Cyberspace Law is (almost) evolving together with new technologies and threats to information and communication systems.
The Law of 26 February 2018, implementing the NIS Directive, created obligations for Operators of Essential Services (OES), as well as for Digital Service Providers (DSP) whose services are used by OES, to ensure the continuity of economic and social activities critical to the national interest.
The next Act on Military Programming, which draft has just been submitted to Parliament for debate, should further strengthen the legislative framework. It aims to reinforce the resiliency of the information systems, both those electronic communications operators make available to their subscribers through their networks, and those of public authorities and operators of vital importance (OVI). As the Strategic Review of Cyber Defence points out, electronic communications operators “have a key role to play in the cyber defence of operators [that are] essential to the functioning of our economy and society”; they must therefore be “eminent partners of the State in its fight against cyber-threat”. The essential contribution of private actors to cybersecurity is thus acknowledged.
The implementation of “markers”, on the initiative of operators or upon request by the ANSSI, aims to detect cyberattacks. When becoming aware of threats “likely to affect” its information system, the Agency is granted the right to apply its marking device on the network of an electronic communications operator, on that of an individual whose activity is to provide access to online public communication services (service provider), or on that of a web host. ARCEP finds its powers extended for control over these measures.
Jurisprudence is also a source of law. In its judgement of 22 February 2018, the European Court of Human Rights (ECHR) upheld the possibility for an employer to access to data stored on an employee’s work computer, as long as such data are not identified as private. The Court of Cassation (First Civil Chamber, (17-10.499) Google / Mr. Thierry X., 14 February 2018) specified that a court seized of a delisting request cannot order a search engine any measure of general injunction, and must weigh up the interests involved. It thus applies the judgement of 13 May 2014 (C-131/12, Google Spain and Google) delivered by the Court of Justice of the European Union on the “Right to be forgotten”. Finally, on March 30th, the Constitutional Council should give a primary ruling over the constitutionality of Article 434-15-2 of the Penal Code, which criminalizes any person who has knowledge of a decryption key and refuses to hand it over to the judicial authorities. If we add to this list the bill on fake news, which was announced last January 3rd by the President of the French Republic, we must note that the legal corpus of cybersecurity lacks of a comprehensive approach, due to its scattering into many codes. There should come a day when a single document will gather everything together to guarantee its overall coherence. The FIC, and its Parliamentary Agor@, aim to contribute to this clarification.