Jump to ContentJump to Main Navigation
Bulk CollectionSystematic Government Access to Private-Sector Data$

Fred H. Cate and James X. Dempsey

Print publication date: 2017

Print ISBN-13: 9780190685515

Published to Oxford Scholarship Online: October 2017

DOI: 10.1093/oso/9780190685515.001.0001

Show Summary Details
Page of

PRINTED FROM OXFORD SCHOLARSHIP ONLINE (oxford.universitypressscholarship.com). (c) Copyright Oxford University Press, 2021. All Rights Reserved. An individual user may print out a PDF of a single chapter of a monograph in OSO for personal use. date: 24 January 2021

Systematic Government Access to Private-Sector Data in France

Systematic Government Access to Private-Sector Data in France

(p.49) 2 Systematic Government Access to Private-Sector Data in France
Bulk Collection

Winston J. Maxwell

Oxford University Press

Abstract and Keywords

This chapter focuses on France’s legal framework for access to private-sector data by law enforcement and intelligence agencies. Post-9/11, France enacted provisions to require telecommunications operators and providers of hosting services to retain significant amounts of metadata. The French laws on data retention went beyond the scope of the now-invalidated EU directive on data retention, and the French laws remain on the books today in spite of a recent CJEU decision holding that similar laws in the UK and Sweden violate fundamental rights. France’s intelligence agencies have wide-ranging powers to collect data and conduct interceptions without prior court approval, including the right to analyze metadata of all French Internet users to detect suspicious patterns of behavior. In 2016, the French Constitutional Court invalidated a 25-year-old law permitting intelligence authorities to conduct untargeted monitoring of radio transmissions without supervision; so far, other provisions of government surveillance laws have survived constitutional challenge.

Keywords:   French intelligence services, surveillance, national security, data protection, data retention, antiterror law

I. Abstract

In regulating access to data by law enforcement and the intelligence services, France distinguishes between different levels of government intrusions into privacy. As is the case in most countries, real-time interception of private correspondence requires a higher level of safeguards than the disclosure of metadata.

Post-9/11 France enacted provisions to require providers of telecommunications and hosting services to retain significant amounts of traffic data and so-called “identification data,” a requirement that went beyond the scope of the now-invalidated EU directive on data retention. Even though the EU directive on data retention was invalidated by the Court of Justice of the European Union (CJEU) and similar laws in the UK and Sweden have been held to violate the EU Charter of Fundamental Rights, the French data retention laws remain on the books today.

France’s intelligence agencies have wide-ranging powers to collect data and conduct interceptions with no prior judicial approval. Those rights include the ability to analyze metadata of all French Internet users to detect suspicious patterns of behavior. In 2015 French lawmakers created an oversight committee, the CNCTR, to supervise data-collection activities by intelligence agencies, but privacy advocates argue that institutional safeguards are still insufficient.

II. Introduction

The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), is one of the world’s most outspoken privacy advocates. Yet France’s own laws give intelligence agencies far-reaching surveillance powers, including the power to collect and analyze massive amounts of metadata to detect suspicious patterns of behavior. Although approved by France’s (p.50) Constitutional Court, these provisions contribute to what some have called a “downward spiral”1 in the protection of privacy rights of European citizens against government surveillance.

France’s supreme courts (the Conseil d’Etat and the Conseil Constitutionnel) appear to accord flexibility to the French government and legislature when it comes to government surveillance laws, whereas the CJEU applies a strict proportionality test. Decisions by the CJEU and the European Court of Human Rights (ECtHR) will analyze in detail whether the surveillance measure results from a clearly drafted law, and is necessary in a democratic society. The “necessity” test generally requires a showing that the government measure is effective for its intended purpose, and is the least intrusive measure available to get the job done. By contrast, French decisions seem to limit their enquiry to whether the surveillance measures are limited in scope, and whether they are surrounded by procedural safeguards. The French decisions do not attempt to determine whether the relevant surveillance measure represents the least intrusive means available to achieve the desired objective. When reading French court decisions on government surveillance, one cannot help but think that French courts apply a lighter version of the proportionality test than do the CJEU or the ECtHR. This may only be an impression, as in theory French courts are required to apply the same test as their European counterparts. The difference may be attributable to the French courts’ concise style of drafting—the analysis of proportionality may occur behind the scenes.

