Status regarding Budapest ConventionStatus : Party Signed : 23/11/2001 Ratified : 10/01/2006 See legal profile
No strategy specifically dedicated to cybercrime has been adopted so far. An inter-ministerial working group was tasked to prepare a report on a General strategy for the fight against cybercrime. It submitted its report containing 55 recommendations to the Government on 30 June 2014. A short introduction the report is available here (in French only).
Following the establishment in 2009 of an Agency responsible for information systems security (the “ANSSI”), a Cybersecurity strategy was published in February 2011 (“Défense et sécurité des systèmes d’information: Stratégie de la France”, available in French and German). Cybersecurity remains a priority in the last White Paper on defence and national security (April 2013, available here).
A digital strategy has been adopted in 2015.
An action plan of the Ministry of Interior against cyberthreats and a current state of cyber threats in January 2017 have been released.
State of cybercrime legislation
France has adopted an extensive legal framework on cybercrime and computer-related offences, starting with the Law no 88-19, 5 January 1988, on computer fraud (“Godfrain Law”) and its amendments, as codified by Art. 323-1 à 323-7 of the Penal Code. The legal framework was developed by the following legislative texts, especially the Law on the confidence in the digital economy (“LCEN Law”) of 21 June 2004:
- Law no 2001-1062, 15 November 2001, on day-to-day security, “LSQ Law”.
- Law no 2003-239, 18 March 2003, on internal security.
- Law no 2004-204, 9 March 2004, on adapting justice to the evolution of crime
- Law no 2004-575, 21 June 2004, on the confidence in the digital economy (“LCEN law”).
- Law no 2004-669, 9 July 2004, on electronic communications and services of audiovisual services.
- Law no 2005-493, 19 May 2005, authorizing the approval of the Convention on cybercrime and its additional Protocol concerning the incriminations of acts of a racist and xenophobic nature committed through computer systems.
- Law no 2006-64, 23 January 2006, on the fight against terrorism and other provisions regarding security and border control.
- Law no 2007-297, 5 March 2007, on crime prevention.
- Decree no 2006-580, 23 May 2006, publishing the Convention on cybercrime, adopted in Budapest on 23 November 2001
- Decree no 2006-597, 23 May 2006, publishing the additional Protocol concerning the incriminations of acts of a racist and xenophobic nature committed through computer systems, adopted in Strasbourg, 28 January 2003.
Art. 323-1 à 323-7 Penal Code defines as crimes all offences against the confidentiality, integrity and availability of computer data and systems, including illegal access (art. 323-1 al. 1), data interference (art. 323-1 al.2 and 323-3), system interference (art. 323-2), as well as misuse of devices (art. 323-3-1 CP).
Offences related to child pornography are covered by art. 222-23 to 222-31; 223-13; 223- 14; 225- 7 et 225- 7-1; 227-23 to 227-26.
The following texts are relevant in this regard:
- Law no 98-468, 17 June 1998, on the prevention and punishment of sexual offences as well as the protection of minors
- Law no 2002-305, 4 March 2002, on parental authority.
- Law nº 2004-575, 21 June 2004, on the confidence in the digital economy.
- Law no 2007-297, 5 March 2007, on crime prevention.
- Furthermore, the Criminal Code provisions on aggravating circumstances are also relevant, as follows:
- Circonstances aggravantes:
The Criminal Procedure Code provides for the general framework regarding procedural law in criminal matters (available here). Search and seizure are covered by art. 54, 56, 57-1, 76 and 97 CPC; Production orders by art. 60-2, 77-1-1 and 77-1-2; interception by art. 100 al.2, 100-1, 100-3 to 100-7 and 706-95.
Undercover operations are governed by art. 706-73 and 706-81 and following.
The decryption of data seized during an investigation is provided for by art. 230-1 CPC, created by the Law n°2001-1062 of 15 November 2001 on day-to-day security. A decryption may be decided by the Public Prosecutor, the investigative judge or a trial judge.
Further procedural measures are foreseen in the Law n° 2011-267 (“LOPPSI 2”), 14 March 2011, organising and planning internal security performance, including the development of DNA identification and the improvement of the Judicial Police’s databases for investigative purposes. The Law LOPPSI 2 also provides for the involvement of ISPs in the fight against paedophile content online (art. 4 of the Loi), including by blocking access to a website under certain conditions.
General rules and safeguards apply.
