Intelligence Act (France)

The French Intelligence Act of 24 July 2015 (French: loi relative au renseignement) is a statute passed by the French Parliament. The law creates a new chapter in the Code of Internal Security aimed at regulating the surveillance programs of French intelligence agencies, in particular those of the DGSI (domestic intelligence) and the DGSE (foreign intelligence).

History
The Intelligence Bill was introduced to the Parliament on 19 March 2015 by French Prime Minister Manuel Valls and presented as the government's reaction to the Charlie Hebdo shooting. Despite widespread mobilization, the Bill was adopted with 438 votes in favor, 86 against and 42 abstentions at the National Assembly and 252 for, 67 against and 26 abstentions at the Senate. It was made into law on 24 July 2015.

Although framed by the government as a response to the Paris attacks of January 2015, the passage of the Intelligence Act was actually long in the making. The previous law providing a framework for the surveillance programs of French intelligence agencies was the Wiretapping Act of 1991, aimed at regulating telephone wiretaps. Many surveillance programs developed in the 2000s—especially to monitor Internet communications—were rolled out outside of any legal framework. As early as 2008, the French government's White Paper of Defense and National Security stressed that "intelligence activities do not have the benefit of a clear and sufficient legal framework", and said that "legislative adjustments" were necessary.

Main provisions
This section summarizes the main provisions of the Intelligence Act.

Scope
Through article L. 811-3, the Act extended the number of objectives that can justify extrajudicial surveillance. These include:
 * national independence, territorial integrity and national defense;
 * major interests in foreign policy, implementation of European and international obligations of France and prevention of all forms of foreign interference;
 * major economic, industrial and scientific interests of France;
 * prevention of terrorism;
 * prevention of: a) attacks on the republican nature of institutions; b) actions towards continuation or reconstitution of groups disbanded (article L. 212-1 of criminal code); c) collective violence likely to cause serious harm to public peace;
 * prevention of organized crime and delinquency;
 * prevention of proliferation of weapons of mass destruction.

These surveillance powers can also be used by law enforcement agencies that are not part of the official "intelligence community" and whose combined staff is well over 45,000.

Oversight
The existing oversight commission, the Commission nationale de contrôle des interceptions de sécurité, was replaced by a new oversight body called the "National Oversight Commission for Intelligence-Gathering Techniques" (Commission nationale de contrôle des techniques de renseignement, or CNCTR). It is composed of:


 * four members of Parliament designated by the Presidents of both chambers of Parliament;
 * two administrative judges and two judicial judges designated respectively by the Council of State and the Cour de Cassation;
 * one technical expert designated by the telecom National Regulatory Authority (the addition of a commissioner with technical expertise was the main innovation).

The CNCTR has 24 hours to issue its ex ante non-binding opinion regarding the surveillance authorizations delivered by the Prime Minister before surveillance begins, except in cases of "absolute emergency" where it is simply notified of the surveillance measure within 24 hours upon deliverance (article L. 821-3).

For ex post oversight, the CNCTR has "permanent, comprehensive and direct access to records, logs, collected intelligence, transcripts and extractions" of collected data. It is able to conduct both planned and in the premises where these documents are centralized (article L. 833-2-2). If an irregularity is found, it can send to the Prime Minister a "recommendation" so that she can put an end to it. One hugely significant exception to the CNCTR's oversight powers are the bulk of data obtained through data-sharing with foreign intelligence agencies (article L. 833-2-3).

Wiretaps and access to metadata
Techniques of communications surveillance covered by the Act include telephone or Internet wiretaps (L. 852-1), access to identifying data and other metadata (L. 851-1), geotagging (L. 851-4) and computer network exploitation (L. 853-2), all of which are subject to authorization of a renewable duration of 4 months.

Black boxes and real-time access to metadata
The Act authorizes the use of scanning device (nicknamed "black boxes") to be installed on the infrastructures of telecom operators and hosting providers. Article L. 851-3 of the Code of Internal Security provides that, "for the sole purpose of preventing terrorism, automated processing techniques may be imposed on the networks of [telecom operators and hosting providers] in order to detect, according to selectors specified in the authorisation, communications that are likely to reveal a terrorist threat.

Another provision limited to anti-terrorism allows for the real-time collection of metadata (article L. 851-3, for terrorism only and for a 4 months period). Initially, the provision targeted only individuals "identified as a [terrorist] threat". After the 2016 Nice Attack, it was extended by a Bill of the state of emergency to cover individuals "likely to be related to a threat" or who simply belong to "the entourage" of individuals "likely related to a threat". According to La Quadrature du Net, this means that the provision can now potentially cover "hundreds or even thousands of persons (...) rather than just the 11 700 individuals" reported to be on the French terrorism watchlist.

Computer Network Exploitation
The Act authorizes computer network exploitation, or computer hacking, as a method for intelligence gathering. Article L. 853-2 allows for:
 * access, collection, retention and transmission of computer data stored in a computer system;
 * access, collection, retention and transmission of computer data, as it is displayed on a user's computer screen, as it is entered by keystrokes, or as received and transmitted by audiovisual peripheral devices.

Considering the intrusiveness of computer hacking, the law provides that these techniques are authorized for a duration of 30 days, and only "when intelligence cannot be collected by any other legally authorized mean."

The Act also grants blanket immunity to intelligence officers who carry on computer crimes into computer systems located abroad (article 323-8 of the Criminal Code).

International surveillance
The Act also provides chapter on the "surveillance of international communications", particularly relevant for the DGSE's surveillance programs. International communications are defined as "communications emitted from or received abroad" (article L. 854-1 and following). They can be intercepted and exploited in bulk on the French territory with reduced oversight. Safeguards in terms of bulk exploitation and data retention are lessened for foreigners (though the definition of foreigners is technical, i.e. people using non-French "technical identifiers").

Data retention periods
For national surveillance measures, once communications data are collected by intelligence agencies, retention periods are the following:
 * Content (correspondances): 1 month after collection (for encrypted content, period starts after decryption, within the limit of 6 years after initial collection);
 * Metadata: 4 years (compared to a 3-year period before the adoption of the Act).

For international surveillance, retention periods depend on whether one end of the communication uses a "technical identifiers traceable to the national territory" or not, in which case the "national" retention periods are applicable, but they start after the first exploitation and no later than six months after collection (article L. 854-8). If both ends of the communication are foreign, the following periods apply:
 * Content: 1 year after first exploitation, within the limit of 4 years after collection (for encrypted content, periods starts after decryption, within the limit of 8 years after collection);
 * Metadata: 6 years

The law fails to provide any framework to limit staff access to collected intelligence once it is stored by intelligence and law enforcement agencies.

Redress mechanism
The Act reorganizes redress procedures against secret surveillance, establishing the possibility to introduce a legal challenge before the Council of State after having unsuccessfully thought redress before the CNCTR.

Criticism and legal challenges
During the Parliamentary debate, the bill faced severe criticism from several organizations including National Commission on Informatics and Liberty (CNIL), National Digital Council, Mediapart, La Quadrature du Net.

The implementation decrees of the French Intelligence Act are currently undergoing a series of legal challenges by French civil society organizations La Quadrature du Net, French Data Network and Fédération FFDN before the Council of State.