Key Benefits:
The National Commission on Informatics and Liberties,
Seizure by the Minister of Justice of a request for an opinion on a draft decree in the Council of State amending the Decree No. 2014-1162 of 9 October 2014 establishing an automatic processing of personal data referred to as " National platform for judicial interception ",
Having regard to Council of Europe Convention 108 for the protection of persons with regard to the automatic processing of personal data;
In view of Parliament Directive 95 /46/EC European and Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and the free movement of such data;
In view of the Code of Criminal Procedure, in particular its Articles 74-2, 60-2, 77-1-2, 99-4, 80-4,100 to 100-7, 706-95, R. 40-42 to R. 40-56;
Code Posts and electronic communications, in particular Articles L. 34-1, R. 10-12 to R. 10-14;
In view of the amended Act No. 78-17 of 6 January 1978 relating to computers, files and freedoms, in particular its Articles 26-II and 30;
Vu Decree No. 2005-1309 of 20 October 2005 as amended for the application of Act No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;
In light of Decree No. 2007-115 of 30 July 2007 on the creation of a treatment Automated personal data named " System for the transmission of judicial interceptions " ;
In view of Decree No. 2011-219 of 25 February 2011 on the retention and disclosure of data to identify any person who has contributed to the creation of online content, in particular its Article 1;
Given the Decree No. 2014-1162 of 9 October 2014 creating an automated processing of personal data called " National Platform for Judicial Interceptions " ;
In view of the de-deliberation n ° 2014-009 of 16 January 2014 concerning a draft decree authorising the implementation of an automated processing of personal data known as " National Platform for Judicial Interceptions " ;
After hearing Mr. Gaétan GORCE, Commissioner, in his report, and Mr. Jean-Alexandre SILVY, Commissioner of the Government, in His observations,
Emet the following opinion:
The Committee was referred by the Minister of Justice for a request for an opinion on a draft decree amending Decree n ° 2014-1162 of 9 October 2014 establishing an automated processing of Personal data named " National Platform for Judicial Interceptions " (PNIJ), taken after the opinion of the Commission dated 16 January 2014.
Article 1 of the aforementioned decree of 9 October 2014 on the implementing rules for the NPC treatment was codified in Articles R. 40-42 to R. 40-56 of the Code of Procedure CPP. Article 4 of the said Decree is related to the repeal of Decree No. 2007-1145 of 30 July 2007 establishing an automatic processing of personal data known as " System for the transmission of judicial interceptions " (STIJ), to which the PNIJ is to succeed.
On the postponement of the repeal of Decree No. 2007-1145 of 30 July 2007 on the STIJ
The purpose of the NPC is to centralise the connection data set out in Articles L. 34-1 of the Code. Posts and electronic communications (CPCE) and 6-I1 of Act No. 2004-575 of 21 June 2004, as amended (LCEN), obtained in the context of a judicial requisition pursuant to Articles 60-2, 77-1-2 and 99-4 of the Code of Criminal Procedure (CPP), And, on the other hand, data from the interceptions of correspondence issued by the Telecommunications, made on the basis of sections 74-2, 80-4,100 to 100-7 and 706-95 of the PPC.
In effect, prior to the implementation of this platform, electronic communications interception devices and requisitions Connection data was based on a heterogeneous and decentralized system.
Thus, connection data requirements were made directly by the investigator to the electronic communications operator, the access provider to the Internet (ISP) or the host, without a common tool being put to the Provision of investigators and operators.
In the case of judicial interceptions, no treatment allowed the centralisation, within a dedicated device, of the content of all communications intercepted in the context of Judicial procedures. The STIJ, created by decree of 30 July 2007, nevertheless allows the judicial authority to have the content of the minimessages (SMS or MMS) emitted or received by a telephone number whose line is intercepted, as well as traffic data
PNIJ is thus intended to replace the STIJ and centralize these two types of requisitions. This is why it is foreseen, in Article 4 of the aforementioned decree of 9 October 2014, to repeal Decree No. 2007-1145 of 30 July 2007 on the STIJ six months after the implementation of the NPC and by 31 December 2015
the latest. