Back France

Status regarding Budapest Convention

Status regarding Budapest Convention

Status : Party See legal profile

Cybercrime policies/strategies

No strategy specifically dedicated to cybercrime has been adopted so far. An inter-ministerial working group was tasked to prepare a report on a General strategy for the fight against cybercrime. It submitted its report containing 55 recommendations to the Government on 30 June 2014. A short introduction the report is available here (in French only).

Following the establishment in 2009 of an Agency responsible for information systems security (the “ANSSI”), a Cybersecurity strategy was published in February 2011 (“Défense et sécurité des systèmes d’information: Stratégie de la France”, available in French and German). Cybersecurity remains a priority in the last White Paper on defence and national security (April 2013, available here). A digital strategy has been adopted in 2015.

 

An action plan of the Ministry of Interior against cyberthreats and a current state of cyber threats in January 2017 have been released.

 

France’s International Digital Strategy presented by the Minister for Europe and Foreign Affairs on 15 December 2017, is centred around three key focuses: governance, the economy and security.

 

A Strategic Review on Cyber Defence has been carried out by France’s Secretariat-General for National Defence and Security and published on 12th of February 2018, providing a very detailed overview of cyber threats and the current state of French security infrastructure.

Cybercrime legislation

State of cybercrime legislation

France has adopted an extensive legal framework on cybercrime and computer-related offences, starting with the Law no 88-19, 5 January 1988, on computer fraud (“Godfrain Law”) and its amendments, as codified by Art. 323-1 à 323-7 of the Penal Code. The legal framework was developed by the following legislative texts, especially the Law on the confidence in the digital economy (“LCEN Law”) of 21 June 2004:

  • Law no 2001-1062, 15 November 2001, on day-to-day security, “LSQ Law”.
  • Law no 2003-239, 18 March 2003, on internal security.
  • Law no 2004-204, 9 March 2004, on adapting justice to the evolution of crime
  • Law no 2004-575, 21 June 2004, on the confidence in the digital economy (“LCEN law”).
  • Law no 2004-669, 9 July 2004, on electronic communications and services of audiovisual services.
  • Law no 2005-493, 19 May 2005, authorizing the approval of the Convention on cybercrime and its additional Protocol concerning the incriminations of acts of a racist and xenophobic nature committed through computer systems.
  • Law no 2006-64, 23 January 2006, on the fight against terrorism and other provisions regarding security and border control.
  • Law no 2007-297, 5 March 2007, on crime prevention.

Decrees:

  • Decree no 2006-580, 23 May 2006, publishing the Convention on cybercrime, adopted in Budapest on 23 November 2001
  • Decree no 2006-597, 23 May 2006, publishing the additional Protocol concerning the incriminations of acts of a racist and xenophobic nature committed through computer systems, adopted in Strasbourg, 28 January 2003.

Substantive law

Art. 323-1 à 323-7 Penal Code defines as crimes all offences against the confidentiality, integrity and availability of computer data and systems, including illegal access (art. 323-1 al. 1), data interference (art. 323-1 al.2 and 323-3), system interference (art. 323-2), as well as misuse of devices (art. 323-3-1 CP).

Offences related to child pornography are covered by art. 222-23 to 222-31; 223-13; 223- 14; 225- 7 et 225- 7-1; 227-23 to 227-26.

The following texts are relevant in this regard:

Procedural law

The Criminal Procedure Code provides for the general framework regarding procedural law in criminal matters (available here). Search and seizure are covered by art. 54, 56, 57-1, 76 and 97 CPC; Production orders by art. 60-2, 77-1-1 and 77-1-2; interception by art. 100 al.2, 100-1, 100-3 to 100-7 and 706-95.

Undercover operations are governed by art. 706-73 and 706-81 and following.

The decryption of data seized during an investigation is provided for by art. 230-1 CPC, created by the Law n°2001-1062 of 15 November 2001 on day-to-day security. A decryption may be decided by the Public Prosecutor, the investigative judge or a trial judge.

Further procedural measures are foreseen in the Law n° 2011-267 (“LOPPSI 2”), 14 March 2011, organising and planning internal security performance, including the development of DNA identification and the improvement of the Judicial Police’s databases for investigative purposes. The Law LOPPSI 2 also provides for the involvement of ISPs in the fight against paedophile content online (art. 4 of the Loi), including by blocking access to a website under certain conditions.

Safeguards

General rules and safeguards apply.

Related laws and regulations

On the protection of personal data:

Law “Informatique et Libertés” on information technologies and civil liberties (Law No. 78-17) of 6 January 1978, (consolidated version here, up to date on 12 January 2015) amended by:

  • Law n° 88-227 of 11 March 1988 (Official Journal of 12 March 1988),
  • Law n° 92-1336 of 16 December 1992 (Official Journal of 23 December 1992),
  • Law n° 94-548 of ler July 1994 (Official Journal of 2 July 1994),
  • Law n° 99-641 of 27 July 1999, (Official Journal of 28 July 1999).
  • Law n° 2000-321 of 12 April 2000, (Official Journal of 13 April 2000).
  • Law n° 2002-303 of 4 March 2002, (Official Journal of 5 March 2002).
  • Law n° 2003-239 of 18 March 2003 (Official Journal of 19 March 2003).

Law n° 2004-801 of 6 August 2004 (Official Journal of 7 August 2004) (Main reform of the Law No. 78-17 ‘Informatique et Libertés’)

  • Law n° 2006-64 of 23 January 2006 (Official Journal of 24 January 2006)
  • Law n° 2009-526 of 12 May 2009 (Official Journal of 13 May 2009 )
  • Law n° 2011-334 of 29 March 2011 (Official Journal of 30 March 2011)
  • Ordonnance n° 2011-1012 of 24 August 2011 (Official Journal of 26 August 2011)
  • Law n° 2013-907 of 11 October 2013 on transparency in public life (Official Journal of 12 October 2013)
  • Law n° 2014-344 of 17 March 2014

 

On the regulation of electronic communications:

See the Posts and Electronic Communications Code (Code des postes et des communications électroniques), available here, especially Chapter II on electronic communications (legislative provisions: article L32 à L 40-1)

 

On national security aspects:

  • Code of Internal Security, available here
  • Law n° 2002-1094 of 29 August 2002 organising and planning internal security performance (“LOPPSI 1”)
  • Law n° 2011-267 of 14 March 2011 organising and planning internal security performance (“LOPPSI 2”)
  • Law n° 2013-1168 of 18 December 2013 ‘on military planning for 2014 to 2019’
  • Law n° 2014-1353 of 13 November 2014 strengthening the legal framework against terrorism

Additionally, cybercrime related legal provisions are in force in a number of laws, such as:

 

  1. Code de la defense

Code de la defense Art L 2321-2

Code de la defense Art L 2321-4

 

  1. Code de la propriété intellectuelle

Code de la propriété intellectuelle ArtL122-6

Code de la propriété intellectuelle ArtL335-2

Code de la propriété intellectuelle ArtL341-1

Code de la propriété intellectuelle ArtL521-10

Code de la propriété intellectuelle ArtL615-14

Code de la propriété intellectuelle ArtL623-32

Code de la propriété intellectuelle ArtL716-10

Code de la propriété intellectuelle ArtL716-9

 

  1. Code de la santé publique

Code de la santé publique ArtL5421-13-4

 

  1. Code de la sécurité intérieure

Code de la sécurité intérieure Art. L.881-2

 

  1. Code des postes et communications électroniques

Code des postes et communications électroniques Art. 1

Code des postes et communications électroniques Art. L32

 

  1. Code monétaire et financier

 

Code monétaire et financier Art.L163(3)

Code monétaire et financier Art. L163(4)

 

  1. Code penal francais

Code penal francais_Article 226(16)-(24)

Code penal francais_Article 323(1)-(8)

Code penal francais Article 411(9)

Code penal francais Article 226 (4).(1)

 

  1. Loi du 21 juin 2004 pour la confiance dans l’économie numérique

Articles Art 1er- Définitions «communication au public par voie électronique », « communication au public en ligne»

Specialised institutions

On December 2014, a Government Special Advisor for the Fight against cyberthreats was appointed within the Ministry of Interior. He is in charge of coordinating the ministry's strategy in this domain.

