Surveillance Norms: Toward a Baseline Consensus Among Democratic States | Communication Surveillance in France

November 15, 2023

Executive Summary

  • Agencies that conduct national-security surveillance. In France, several intelligence and security agencies can initiate electronic surveillance for national-security purposes:
    • France’s external service, the DGSE (Direction générale de la sécurité extérieure), conducts both human and technical collection and is regarded as among the world’s most capable foreign-intelligence agencies.
    • The domestic service, the DGSI (Direction générale de la sécurité intérieure), collects intelligence on domestic security threats, such as terrorism and foreign espionage.
    • Specialized agencies responsible for military intelligence, military counterintelligence, organized crime, and financial intelligence can also request electronic surveillance.
  • Implementing surveillance. All domestic electronic surveillance conducted by these agencies is implemented through the “Interministerial Control Group” (Groupement interministériel de contrôle, or GIC), a body subordinate to the Prime Minister’s office.
    • The GIC is a civilian entity but is led by a senior military officer, always a General Officer. It has a workforce of roughly 250 people, mostly civilians and police officers.
    • The GIC cannot undertake its own surveillance activities; under the law, it can only implement approved requests made by the intelligence agencies.
    • The GIC interacts directly with telephone operators and Internet providers and is empowered by law to obtain data and metadata directly from them.
  • Approval process. Requests by the agencies to conduct surveillance must first be approved by the “National Control Commission for Intelligence Techniques” (Commission nationale de contrôle des techniques de renseignement, or CNCTR), an independent administrative body.
    • The nine-member CNCTR is composed of four parliamentarians, four judges, and one technical expert.
    • The CNCTR confirms that each request comports with the statutory requirements and the principles of proportionality and subsidiarity (least intrusive means).
    • After the surveillance has been conducted, the CNCTR checks that the implementation comported with the statute. To do this, it can access transcripts or other results from the surveillance and can conduct on-site inspections.
    • The CNCTR publishes annual reports, which include statistics about the number of “intelligence techniques” used each year. The reports are short, however, and provide little detail about how the CNCTR resolves issues that arise in its interactions with the intelligence services.
  • Redress. Individuals, including non-citizens, can file a complaint with the CNCTR alleging that they have been subject to unlawful surveillance.
    • If the CNCTR discovers that an unlawful technique has been used, it can ask the Prime Minister to stop the surveillance and destroy resulting data.
    • Complainants do not learn whether they were surveilled.
  • Oversight. Legislative oversight is provided by a select parliamentary committee, the “délégation parlementaire au renseignement,” or DPR.
    • The DPR oversees the CNCTR and the intelligence agencies, but does not directly review individual instances of surveillance carried out by the agencies.
  • Reforms. Since the 1960’s, France has subjected electronic surveillance to ever-greater statutory and institutional control.
    • Beginning in 1960, during the war in Algeria, domestic surveillance was based solely on written authorization by the Prime Minister, with no external oversight.
    • A 1991 decision by the European Court of Human Rights led France to enact its first major statutory framework for surveillance. The 1991 Act included several features that remain foundational to France’s current system:
      • The requirement that an independent body approve requests to conduct “security intercepts” of electronic communications.
      • A list of permissible purposes for which surveillance can be conducted.
      • Express legal authorization for the role of the Prime Minister’s office in implementing such surveillance.
    • In 2015, the Charlie Hébdo terrorist attack catalyzed a long-brewing reform of France’s surveillance laws. The 2015 Act:
      • Precisely defined a list of technical “intelligence techniques” that can be requested by the intelligence services, including real-time intercepts, metadata collection, bugging, IMSI catchers, tracking beacons, and malware.
        • Before the 2015 law, many of these techniques were available only to law enforcement, not the intelligence services.
        • The law does not authorize the use of “intelligence techniques” for bulk collection; an individual target is required.
      • Expanded the purposes for which surveillance can be authorized, to include “national independence, territorial integrity and national defense” and “France’s major economic, industrial and scientific interests.”
      • The Prime Minister’s office can unilaterally approve collection of “international communications,” including surveillance of devices registered in a country other than France, without oversight by the CNCTR.
        • The law does not address the permissibility of bulk surveillance of “international communications.”
  • Interaction with EU law. In October 2020, the Court of Justice of the European Union (CJEU) held that French law’s broad requirement that telecommunications carriers retain metadata for use in subsequent national-security investigations contravened EU data-protection law.
    • In a subsequent opinion requested by the French government, France’s highest administrative court, the Conseil d’État, held that the retention requirement, with modest changes, could be squared with EU law and the CJEU’s judgment.

Sébastien-Yves Laurent