The remainder of this chapter will describe how French government access to private-sector data is regulated. Much of the discussion will concentrate on France’s intelligence-gathering practices, which have significantly expanded as a result of the 2015 terrorist attacks in Paris. Like most democratic countries, France has two different legal frameworks for government surveillance. The first applies to criminal investigations by prosecutors and police authorities; the second applies to collection of data by intelligence agencies to protect the “fundamental interests” of France. As one would expect, fewer safeguards surround data collection in the context of intelligence activities. For example, intelligence authorities do not need a judge’s permission to conduct data gathering, whereas similar data gathering by judicial police would require the authorization of a judge.

The sections below will describe the investigatory powers and countervailing safeguards that apply to data gathering by French authorities, both in the context of criminal investigations and in the context of intelligence-gathering for defense of the fundamental interests of France.

(p.51) III. Data Collection in the Context of Criminal Investigations

The rules applicable to police investigations are contained in the French Code of Criminal Procedure. Those rules are similar to those in the United States and other democratic countries, requiring the prior authorization of a judge for the most intrusive forms of data searches. For example, any kind of real-time interceptions of private correspondence, whether a telephone conversation, email, or instant message, requires the prior authorization of an independent judge.2 The independent judge is either the investigating magistrate (juge d’instruction) or the judge of liberty and detention (juge des libertés et de la détention). When police clone a computer terminal and monitor it at a distance, a practice referred to in France as “capturing of computer data,” police must also seek authorization by a judge, and can only seek authorization for purposes of fighting serious crimes.3 “Capturing of computer data” is particularly intrusive because it permits police authorities to hack into a computer system, access the stored data, monitor in real time every keystroke of the terminal, and see what is displayed on the screen.

Other forms of access to computer data are deemed less intrusive of privacy and therefore are surrounded by fewer safeguards. Police authorities can require disclosure of stored computer data with varying levels of approval, depending on the stage of the investigation. If police authorities have reason to believe that a crime is in the course of being committed (flagrance), then an officer from the judicial police can require disclosure of computer data immediately, as long as the officer informs simultaneously the public prosecutor.4 If the request for computer data is made in the context of a preliminary investigation (enquête préliminaire), the public prosecutor must grant specific authority to the judicial police to proceed with the request.5 The public prosecutor is trained as a magistrate but he or she is not a judge when acting in his or her capacity as public prosecutor. Finally, if the investigation has advanced to the stage where a juge d’instruction is appointed, then the investigating judge must authorize all measures to compel disclosure of computer data.6

All of these requests for data, whether ordered by the judicial police, the prosecutor, or investigating judge, are known under French law as réquisitions. The French Code of Criminal Procedure provides that a réquisition ordering access to computer data can permit access to data that is stored in servers outside of France as long as the réquisition involves a terminal that is located in France with authorized access to the relevant data located abroad, and as long as the access (p.52) is permitted under international law.7 The location of the data itself is irrelevant. All forms of réquisition also permit access to so-called connection data and identification data stored by telecom operators and hosting providers under French law. These data storage obligations are described in Section VI below.

IV. Data Access by Customs Authorities

Customs authorities have separate authority to issue requests for computer data in connection with investigation of potential customs or tax violations.8 These réquisitions may be issued by a customs official having the rank of at least “controller,” and do not need to be approved by a judge. Telecom operators, transport companies, and airlines are among the kinds of companies that can receive orders from customs authorities for the communication of data.