A department for ICT-related offences, the “Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication” (OCLCTIC), was created within the Judicial Police department (investigative police) in 2000 (Decree n° 2000-405 of 15 May 2000). It has since been incorporated into a sub-directorate for the fight against cybercrime (“SDLC”) within the DCPJ.

Within the National Gendarmerie, different departments have been created:

  • A central unit entitled « Centre de lutte contre les criminalités numériques (“C3N”) du service central de renseignement criminel de la gendarmerie nationale (“SCRC”) »; it encompasses several departments in charge of the fight against malware, against online child abuse and all other illegal content on the Internet ; a last department is in charge of prospective and national coordination for the gendarmerie ;
    • In 2003, the national centre for the analysis of child abuse material was created (“Centre national d'analyse des images de pédopornographie - CNAIP”), and it is part of the C3N ;
  • A department to develop methods, tools and software to automatically detect paedophile pictures called « Département informatique et électronique de l'institut de recherche criminelle de la Gendarmerie nationale (“IRCGN”) »;
  • More recently (2003), in cooperation with the National Police, a National Center of paedophile pictures (“CNAIP”)

The national platform on which French citizens can report cybercrime is entitled Pharos.

The Agency responsible for the security of information systems is the “Agence Nationale de la Sécurité des Systèmes d'information (ANSSI)”. France’s CERT is the “CERT-FR” (created in 1999, and known as “CERTA” until 2014), created within the ANSSI. CERT-FR is a member of FIRST since 2000, and takes part to the activities of TF-CSIRT.

CECyF is the French expert centre against cybercrime (also called F-CCENTRE). Established in 2014, it enables law enforcement agencies, researchers from all sectors (academia, industry, independent experts) and educational institutions to meet and exchange to create projects that contribute to the training, education and research against cybercrime. It was initiated as part of the European project 2CENTRE (Cybercrime Centre of Excellence Network for Training Research and Education).

The data protection agency is the “Commission Nationale de l’Informatique et des Libertés (“CNIL”), created by the Law 78-17 of 6 January 1978.

The « Autorité de Régulation des Communications Electroniques et des Postes (“ARCEP”) is responsible for the regulation of telecom activities in France.

The Conseil National du Numérique (Digital Council) is an independent consultative commission set up in 2011 which give recommendations on all aspects of the impact of ICTs on society and the economy.

International cooperation

Competent authorities and channels

France signed most of the treaties and conventions on international cooperation within the European Union and the Council of Europe. France is also a Party to the United Nations. Convention against Transnational Organized Crime (ratified on 29 October 2002), which encompasses provisions on international cooperation.

In domestic law, international cooperation is governed by Title X of France’s Criminal Procedure Code. Chapter I (art. 694 to 694-13 CPC) provides for the general legal framework on international cooperation. Chapter II deals with specifically with international cooperation with member States of the European Union (art. 695 to 695-9-53 CPC).

 

Competent authorities and channels

Unless provided otherwise by an international convention ratified by France, outgoing cooperation requests should be transmitted by the Ministry of Justice to the foreign authorities. Incoming requests should be transmitted through diplomatic channels. (see art. 694 CPC). Urgent requests may be directly transmitted between relevant judicial authorities. Urgent incoming requests should be reviewed, in principle, by the foreign Government beforehand, and transmitted to the Public Prosecutor or to the competent investigative judge (conditions set out in art. 694-1).

In principle, incoming requests should be executed by the Public Prosecutor or by judicial police officers mandated to do so, or by the investigative judge under certain circumstances (art. 694-2). Specific provisions apply to requests requiring hearing, surveillance or under-cover operations (see art. 694-5 to 694-9).

Complying with Article 35 of the Budapest Convention, a 24/7 point of contact is in place since 2000, and it is based at the Ministry of Interior in the investigative police department: the Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication (OCLCTIC). The OCLCTIC is also the contact point for “H24” (G7), EUROPOL, and INTERPOL networks.

Jurisprudence/case law

Available here:

http://www.legifrance.gouv.fr/affichJuriJudi.do?oldAction=rechJuriJudi&idTexte=JURITEXT000021299967&fastReqId=750589792

Sources and links

Print France
Tools on Cybercrime & Electronic Evidence Empowering You!

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe. 

Contribute

  Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?

  Share this information with us helping to keep this platform up to date.

Useful links