[At this time the bill is still under review by Parliament]
On April 28, 2021, five days after the attack in Rambouillet, the project arrived in the Council of Ministers. It is currently in the hands of Parliament. The objective is to harden measures taken in the framework of the fight against terrorism and intelligence. Our constitutional rights are being threatened. Indeed, the line between the protection of fundamental liberties and the protection of the Nation against terrorism is becoming more and more uncertain. Although this fight is legitimate, there is a fear of tipping over into an important limitation of human rights.
Two main aspects are addressed in this law. One on the fight against terrorism, which seals the previous measures on the state of emergency with additional details. Another on intelligence, which updates the 2015 law on data capture techniques to detect a terrorist outbreak.
The Anti-terrorist section
The main aspect of this project is to perpetuate and strengthen the measures taken by the 2017 SILT law (inforcing internal security and fight against terrorism). Indeed, in 2017 the law had introduced measures relating to the exceptional derogatory regime adopted after the attacks of November 13, 2015. This law brought the logic of the “state of emergency” into our common law.
2017 Anti-terrorist measures
The measures initially planned conferred powers on the administrative authorities without going through the approval of the judicial judge. However, a judicial decision is taken at the end of an investigation which limits disproportionate infringements of our rights and freedoms. However, the objective seems legitimate since it tends to preserve national security. But it is difficult to evaluate the proportionality of these measures because the terms of the law are quite condensed.
These measures provided powers to the prefect as :
- To order “home visits and seizures” ;
- To close places of worship ;
- To establish protective perimeters (reserved for places or events subject to a risk of terrorist acts).
Also, the law had granted powers to the Minister of the Interior :
- Decide on surveillance measures against any person when there are serious reasons to believe that his or her behavior constitutes a particularly serious threat to security and public order (or MICAS for Mesures Individuelles de Contrôle administratif et de Surveillance) ;
- To restrict the movement of an individual by preventing him from moving outside of a determined geographical perimeter (without being smaller than the municipality, nor forcing him to remain in a determined place during part of the day) ;
- In addition, individuals could be obliged to report on a daily basis at the Police Station ;
- Also, the individual could be forbidden to be in contact with certain persons likely to present a danger to public security.
The right to a fair trial, the freedom of movement, the right to a private and family life as well as the freedom to work are threatened by a potentially arbitrary and non-proportionate decision.
Moreover, these measures were temporary, they were supposed to apply until December 2020, then they were postponed until July 2021
This bill was clearly developed within a climate of tension and insecurity. As a result, political opinion is heavily weighted towards a strengthening of the norms that are usually taken under the provisional framework of the state of emergency. This risks normalizing the infringements of our constitutionally protected freedom
2021 Anti-terrorist measures
- The closure of places of worship
- The establishment of a protective perimeter
- Individual control and surveillance measures (MICAS)
- Home visits and referrals
- The possibility of closing down places of worship suspected of being linked to acts of a terrorist nature
- Prohibit a person placed under surveillance, or assigned to a residence perimeter, from attending an event where a particular terrorist risk exists
- Extend to two years the administrative surveillance measures for prison leavers sentenced to at least five years (or three years in the case of recidivism) for terrorism, compared to one year today
- Supervision by judicial measures of anti-terrorist social reintegration of these same prison leavers. It can be combined with surveillance measures. The maximum duration is one year, renewable up to five years.
It is also important to note that both the prefect and the intelligence services will be able to cross-reference the HOPSYWEB file on people hospitalized for psychiatric disorders with the file on people who present a profile of terrorist radicalization, without their consent.
The Intelligence Section
Aware of technological developments, the draft adapts and completes the law of July 24, 2015 on Intelligence. Thus, it perpetuates and extends the technique of the algorithm which consists in detecting radicalized persons who would be unknown to the intelligence services.
In 2015 it was foreseen that the Prime Minister, after the opinion of the Commission for the Control of Intelligence Techniques (CNCTR), could “impose on electronic communication operators and internet access providers, the implementation on their networks of automated processing intended to detect connections likely to reveal a terrorist threat”. (Article L851-3 of the Code of Internal Security).
While the French government had criticized industrial spying by the NSA following Edward Snowden’s revelations, it acquired equivalent tools for the benefit of its intelligence services as early as 2015. Thus, the installation of “black boxes” into Internet service providers is allowed to capture data of potential suspects. At the time, this had already caused an outcry in public opinion. Indeed, this is a mass surveillance device that indirectly influences the behavior of Internet users. It is an undeniable invasion of privacy. You will certainly refrain from doing some research when you know that you can potentially be monitored.
Basically, identification is only allowed if the algorithm has detected data characterizing a terrorist threat. But the principle of black boxes is covered by defense secrecy, so nobody really knows how the data is managed. However, it is known that the data concerned are the location, the recipient and the sender of messages, the time of sending and receiving of communication, etc. (in other words the “metadata”). The device makes it possible to identify weak signals on the data that would indicate a “threat to national security” that humans cannot detect. According to the newspaper Le Monde, 58 of the 59 attacks foiled in the last six years have been foiled thanks to human intelligence. Secondly, the implementation of surveillance must be authorized, as it is already the case with telephone surveillance.
Additionally the bill plans to extend the algorithm technique to web addresses (URLs). However, https sites have a cryptographic layer that cannot be broken. The intelligence services will then know which site is visited but they will not have access to the content. For example, they won’t be able to tell if it’s a beheading video if it’s on YouTube. This technique will be useful for sites that do not use the https protocol. The text also allows the interception of satellite communications through a proximity capture device without going through telecom operators.
The period of data retention is also extended from one month to two months. Beyond that, the intelligence services can keep data for 5 years for research and development of artificial intelligence tools.
Finally, communication service operators will be ordered by the Prime Minister to retain user connection data for one year in the event of a serious threat to national security. Here The bill has drawn the conclusions of the French Data Network decision of the Council of State of 21 April 2021. However, the Court of Justice of the European Union had issued a ruling on October 6, 2020, in which it prohibited the generalized and undifferentiated retention of metadata of the entire population for one year. An exception authorizes such a measure if “the State is facing a serious, actual and present or foreseeable threat” and the retention is justified by “safeguarding national security”. However, it is prohibited for the prevention of crime.
GDPR lays down obligations while giving some clues to secure data at the organization level.
The application of the regulation is mandatory for almost all organizations (from the moment you process personal data). If not, penalties are foreseen (up to 20 million euros and 4% of annual worldwide turnover). Beyond the financial aspect, it is the preservation of our fundamental freedoms that is at stake. However, starting by complying with the RGPD is an excellent start to become aware of the risks and to adapt the protection measures.