Cryptography is part of our daily digital life: from online communication, through e-commerce, to online banking. Encryption ensures secure data transfers and storage, with data confidentiality, authentication requirements and data integrity. However, data encryption is used in very diverse situations, whether for civil or for military purposes, for legal but also for illegal purposes.
In France, although the Digital Economy Act (“Loi pour la confiance dans l’économie numérique”, aka “LCEN”) of 21 June 2004 introduced more flexibility for the use and supply of means of cryptography, importing or exporting encryption software or services in or from France remains regulated. (1)
The law distinguishes between the use and provision (including transfer, import and export) of means of cryptography and the provision of cryptography services. Means of cryptography are usually classified a dual use encryption products, i.e. technologies which can be used for both civil and military purposes. The provision of means of cryptography and of cryptography services remains regulated, even if certain areas are now exempted from any form of declaration or authorisation.
1. The provision of means of cryptography
The law defines “means of cryptography” as follows: “a means of cryptography (moyen de cryptologie) includes any hardware or software designed or modified to alter data, whether information or signals, through secret conventions (keys or encryption algorithms) or to proceed to the reverse operation with or without a secret convention. The main purpose of such means of cryptography is to safeguard the security of data storage or of data transmission to ensure its confidentiality, authentication or integrity check.” (art 29 of the Digital Economy Act)
The law states the general principle of freedom to use means of cryptography.
The law distinguishes between:
- the provision of means of cryptography ensuring exclusively functions of authentication and integrity checks. Such means may be provided without restriction, including if the means of cryptography are exported to or imported from an EU member state or to/from third countries; and
- the provision of means of cryptography not ensuring exclusively functions of authentication and integrity checks (including means ensuring data confidentiality). The provision of such means and their import is subject to a prior declaration to, or authorisation from ANSSI (Agence nationale de la sécurité des systèmes d’information - the government agency in charge of cybersecurity).
Declarations are acknowledged within one month from submission to ANSSI, and within four months for requests for authorisation. These timeframes may be extended if the submitted file is incomplete or if ANSSI has additional questions on the filing.
Declarations of means of cryptography are also valid for the intermediaries of the supplier (party having filed the declaration), i.e. the distributors of the means of cryptography. A single declaration is therefore sufficient and can be used by the supplier’s distributors.
The provision and export of means of cryptography not ensuring exclusively functions of authentication and integrity checks is subject to an authorisation from ANSSI filed by the supplier of the means of cryptography and to an export license from SBDU (Service des Biens Double Usage) filed by the party exporting the means of cryptography. (2)
Authorisations are granted for a maximum term of five years, at the end of which, a new request must be filed.
Certain categories of means of cryptography may be exempted from prior declaration if their technical characteristics or conditions of use are such that their provision, transfer from a member state or import doesn’t challenge the interests of national defense or of the internal and external security of the State. These categories are identified by decree. They include the provision of equipment to the public, the provision of broadcasting or television equipment, mobile radio communication, mobile telephone equipment which cryptographic coding or encryption is not accessible by the user. The provision of cryptography services not consisting in delivering electronic certificates is also unrestricted. (3)
The Prime Minister can prohibit the release and distribution of a supplier which does not comply with the requirements listed under article 30 of the Digital Economy Act (i.e. prior declaration or request for authorisation). Such prohibition would also include the distributors of the means of cryptography and the equipment used with the means of cryptography.
Suppliers not complying with the prior declaration or request for authorisation requirements may incur criminal penalties, including a maximum fine of €15,000 and one year imprisonment.
Exporting a means of cryptography without the required authorisation is subject to a maximum fine of €30,000 and two years imprisonment.
2. The provision of cryptography services
The law defines “cryptography services” as follows: “a cryptography service (prestation de cryptologie) includes any process used to implement a means of cryptography, on behalf of a third party.” (art 29 of the Digital Economy Act)
The provision of cryptography services must be declared to ANSSI. The exemptions to such declaration are similar to the exemptions for means of cryptography (see above).
The entities providing cryptography services are subject to a duty of professional secrecy (“secret professionnel”). Professional secrecy is defined in article 226-13 of the French criminal code, which provides that “the disclosure of secret information by a person who is entrusted either because of his status or his profession, because of a function or a temporary mission, is subject to one year imprisonment and a maximum fine of €15,000.”
These entities are fully liable for damages caused to the entity or person on behalf of whom they manage the secret conventions in case of breach of the integrity, confidentiality or availability of the encrypted data.
The entities providing electronic certificates are liable for the damages caused to the persons who relied on the certificates presented as “qualified” (art. 33 of the Digital Economy Act). These entities must contract an insurance policy sufficient to cover the risks related to their activity.
Pursuant to article 31 of the French Digital Economy Act, the provision of cryptography services for confidentiality purposes without the required prior declaration is subject to two years imprisonment and a maximum fine of €30,000.
Importing or exporting encryption software or services in/from France remains a complex matter. The supplier must first check whether the means or service is exempted or subject to a regulatory prior declaration or authorisation from ANSSI, then take into account the delays in obtaining a declaration certificate or an authorisation to distribute the software or application, or to provide a cryptography service. Suppliers or importers who breach these legal requirements may incur severe criminal charges.
* * * * * * * * * * * *
(1) Loi n°2004-575 pour la confiance dans l’économie numérique, 21 June 2004 - LCEN (French Digital Economy Act). The provisions regarding cryptography are enacted under articles 29 et seq.
(2) The supplier filing a declaration or requesting an authorisation must submit a file to ANSSI. The format and content of the file are listed in an administrative ruling (Arrêté) dated 29 January 2015
(3) Decree No 2007-663 dated 2 May 2007
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
April 2016