V. Data Access by Intelligence Authorities

A. New Surveillance Law Creates Oversight Committee

The access to data by intelligence agencies is governed by the French Internal Security Code. The rules in the Internal Security Code provide less protection of individual rights than do the rules in the Code of Criminal Procedure. In the aftermath of the Paris terrorist attacks of January 11, 2015, France reformed its rules for intelligence gathering.9 The main accomplishment of the reform was to create a single coherent framework for intelligence-gathering techniques. Previously, the provisions were scattered throughout different parts of the Internal Security Code, creating confusion and incoherence in how different kinds of data were collected.10 Moreover, the previous oversight body for intelligence gathering activities, the CNCIS, lacked authority with regard to certain data-gathering activities, leaving those activities unsupervised by any independent body.

The July 24, 2015 Surveillance Law11 (the “2015 Law”) cures that defect by creating a new independent oversight body called the Commission for Oversight of Intelligence Gathering Techniques, the “CNCTR,” which stands for Commission Nationale de Contrôle des Techniques de Renseignement. Under the 2015 Law, data collection for intelligence purposes can be implemented only when a specific authorization is given by the prime minister.12 The prime minister’s authorization may be granted only after the CNCTR has rendered an opinion on the compatibility of the (p.53) measure with the principles set forth in the Internal Security Code. The CNCTR’s opinion must be rendered within 24 to 72 hours, and is not binding on the prime minister.13 Nevertheless, if the prime minister decides to ignore the recommendations of the CNCTR, the prime minister must give reasons for his or her decision.14 Moreover, the CNCTR can file an appeal with the Conseil d’Etat to challenge the prime minister’s decision if the prime minister disregards the CNCTR opinion.15

There are three situations where the CNCTR’s opinion is not required. The first is where a terrorist or national defense threat requires urgent action. In that case, the prime minister can issue an authorization without waiting for the CNCTR’s opinion.16 Second, the CNCTR’s opinion is not required for so-called “international” data collection, examined in Section IV(G) below. Finally, the opinion is not required for the general monitoring of radio transmissions, examined in Section IV(C) below.

The CNCTR has nine members: two are members of the French National Assembly, two are members of the Senate, two are members of the Conseil d’Etat, two are members of the Court of Cassation, and one is a person with expertise in telecommunications nominated by the French telecommunications regulatory authority, the ARCEP.17 Each of the members of the CNCTR must receive security clearance. The CNCTR’s decisions themselves are considered defense secrets.18 Individuals who think they might be spied on by French intelligence agencies can ask the CNCTR to verify. The CNCTR will then check whether appropriate legal procedures have been followed, but will not reveal to the individual whether he or she is indeed the target of surveillance.19 (This is similar to the role of the ombudsperson in the US-EU Privacy Shield arrangement.20) The CNCTR has authority to access surveillance records, except for data that has been transmitted to the French authorities by their foreign counterparts.21 Civil liberties groups complain that this opens a loophole, because French agencies can sidestep internal oversight mechanisms simply by asking foreign intelligence agencies to collect data for them.22

(p.54) B. French Definition of “Fundamental Interests of the Nation”

The 2015 Law allows intelligence agencies to gather data when necessary for the “defense and promotion of the fundamental interests of the nation.” “Fundamental interests of the nation” include national defense; major foreign policy interests; major economic, industrial, and scientific interests; the prevention of terrorism; immediate threats to public order; organized crime; and the proliferation of weapons of mass destruction.23 France’s “major economic, industrial and scientific interests” are recognized as part of the fundamental interests of the nation, thereby permitting data gathering for purposes of economic espionage. Civil liberties groups have argued that the concept of “fundamental interests of the nation” is so broad as to violate European principles of proportionality, which require among other things that laws interfering with fundamental rights be clear, understandable, and predictable.24 Many drug investigations could be considered as part of “organized crime,” making it difficult to distinguish between matters that should be subject to criminal investigations governed by the Code of Criminal Procedure, and matters that relate to intelligence activities governed by the less-stringent Internal Security Code.

