E-commerce directive transposition raises serious privacy and free speech concerns in France
France has started the process of implementing the European Directive on Electronic Commerce. The draft text of the Digital Economy Law (“Loi relative à l’économie numérique” or LEN in French) deals with ISP liability, electronic contracts and unsolicited commercial emails, cryptography, cybercrime, and satellite systems. Among them, the most controversial provisions are those concerning cryptography, cybercrime and ISP liability.
Providers of cryptography services should provide upon request decryption keys to authorised agents named by the Prime Minister. The penalty for not complying with this obligation is a 2 years jail sentence and a fine of EUR 30,000. When a crime or offence is suspected, the public prosecutor or a judge may ask any expert to decrypt data. If the incurred penalty exceeds a 2 years prison sentence, military staff may be asked for help. In that case, the decryption method and process would be kept secret, making it very difficult for defence lawyers to question the outcome. The last provision states that anyone having access to decryption keys should provide them. The keys should be provided upon judicial request when cryptography is used for commission, preparation, or facilitation of a suspected crime or offence. The penalty is very high again: a jail sentence of 3 years and a fine of EUR 45,000.
There are 3 major objections against these provisions. First, judicial control is not ensured. The public prosecutor may start investigations before any crime or offence has been committed. Secondly, they allow for self-incrimination, and thus contradict the French law. Thirdly, professional secrecy is no longer guaranteed for some professions, for example for lawyers that exchange encrypted e-mails with their clients.
On ISP liability, the draft is a third attempt to introduce a “notice and take down” procedure in French legislation. Currently, a French ISP can only be held liable for hosting illegal content if he does not obey a judicial order to remove this content.
With the implementation of the Digital Economy Law, ISPs would not be held liable if, after obtaining actual knowledge or becoming aware of facts and circumstances indicating illegal activity, they act expeditiously to remove or to disable access to the information. These provisions reproduce the exact words of the E-Commerce Directive (article 14). This would open the way for privatized censorship, where the ISP has to decide what is illegal and what is not, after having been notified by a third party on the basis of its private interests. There is no provision for counter claims, seriously undermining presumption of innocence and the right to a fair trial.
Moreover, the draft introduces the possibility of ordering French providers to block access to foreign websites. This unprecedented provision may open the door to further restrictions and censorship on other media, and would undermine freedom of circulation on the Internet.
On 5 February, EDRI-member IRIS launched a petition against provisions on ISP liability and access filtering, in collaboration with 2 non commercial ISPs, the French Human Rights League and a Federation of Trade Unions. The still on-going petition has already been signed by more than 40 French organizations and almost 400 French individuals.
European Directive on Electronic Commerce (2000/31/EC)
Petition against ISP liability and access filtering provisions (in French)
IRIS Dossier (in French)
(Contribution by Meryem Marzouki, EDRI-member IRIS)