France

Nine Eyes member with algorithmic “black box” surveillance, DGSE bulk cable access at Europe’s largest submarine cable hub, and permanent emergency powers

Overview

EU Member State: France is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and France’s role in international data sharing.

France was the first European country to enact comprehensive data protection legislation (Loi Informatique et Libertés, 1978) and the first EU country to authorise algorithmic “black box” scanning of communications metadata for intelligence purposes. Following the 2015 Paris attacks, France enacted broad surveillance legislation granting intelligence agencies some of the widest powers in Western Europe. The CNIL imposed EUR 486.8 million in fines in 2025 alone (including EUR 325M against Google and EUR 150M against Shein), while intelligence agencies surveilled 24,308 persons across 98,883 technique authorisations in 2024.[1][2]

France is a Nine Eyes member with a bilateral SIGINT agreement with the NSA codenamed Lustre, and a Maximator alliance member (joined 1985). Marseille is Europe’s largest submarine cable hub (17+ systems), where DGSE conducts bulk cable interception under Article L.854-1 with no CNCTR prior opinion required.[3][4]

Privacy Framework

The CNIL (Commission nationale de l’informatique et des libertés), one of the world’s oldest DPAs, issued the first major GDPR fine (Google EUR 50M, January 2019). In 2025 it issued 83 sanctions totalling EUR 486.8M, a nine-fold increase over 2024. Google alone has been fined EUR 625 million across four CNIL actions. 2025 budget: EUR 30.6M; 301 FTE staff; 17,772 complaints (2024). The Loi Informatique et Libertés (1978, as amended) supplements the GDPR with specific provisions on national security processing, public sector data, and health research.[5][6]

Surveillance and Intelligence

Intelligence Act 2015

Passed after the Charlie Hebdo attack. Authorises targeted interception, real-time geolocation, IMSI catchers, microphones and cameras in private spaces, computer intrusion, and bulk metadata analysis. Algorithmic “black boxes” allow automated devices at data centres and telecom networks to detect communications patterns matching terrorist selectors — France was the first EU country to authorise this. The CNCTR’s 2024 report noted computer data collection more than doubled over five years.[1][7]

CNCTR Oversight

The CNCTR (Commission nationale de contrôle des techniques de renseignement) provides prior opinions before surveillance authorisation, but these are not binding — the Prime Minister may override with written justification. 2024: 24,308 persons surveilled, 98,883 technique authorisations (+3%). Counterterrorism: 30% of monitored persons, 39.3% of technique requests.[7]

International Electronic Communications Law (November 2015)

Governs surveillance of communications “emitted from or received abroad” with significantly reduced oversight: CNCTR prior opinion not required; international communications may be intercepted in bulk. Retention: content 1 year after first exploitation (max 4 years; 8 years for encrypted content); metadata up to 6 years. Internet routing means many nominally domestic French communications transit foreign servers and qualify as “international.”[8]

SILT Law 2017: Permanent Emergency Powers

Formally ended the state of emergency while permanently incorporating key emergency powers: administrative security perimeters, closure of places of worship, house visits with judicial authorisation, and MICAS (individual surveillance measures including municipality restriction, daily police check-ins, passport confiscation, electronic bracelet monitoring for up to one year, with no requirement to disclose evidence). These powers have been repeatedly renewed.[9]

Intelligence Agencies

DGSI: Domestic intelligence (counterterrorism, counterintelligence, economic protection), under Ministry of Interior.

DGSE: Foreign intelligence and SIGINT, under Ministry of Defence. Contains the Direction Technique (DT) handling signals intelligence (ROEM), operating overseas CRE stations spanning the Mediterranean, Africa, and the Middle East.[10]

Nine Eyes and Maximator

France maintains a bilateral SIGINT agreement with the NSA codenamed Lustre, exchanging raw SIGINT data. As a third-party partner, France is not exempt from NSA collection. Operation Dunhammer confirmed NSA surveillance of senior French officials via Danish cables.[3][11]

