic communication likely to reveal intelligence information.

Words like threat, suspicious, and technology remain conveniently undefined in both pieces of legislation, allowing a frighteningly broad mandate.

The French Data Protection Authority (CNIL) has voiced its objections to the way these laws violate aspects of both French and European law. Supporters justify the legislation by claiming that France cannot hope to protect its citizens by monitoring only within its borders. However, politicians across Europe continue to contend that national security should not come at the expense of European citizens’ privacy and data rights. And while France’s previous surveillance endeavorsmay now be the worst kept secret in Europe, it is worrying now to see them protected by an air of “legality”.

Can it be challenged?

Since the Senate advanced the law, it can be submitted to the French Constitutional Court for review. This may bode well, since this court has already ruled that several provisions of the preceding Intelligence law are unconstitutional. Furthermore, a group of French journalists are also challenging the Intelligence law at the European Court of Human Rights.

We thank everyone who has taken action to fight this bill, and we will continue to fight for your rights.