C. General Monitoring of Radio Transmissions

The 2015 Law maintains a 25-year-old provision in the Internal Security Code that allowed the general monitoring of over-the-air radio transmissions without any oversight.25 Under these provisions, intelligence authorities may conduct untargeted surveillance of radio transmissions without prior authorization or any other form of supervision, as long as the reasons for doing so relate to “defending national interests.” At the request of French civil liberties groups, the Conseil d’Etat recently sent a question to the French Constitutional Court, asking about this provision’s constitutionality.26 The Constitutional Court found the provision unconstitutional because of the lack of guidance given by lawmakers on what “general monitoring of radio transmissions” consists of, and the total lack of institutional oversight for the practice.27 The Court nevertheless allowed the law to stay in effect until December 31, 2017.

(p.55) D. Access to Metadata

The Internal Security Code permits intelligence agencies to obtain access to metadata retained by telecom operators and hosting providers. As explained in Section VI, both telecom operators and hosting providers must retain broad categories of metadata for 12 months. The 2015 Law permits intelligence agencies not only to require telecom operators and hosting providers to deliver access to stored metadata,28 but also to allow collection of metadata, including location data, in real time. The real-time collection of data must be preceded by a non-binding opinion of the CNCTR, and is only permitted for the prevention of terrorism, not for the defense of France’s other “fundamental interests.”29

E. Interception of the Content of Communications

The 2015 Law maintains the ability for intelligence agencies to intercept the content of private communications for purposes of defending France’s fundamental interests, after an authorization by the prime minister and a non-binding opinion of the CNCTR.30 These so-called “security interceptions” can be implemented using otherwise illegal interception equipment, such as “IMSI catchers” that pretend to be a mobile phone base station. A recent amendment to the 2015 Law allows intelligence agencies not only to listen to communications of the targets themselves, but also to the communications of anyone in the target’s circle of contacts if those persons may provide information in connection with the intelligence objective identified in the authorization.31 After consulting the CNCTR, the prime minister must fix the maximum number of security interceptions that intelligence agencies can conduct during a given year.

F. Untargeted Analysis of Metadata

One of the most controversial provisions in the 2015 Law relates to the so-called black boxes (boîtes noires) that intelligence agencies can require telecommunications operators and hosting providers to install on their networks. After authorization from the prime minister, intelligence agencies may deploy algorithms to analyze all metadata from users of French telecommunications or hosting services in order to identify suspicious patterns revealing potential terrorist threats. When it originally presented the black box provision, the French government argued that the metadata was anonymous and that its analysis therefore presented no threat to privacy. The French data protection authority disagreed, stating that the analysis of metadata involves the processing of personal data and therefore presents a risk (p.56) for privacy that had to be justified under strict rules on proportionality.32 The provision seemed to contradict the CJEU’s Digital Rights Ireland decision, which states that the retention of traffic data involving the entire population of users in a country constitutes a disproportionate infringement of privacy.33 Similarly, in the Schrems decision,34 the CJEU found that massive surveillance is incompatible with the EU Charter of Fundamental Rights. Consequently, many observers thought that France’s black box provision would also be considered disproportionate because it permits analysis of metadata involving all users of telecom services or social media services in France, including persons who are not suspected of any illegal activity.

The French Constitutional Court reviewed the provision and affirmed its constitutionality.35 The court pointed out that the algorithm used by intelligence authorities only deals with metadata and does not permit the identification of individuals (although when suspicious activity is detected, officials can request permission to identify the person in order to set up more targeted surveillance). Moreover, the court said that the procedure can only be implemented after an authorization from the prime minister and an opinion from the CNCTR. The authorization is only granted for a period of two months and its renewal is subject to certain conditions to ensure that the algorithm does not create too many false positives. Finally, the court pointed out that the black box measure is only allowed in connection with antiterrorism activities. On balance, the court found that the black box provision did not represent a disproportionate interference with the right to privacy.