France joined Maximator in 1985 (the fifth member). DGSE’s Direction Technique contributes cryptanalytic capabilities to the five-nation encryption-defeat cooperative. Germany’s Maximator membership connected the alliance to Operation Rubicon (CIA-BND co-ownership of Crypto AG).[12]

Commercial Surveillance Procurement

Palantir/DGSI: France renewed its DGSI intelligence contract with Palantir through 2025. As a US company subject to the CLOUD Act, the contract raises concerns about US access to French intelligence data bypassing bilateral frameworks.[13]

Pegasus: In July 2021, the Pegasus Project revealed that phone numbers associated with French President Macron, members of his government, and journalists appeared on an NSO Group target list. France launched an investigation, and the DGSE reportedly explored but did not procure Pegasus.[14]

Internet Infrastructure and Cable Surveillance

Marseille: Europe’s Largest Submarine Cable Hub

Marseille hosts at least 17 submarine cable systems including SEA-ME-WE 3/4/5/6, AAE-1, ACE, IMEWE, and 2Africa (Meta’s 45,000 km system). The majority of Europe-Asia and Europe-Africa internet traffic passes through Marseille, making it Europe’s primary cable chokepoint.[15]

DGSE Cable Access (Article L.854-1)

The International Electronic Communications Law provides the legal basis for DGSE bulk interception of all communications “emitted from or received abroad” at cable landing stations and IXPs, with no CNCTR prior opinion required. Combined with algorithmic black box capabilities, this gives DGSE extensive collection access at one of Europe’s most concentrated cable chokepoints.[8]

France-IX and Orange Marine

France-IX: ~500 members, largest French IXP, with exchanges in Paris and Marseille. Orange Marine (former state-owned France Télécom subsidiary) operates 7 cable ships averaging ~50 maintenance operations/year, giving France operational knowledge of cable routing and infrastructure directly relevant to SIGINT collection.[16][17]

Cryptography

Domestic encryption use is unrestricted. Compelled decryption: up to 3 years imprisonment and EUR 270,000 for refusing judicial decryption orders (higher for terrorism/organised crime). In March 2025, the National Assembly rejected a “ghost participant” proposal that would have forced messaging platforms to allow hidden law enforcement access to encrypted chats. An encryption backdoor provision in the Narcotrafficking Law (requiring platforms to provide decrypted messages within 72 hours) was also rejected, with Signal threatening to withdraw from France.[18]

Data Retention

The Council of State validated generalized retention of connection data, ruling that the national security threat justifies it while requiring periodic government reassessment. Intelligence can retain metadata up to 6 years. The national security justification has been continuously reaffirmed since 2015 with no reduction in retention obligations.[19]

Age Verification: Identity Infrastructure as Surveillance

France has implemented mandatory age verification for online pornography (effective January 11, 2025, Law 2024-449). Platforms must implement digital ID verification, biometric analysis, or document checks — simple “I am 18” declarations are explicitly insufficient. Enforcement authority Arcom can impose fines up to EUR 150,000 or 2% of worldwide turnover. In February 2025, the scope was extended to 17 services in other EU member states, asserting French jurisdiction over non-French platforms.[26]

France’s “double anonymity” principle attempts to separate identity from content: the site does not know the user’s identity, and the verification provider does not know which sites the user visits. However, any age verification system necessarily creates metadata linking an individual to age-restricted content access at a specific time. The infrastructure required — centralised verification services, government-approved identity checks, platform integration — creates a surveillance-capable architecture that could be repurposed beyond its original scope. A CJEU referral (March 2024, Advocate General opinion September 2025) may determine whether France’s extraterritorial enforcement is compatible with the e-Commerce Directive’s country-of-origin principle.[27]

The National Assembly also adopted a social media ban for under-15s (January 27, 2026, 130–21 vote), requiring platforms to verify all users’ ages and obtain parental consent for minors. Combined with the pornography verification mandate, France is building one of the most extensive government-mandated age verification infrastructures in any democracy — creating identity verification touchpoints across the internet that did not previously exist.[28]

International Data Sharing Agreements

Mutual Legal Assistance: Layered Framework

EU Member States (26 countries): EU MLA Convention 2000, Schengen Convention, and EIO. France was an original Prüm Convention signatory (2005) and participates in automated DNA, fingerprint, and vehicle data exchange; Prüm II (2024) adds facial images and police records.