Related laws and regulations
On the protection of personal data:
Law “Informatique et Libertés” on information technologies and civil liberties (Law No. 78-17) of 6 January 1978, (consolidated version here, up to date on 12 January 2015) amended by:
- Law n° 88-227 of 11 March 1988 (Official Journal of 12 March 1988),
- Law n° 92-1336 of 16 December 1992 (Official Journal of 23 December 1992),
- Law n° 94-548 of ler July 1994 (Official Journal of 2 July 1994),
- Law n° 99-641 of 27 July 1999, (Official Journal of 28 July 1999).
- Law n° 2000-321 of 12 April 2000, (Official Journal of 13 April 2000).
- Law n° 2002-303 of 4 March 2002, (Official Journal of 5 March 2002).
- Law n° 2003-239 of 18 March 2003 (Official Journal of 19 March 2003).
Law n° 2004-801 of 6 August 2004 (Official Journal of 7 August 2004) (Main reform of the Law No. 78-17 ‘Informatique et Libertés’)
- Law n° 2006-64 of 23 January 2006 (Official Journal of 24 January 2006)
- Law n° 2009-526 of 12 May 2009 (Official Journal of 13 May 2009 )
- Law n° 2011-334 of 29 March 2011 (Official Journal of 30 March 2011)
- Ordonnance n° 2011-1012 of 24 August 2011 (Official Journal of 26 August 2011)
- Law n° 2013-907 of 11 October 2013 on transparency in public life (Official Journal of 12 October 2013)
- Law n° 2014-344 of 17 March 2014
On the regulation of electronic communications:
See the Posts and Electronic Communications Code (Code des postes et des communications électroniques), available here, especially Chapter II on electronic communications (legislative provisions: article L32 à L 40-1)
On national security aspects:
- Code of Internal Security, available here
- Law n° 2002-1094 of 29 August 2002 organising and planning internal security performance (“LOPPSI 1”)
- Law n° 2011-267 of 14 March 2011 organising and planning internal security performance (“LOPPSI 2”)
- Law n° 2013-1168 of 18 December 2013 ‘on military planning for 2014 to 2019’
- Law n° 2014-1353 of 13 November 2014 strengthening the legal framework against terrorism
Additionally, cybercrime related legal provisions are in force in a number of laws, such as:
Code de la defense
Code de la propriété intellectuelle
Code de la santé publique
Code de la sécurité intérieure
Code des postes et communications électroniques
Code monétaire et financier
Code penal francais
Loi du 21 juin 2004 pour la confiance dans l’économie numérique
On December 2014, a Government Special Advisor for the Fight against cyberthreats was appointed within the Ministry of Interior. He is in charge of coordinating the ministry's strategy in this domain.
A department for ICT-related offences, the “Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication” (OCLCTIC), was created within the Judicial Police department (investigative police) in 2000 (Decree n° 2000-405 of 15 May 2000). It has since been incorporated into a sub-directorate for the fight against cybercrime (“SDLC”) within the DCPJ.
Within the National Gendarmerie, different departments have been created:
- A central unit entitled « Centre de lutte contre les criminalités numériques (“C3N”) du service central de renseignement criminel de la gendarmerie nationale (“SCRC”) »; it encompasses several departments in charge of the fight against malware, against online child abuse and all other illegal content on the Internet ; a last department is in charge of prospective and national coordination for the gendarmerie ;
- In 2003, the national centre for the analysis of child abuse material was created (“Centre national d'analyse des images de pédopornographie - CNAIP”), and it is part of the C3N ;
- A department to develop methods, tools and software to automatically detect paedophile pictures called « Département informatique et électronique de l'institut de recherche criminelle de la Gendarmerie nationale (“IRCGN”) »;
- More recently (2003), in cooperation with the National Police, a National Center of paedophile pictures (“CNAIP”)
The Agency responsible for the security of information systems is the “Agence Nationale de la Sécurité des Systèmes d'information (ANSSI)”. France’s CERT is the “CERT-FR” (created in 1999, and known as “CERTA” until 2014), created within the ANSSI. CERT-FR is a member of FIRST since 2000, and takes part to the activities of TF-CSIRT.
CECyF is the French expert centre against cybercrime (also called F-CCENTRE). Established in 2014, it enables law enforcement agencies, researchers from all sectors (academia, industry, independent experts) and educational institutions to meet and exchange to create projects that contribute to the training, education and research against cybercrime. It was initiated as part of the European project 2CENTRE (Cybercrime Centre of Excellence Network for Training Research and Education).
The data protection agency is the “Commission Nationale de l’Informatique et des Libertés (“CNIL”), created by the Law 78-17 of 6 January 1978.