For an outside observer it is frustrating that the French Constitutional Court provided no guidance on why it considered the French black box provision compatible with the principles set down by the CJEU in its Digital Rights Ireland decision. The court did not even mention the existence of the CJEU decision. The French court’s lack of analysis of the CJEU’s Digital Rights Ireland decision contrasts with the UK High Court decision dated July 17, 2015, in which the High Court directly confronted the UK Data Retention and Investigatory Powers Act 2014 (DRIPA) with the principles set forth in the Digital Rights Ireland decision.36 In the UK decision, the High Court found that DRIPA created a disproportionate infringement of citizens’ rights to privacy.

(p.57) Several French civil liberties groups are challenging the French decree implementing the black box provision. They argue that the provision is incompatible with the case law of the CJEU and of the ECtHR.37

G. Collection of Data Relating to “International Communications”

Previously, collection of data outside of France by French intelligence agencies fell into a legal no man’s land. French intelligence agencies took the position that French law did not apply to their data-gathering activities outside France. The 2015 Law originally contained a provision on so-called international data collection, but the Constitutional Court annulled the provision because it contained insufficient institutional safeguards.38 A new law was passed on November 30, 2015, which corrected the defects identified by the Constitutional Court. The November 30, 2015 law39 expressly authorizes the collection of data relating to communications received or sent outside of France, including the collection and analysis of both metadata and content. These international data collection measures must be authorized by the prime minister, although he or she does not need to seek the prior opinion of the CNCTR. The CNCTR is nevertheless informed and is allowed to have access to interception records.

A curious aspect of the law is that it creates different levels of protection based on whether the communication involves a person located in France. Intelligence authorities may collect and analyze metadata and content data involving communications by persons outside France with minimal supervision. But if the authorities stumble upon a French telephone number, or a French IP address, then the data must be destroyed and a domestic procedure involving more safeguards must be followed. The purpose of the law is to allow monitoring of communications not involving French residents. French civil liberties groups argue that the provision allows mass surveillance incompatible with the CJEU’s Schrems decision, and that the measure illegally discriminates against non-French residents (including residents of other EU Member States). Under the EU Charter of Fundamental Rights, the protection of privacy accrues to “everyone,”40 which makes the difference in treatment in the November 30, 2015 law surprising. One of the complaints of European authorities with regard to US surveillance laws was that Europeans did not benefit from the same institutional protections as US citizens and residents.41 The French law appears to suffer from exactly the same defect.

(p.58) H. Hacking into Computer Systems

Where “the information cannot be collected through other legal means,” the prime minister can authorize, after the CNCTR’s opinion, use of equipment to access data stored in computer systems, as well as to install clone spyware that permits agents to see the screen and follow keystrokes of a computer.42 Unlike Article 57-1 of the French Code of Criminal Procedure, this provision of the Internal Security Code does not state expressly that the “computer systems” involved may be located inside or outside France.

I. Encryption

Any provider of encryption technology must provide to intelligence authorities the keys for decrypting messages. Alternatively, intelligence authorities can order the provider to decrypt the message within 72 hours, “unless the provider demonstrates that it is unable to comply with these orders.”43 When making these orders, intelligence authorities must be acting in the context of a data-gathering mission authorized by the prime minister.