Council of Europe (50 signatory states): European Convention on MLA 1959 + Additional Protocols.

Bilateral MLAT with the United States: Ministry of Justice serves as central authority. 10-month average processing times.[20]

Francophone cooperation: Extensive bilateral MLA treaties and judicial cooperation with former colonial territories across Africa, the Middle East, and Southeast Asia.

French Blocking Statutes

Modernised 2022, designed to protect against unilateral US law enforcement requests. However, they apply only to unilateral requests and do not prevent data sharing through MLATs, the EU-US Umbrella Agreement, Nine Eyes channels, or EU frameworks like SIS II and Prüm. The result: blocking statutes provide limited practical protection against the web of multilateral data sharing frameworks.[21]

Nine Eyes Intelligence Sharing

Under the Lustre agreement, DGSE exchanges raw SIGINT with the NSA. The Nine Eyes framework creates reciprocal bypass: French intelligence can collect on Five Eyes persons and share back; partner agencies can collect on French persons and share with French intelligence, bypassing CNIL oversight and French judicial warrants.[22]

EU and Multilateral Frameworks

  • SIS II: Real-time query and alerts across Schengen
  • EU-US Umbrella Agreement: French citizens get judicial redress before US courts
  • SWIFT/TFTP: International wire transfers subject to US Treasury subpoena
  • PNR: Passenger data for France-US flights
  • Interpol I-24/7 (195 countries)
  • Egmont Group: Tracfin shares financial intelligence across 164+ FIUs
  • Europol: Including FBI cooperation channel

The Privacy Backdoor Effect

Despite GDPR enforcement by CNIL and French blocking statutes, international agreements create alternative access:

  • Nine Eyes/Lustre: NSA can collect on French persons and share with French intelligence, bypassing judicial oversight; DGSE can collect on partner nations’ persons and share back
  • MLAT Bypass: US requests via MLAT circumvent blocking statutes, with potentially lower evidentiary standards than French judicial warrants
  • Marseille Cable Access: DGSE intercepts Europe-Asia/Africa traffic in bulk under Article L.854-1 with no CNCTR prior opinion
  • EU Framework Sharing: French person data in SIS II, Prüm, or EIO channels accessible to 27 EU states and through Europol to US FBI
  • SWIFT/PNR: Financial transactions and air travel data subject to US access

Recent Developments

Narcotrafficking Law Surveillance Provisions Struck Down (June 2025): The Conseil constitutionnel struck down Article 15 (extending algorithmic black boxes from counterterrorism to drug trafficking) as disproportionate, along with provisions for direct intelligence access to tax databases. An encryption backdoor provision was separately rejected by the National Assembly. AVS (algorithmic video surveillance) extension to 2027 was also censured. France has no operative statutory basis for AI video surveillance as of early 2026.[23]

Ghost Participant Encryption Backdoor Rejected (March 2025): The National Assembly rejected requiring messaging platforms to allow hidden law enforcement access to encrypted chats. France’s existing authorities (including device-based spyware) already provide lawful access to encrypted content.[18]

Algorithmic Video Surveillance: Olympics Experiment Expired (March 2025): The 2023 Olympic AVS authorisation expired March 31, 2025. Police pushed for permanence; CNIL warned of a “ratchet effect.” The push to extend via transport security law was censured by the Conseil constitutionnel in April 2025.[24]

Chat Control: France generally supports the EU CSA Regulation. The November 2025 Council general approach dropped mandatory encrypted scanning but preserved “high-risk” service mitigation measures. However, the EU Parliament rejected the voluntary scanning extension on March 26, 2026 (311–228), and the ePrivacy derogation expired April 3, 2026.[25]

