21 January 1999
See cryptology statement of January 1998
See also French policy on electronic commerce and cryptology: http://www.internet.gouv.fr/francais/commerce/sommaire.html
Build a legislative framework to protect exchanges and privacy
Encryption, protection of data of a personal nature, recognition of the probative value of digital documents and electronic signatures: three dossiers that condition the safe use of information technology and the Internet in France and justify adapting French law. The French Government decided to present a number of new dispositions to Parliament, based on reports presented to the Prime Minister by Mr Guy Braibant with regard to data of a personal nature, and the Council of State on legal aspects of the Internet.
1. Encryption : total freedom of use in France
Confronted with the development of electronic methods of espionage, the possibility of encrypting communications seems to be an efficient response to protect the confidentiality of exchanges and privacy.
The Government allowed itself time to reflect. After consulting those involved, experts and international partners, it became convinced that the dispositions which result from the law of 1996 are no longer appropriate. They strictly restrain the use of encryption in France, without allowing the authorities to efficiently combat criminal acts where encoding could facilitate dissimulation. They also make apparent a risk of isolation for France with regard to her main partners.
The Government has therefore decided to opt for a fundamental change of direction, which aims to make the use of encryption totally permitted in France, while adapting the means at the disposal of the authorities to guarantee public liberty in this new environment and to combat the use of encoding methods for illicit ends.
The draft bill that will be presented to Parliament will be based on the following orientations:
- provide total freedom of use of encryption products, with one restraint to maintain control over exports which result from France's international engagements (encoding methods that do not use keys that are longer than 56 bits);
- suppress the mandatory nature of having recourse to a third party of confidence for depositing encoding keys. The role of the third party will not be limited to managing keys but can extend to other tasks, such as certifying electronic signatures. Recourse to such instruments and to auto-depository mechanisms will be encouraged. The third parties of confidence can notably apply for certification from the authorities.
- allow the authorities to efficiently combat the use of encoding procedures for illicit ends. To this end, the current legal mechanism will be supplemented by setting up obligations, as well as penal sanctions, with regard to presenting the uncoded transcription of encoded documents to the legal authorities when they so request. Moreover, the technical capacities of the authorities will be significantly reinforced.
The law, therefore, must be changed, which will take several months. But the Government wished that the hindrances which handicap citizens who are anxious to protect the confidentiality of their exchanges, and the development of electronic commerce, be lifted without delay. Thus, while waiting for the legislative modifications announced, the Government decided to raise the threshold for permitted encryption methods from 40 bits to 128 bits, a level which is considered by experts to resolutely ensure high security.
As far as the supply of encryption products is concerned, the declaration procedure will be simplified, notably through the suppression of the simple stop test. Finally, the constraints on the third parties of confidence that can be modified through regulatory means will be considerably relaxed, in particular by the suppression of the requirement for defence clearance for personnel and 24 hour per day availability.
2. Data of a personal nature: ensure a high level of protection
The transposition of the European directive of 1995 relative to the protection of data of a personal nature must allow for the adaptation of the internal legal framework to the generalisation of data processing and the expansion of the Internet. It must guarantee the preservation of rights as fundamental as individual liberty and respect of privacy.
The transposition of the directive, far from weakening the legal guarantees offered to citizens today, will aim to ensure a high level of protection for them.
With this in mind, the initiatives that the Government will propose will aim notably to reinforce:
- the means of the National Commission for Information Technology and Liberty (CNIL),
- the power to control that the CNIL has. In particular, the CNIL must be in a position to better exercise its power to control a posteriori in the domain of processing data for commercial purposes, which is in rapid expansion.
3. Digital documents and electronic signatures: lift the legal obstacles
Non-material transactions are becoming of increasing importance, whether in the commercial arena or for administrative procedures. Certain legal obstacles make it necessary to modify the law to allow for the adaptation of French law with regard to proof to the new technologies and electronic signatures.
This modification will respond to two preoccupations:
- conformance with the orientations retained within the European Union,
- taking into account, with all necessary guarantees, the probative nature of digital documents and electronic signatures.