VI. Retention of Traffic Data and Identification Data

France transposed the now-invalidated European directive on retention of traffic data,44 but went beyond the minimum required by the directive. French law not only requires telecommunications operators to retain for one year traffic data (including location data and Internet logs45), but also requires hosting providers to retain similar logs relating to persons who create or store data using their hosting service.46 The definition of hosting provider is similar to that in the European E-Commerce Directive,47 and broad enough to include many cloud providers, social media services, blogs, and video sharing platforms. Under the French data retention decree, a hosting provider must retain all the information provided by the user when he or she registers for the service, including the user’s name, pseudonym, address, telephone number, email address, password, information permitting the user to change the password, and payment information.48 (p.59) When a user uploads content, the hosting provider must keep logs regarding the user’s connection to the service. All the foregoing data are considered “identification data” and are subject to government access, either through a requisition under the French Code of Criminal Procedure, or through requests made by intelligence agencies under the Internal Security Code. France’s data retention law goes beyond the requirements of the now-invalidated EU data retention directive by including hosting providers within its scope. France has not attempted to modify its laws since the CJEU’s Digital Rights Ireland decision, which led a parliamentary commission to assert that France’s laws on data retention violate Articles 7 and 8 of the EU Charter of Fundamental Rights.49 As noted above, the Constitutional Court decision relating to the 2015 Law50 made no mention of the Digital Rights Ireland decision. And on February 12, 2016, the Conseil d’Etat found that the provisions relating to access to metadata as they existed before the 2015 Law were surrounded by sufficient safeguards to satisfy European and French proportionality tests.51

The February 12, 2016 Conseil d’Etat decision suggests that the French data retention rules would be considered, at least by the French Conseil d’Etat, as satisfying the European proportionality test. Yet for this author, it is unclear that the CJEU and the ECtHR would agree, particularly after the recent CJEU decision finding UK and Swedish laws on data retention incompatible with the EU Charter of Fundamental Rights.52

VII. Conclusion

This chapter has shown that French procedures permitting government access to data in the context of criminal investigations are similar to those in other countries. The level of judicial oversight increases with the level of intrusion into privacy. Real-time interceptions of content require a prior judicial authorization whereas access to stored metadata can often be achieved without a prior authorization. One interesting aspect of the French Code of Criminal Procedure is that it expressly permits French authorities to obtain access to data stored in servers outside of France, as long as an authorized access point exists in France.

The French regime for intelligence data gathering was modified in 2015 in reaction to the heightened terrorist threat in France. The reform permitted a long overdue cleanup of the provisions applicable to intelligence data gathering. The previous provisions dated from early 1990s and related to traditional wiretaps. (p.60) The new regime has the merit of creating a single coherent framework for data collection by intelligence authorities, including the creation of a single independent oversight body, the CNCTR. The new reform also makes certain intelligence-gathering techniques more explicit, such as the interception of communications of persons outside of France. Previously those practices existed, but had no legal framework. Among the new provisions is one permitting intelligence authorities to use algorithms to analyze large volumes of metadata in order to detect suspicious patterns of activity.

The French Conseil d’Etat and Constitutional Court have reviewed, or are in the course of reviewing, the constitutionality of most of these provisions. The 25-year-old provision allowing general monitoring of radio transmissions was recently declared unconstitutional by the French Constitutional Court, but other provisions have so far survived constitutional challenge. The French court decisions analyzing these provisions do not appear to apply the same kind of proportionality test as European courts do with regard to similar measures. It is unclear whether this is simply because the French courts provide less explicit reasoning in the text of their decisions, or whether French courts in fact apply a lighter version of the proportionality test. The recent CJEU decision invalidating UK and Swedish laws on data retention suggests that certain aspects of the French laws may violate the EU Charter of Fundamental Rights.


(1.) European Parliament resolution of October 29, 2015 on the follow-up to the European Parliament resolution of March 12, 2014 on the electronic mass surveillance of EU citizens (2015/2635(RSP)); see also, N. Muiznieks, “Europe Is Spying on You,” New York Times (Oct. 27, 2015).

(2.) Articles 100 and 706-95, Code of Criminal Procedure.

(3.) Article 706-102-1, Code of Criminal Procedure.

(4.) Articles 57-1, 60-1, 60-2, Code of Criminal Procedure.

(5.) Articles 77-1-1 and 77-1-2, Code of Criminal Procedure.

(6.) Articles 94 and 97, Code of Criminal Procedure.

(7.) Article 57-1, Code of Criminal Procedure.

(8.) Article 65, Customs Code.