CNIL Enforcement (January 2026): The CNIL fined FREE MOBILE €27M and FREE €15M (January 13) for data security failures affecting 24 million subscriber contracts including IBANs. Separately, France Travail received a €5M fine (January 22) for failing to secure job seekers’ data, where identified security measures were documented in impact assessments but never implemented. The CNIL’s 2025 sanctions totalled a record €486.8 million.[29]

NIS2: Loi Résilience (Q1 2026): France’s NIS2 transposition law (Loi relative à la résilience des infrastructures critiques) is in the final stages, expected to be signed and published in the Journal Officiel in Q1 2026. ANSSI technical décrets anticipated Q2 2026. The law will bring approximately 15,000 entities into scope. The European Commission’s infringement proceedings remain active.[30]

CNIL Designated as AI Act Authority: As of February 2026, the CNIL is the national supervisory authority for the EU AI Act in France, with power to sanction prohibited practices and audit transparency of high-risk AI systems.[30]

Sources

[1] Légifrance: Intelligence Act 2015 – Algorithmic black boxes, authorised techniques, Code of Internal Security
[2] CNIL: Sanctions Statistics – EUR 486.8M in 2025, EUR 55M in 2024, 83 sanctions
[3] The Guardian: France’s NSA – Lustre Agreement – Nine Eyes, bilateral SIGINT partnership
[4] Submarine Cable Map – Marseille 17+ cable systems, Europe’s largest hub
[5] CNIL: At a Glance – Independence, 18-member College, oldest DPA
[6] CNIL: 2024 Annual Report – EUR 30.6M budget, 301 FTE, 17,772 complaints
[7] CNCTR: Annual Reports – 24,308 persons, 98,883 authorisations, computer data collection doubled
[8] International Electronic Communications Law (November 2015) – Article L.854-1, bulk interception, no CNCTR prior opinion, 6-year metadata retention
[9] Amnesty International: France SILT Law (2017) – Permanent emergency powers, MICAS, no evidence disclosure
[10] Wikipedia: DGSE – Direction Technique, ROEM, CRE stations
[11] Wikipedia: Operation Dunhammer – NSA surveillance of French officials via Danish cables
[12] Bart Jacobs: Maximator (2020) – France joined 1985, encryption-defeat cooperative
[14] Amnesty: Pegasus Project – Macron, French officials on target list
[15] Submarine Cable Map – Marseille hub: SEA-ME-WE 3/4/5/6, AAE-1, ACE, IMEWE, 2Africa
[16] France-IX – ~500 members, Paris and Marseille exchanges
[17] Orange Marine – 7 cable ships, ~50 maintenance operations/year
[19] Conseil d’État: Data Retention – Generalized retention validated, periodic reassessment
[20] DOJ Office of International Affairs – France-US MLAT
[21] French Blocking Statutes (2022) – Limited to unilateral requests, bypassed by MLATs and EU frameworks
[22] Privacy International: Five Eyes / Nine Eyes – Reciprocal surveillance bypass, warrant bypass
[23] Conseil constitutionnel: Decision 2025-885 DC (June 12, 2025) – Narcotrafficking Law Art. 15 struck down, tax database access censured
[24] CNIL: Algorithmic Video Surveillance “Ratchet Effect” Warning – Olympics AVS expired, permanence push, CNIL concerns
[26] Arcom: Age Verification for Pornographic Content – Law 2024-449, mandatory verification January 2025, double anonymity, EUR 150K/2% penalties, extraterritorial enforcement to 17 EU services
[27] CJEU: Case C-348/24 (French Age Verification Referral) – Conseil d’État referral March 2024, AG opinion September 2025 on e-Commerce Directive compatibility
[28] France 24: MPs Adopt Social Media Ban for Under-15s (January 27, 2026) – 130–21 vote, age verification mandate, parental consent
[29] CNIL: Data Breach – FREE MOBILE and FREE Fined €42 Million (January 13, 2026) – 24 million subscriber contracts, IBANs exposed; France Travail €5M (January 22); 2025 sanctions totalled €486.8M
[30] Copla: NIS2 France Implementation (2026) – Loi Résilience expected Q1 2026; ANSSI décrets Q2 2026; ~15,000 entities; CNIL designated AI Act authority