The « Autorité de Régulation des Communications Electroniques et des Postes (“ARCEP”) is responsible for the regulation of telecom activities in France.
The Conseil National du Numérique (Digital Council) is an independent consultative commission set up in 2011 which give recommendations on all aspects of the impact of ICTs on society and the economy.
France signed most of the treaties and conventions on international cooperation within the European Union and the Council of Europe. France is also a Party to the United Nations. Convention against Transnational Organized Crime (ratified on 29 October 2002), which encompasses provisions on international cooperation.
In domestic law, international cooperation is governed by Title X of France’s Criminal Procedure Code. Chapter I (art. 694 to 694-13 CPC) provides for the general legal framework on international cooperation. Chapter II deals with specifically with international cooperation with member States of the European Union (art. 695 to 695-9-53 CPC).
Competent authorities and channels
Unless provided otherwise by an international convention ratified by France, outgoing cooperation requests should be transmitted by the Ministry of Justice to the foreign authorities. Incoming requests should be transmitted through diplomatic channels. (see art. 694 CPC). Urgent requests may be directly transmitted between relevant judicial authorities. Urgent incoming requests should be reviewed, in principle, by the foreign Government beforehand, and transmitted to the Public Prosecutor or to the competent investigative judge (conditions set out in art. 694-1).
In principle, incoming requests should be executed by the Public Prosecutor or by judicial police officers mandated to do so, or by the investigative judge under certain circumstances (art. 694-2). Specific provisions apply to requests requiring hearing, surveillance or under-cover operations (see art. 694-5 to 694-9).
Complying with Article 35 of the Budapest Convention, a 24/7 point of contact is in place since 2000, and it is based at the Ministry of Interior in the investigative police department: the Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication (OCLCTIC). The OCLCTIC is also the contact point for “H24” (G7), EUROPOL, and INTERPOL networks.
- Court of Appeal Paris, 12th chamber A, 30 October 2002 (illegal access), See here: http://www.legalis.net/spip.php?page=jurisprudence-decision&id_article=136
- Court of First Instance Paris, 12th chamber corr., 1 June 2007 (illegal access), See here: http://www.legalis.net/spip.php?page=jurisprudence-decision&id_article=2179
- Supreme Court, Criminal Chamber. 8 February 2012 (data interference and system interference), http://www.legifrance.gouv.fr/affichJuriJudi.do?idTexte=JURITEXT000025534746
- Supreme Court, Criminal Chamber. 27 October 2009, 09-82.346 (confirming the qualification of an online publication of a security flaw as a criminal offence under art. 323-3-1 of the Criminal Code) (Misuse of device and related offences)
Sources and links
- Legifrance, French Government online legal database: (FR) http://www.legifrance.gouv.fr/Traductions/en-English/Legifrance-translations
- Legifrance’s translations of French legal texts (EN): http://www.legifrance.gouv.fr/Traductions/en-English/Legifrance-translations
- Council of Europe’s country profile on cybercrime legislation for France: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/CountryProfiles/cyber_cp_France_2011_May_EN.pdf
- Webpage of the National Gendarmerie on cybercrime : http://www.gendarmerie.interieur.gouv.fr/fre/Sites/Gendarmerie/Zooms/Cybercriminalite
- Website of the National Police: http://www.police-nationale.interieur.gouv.fr/
- Webpage of the National Police on the OCLCTIC
- French Portal on Computer Security: http://www.securite-informatique.gouv.fr/
- CERT-FR: http://www.cert.ssi.gouv.fr/
- Agence Nationale de la Sécurité des Systèmes d'information (ANSSI): http://www.ssi.gouv.fr/
- “Défense et sécurité des systèmes d’information: Stratégie de la France”, Feb 2011: http://www.ssi.gouv.fr/fr/anssi/publications/autres-publications-233/
- “Protéger les internautes : Rapport sur la cybercriminalité”, Inter-ministerial report on the fight against cybercrime (30 June 2014), available here: http://www.ladocumentationfrancaise.fr/rapports-publics/144000372/
- CNIL (data protection authority): http://www.cniLoifr/
- ARCEP (Telecom Regulatory Authority): http://www.arcep.fr/
- France’s reporting platform for offences committed online (PHAROS): www.internet-signalement.gouv.fr
- Dalloz Actualités (newspage of one of the main legal editors in France): www.dalloz-actualite.fr/
- Legalis (legal news on IT issues): http://www.legalis.net/