(9.) Law n° 2015-912 of July 24, 2015, O.J. July 26, 2015, p. 12735.

(10.) For a description of the previous rules, see W. Maxwell, “Systematic Government Access to Private-Sector Data in France,” 4 Int’l Data Privacy Law 4 (2014).

(11.) Law n° 2015-912 of July 24, 2015, O.J. July 26, 2015, p. 12735.

(12.) Article L821-1, Internal Security Code.

(13.) Article L821-3, Internal Security Code.

(14.) Article L821-4, Internal Security Code.

(15.) Article L833-8, Internal Security Code.

(16.) Article L821-5, Internal Security Code.

(17.) Article L831-1, Internal Security Code.

(18.) Article L832-5, Internal Security Code.

(19.) Article L833-4, Internal Security Code.

(20.) Letter from U.S. Secretary of State Kerry to EU Commissioner Jourova dated July 7, 2016, Annex A: EU-U.S. Privacy Shield Ombudsperson Mechanism, Section 4(e).

(21.) Article L833-2, Internal Security Code.

(22.) See, Brief filed by La Quadrature du Net and French Data Network on May 10, 2016 before the Conseil d’Etat challenging the government decree n° 2016-67 adopted to implement the July 24, 2015 law, available at https://exegetes.eu.org/recours/renseignement/CEtat/2016-05-06-Quadrature%20du%20net_%20FDN%20et%20FDNN%20%28Renseignement%20-%20Decret%202016-67%29%20-%20MC.pdf [hereinafter, the “Quadrature du Net Brief”].

(23.) Article L811-3, Internal Security Code.

(24.) Quadrature du Net Brief, above note 22.

(25.) Article L811-5, Internal Security Code.

(26.) Conseil d’Etat decision of July 22, 2016, case n° 394922.

(27.) Constitutional Court decision n° 2016-590 QPC of October 21, 2016.

(28.) Article L851-1, Internal Security Code.

(29.) Article L851-2, Internal Security Code.

(30.) Article L852-1, Internal Security Code.

(31.) Article 17, Law n° 2016-987 of July 21, 2016.

(32.) CNIL deliberation n° 2015-078 of March 5, 2015.

(33.) CJEU decision of April 8, 2014, Case C‑293/12, Digital Rights Ireland v. Ministry for Communications et al.

(34.) CJEU decision of November 13, 2015, Case C-362/14, Schrems v. Data Protection Commissioner.

(35.) Constitutional Court decision of July 23, 2015 n° 2015-713 DC.

(36.) UK High Court decision of July 17, 2015, Cases n° CO/3665/2014, CO/3667/2014 and CO/3794/2014.

(37.) Quadrature du Net Brief, above note 22.

(38.) Constitutional Court decision of July 23, 2015 n° 2015-713 DC.

(39.) Law n° 2015-1556 of November 30, 2015.

(40.) Article 8, EU Charter of Fundamental Rights.

(41.) Communication from the European Commission on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, November 27, 2013, COM(2013) 847 final, paragraph 7.2.

(42.) Article L853-2, Internal Security Code.

(43.) Article L871-1, Internal Security Code.

(44.) Directive 2006/24/EC of March 15, 2006.

(45.) Decree n° 2006-358 of March 24, 2006.

(46.) Decree n° 2011-2019 of February 25, 2011.

(47.) Directive 2000/31/EC of June 8, 2000.

(48.) Decree n° 2011-219 of February 25, 2011.

(49.) French National Assembly, Commission de réflexion et de propositions sur le droit et le libertés à l’âge numérique, Rapport n° 3119 (2014), p. 166.

(50.) Constitutional Court decision of July 23, 2015 n° 2015-713 DC.

(51.) Conseil d’Etat decision of February 12, 2016, case n° 388134.

(52.) CJEU, Cases C-203/15 and C-698/15, Tele2 Sverige v. Post-och telestyrelsen and Secretary of State for the Home Department v. Tom Watson and others, December 21, 2016.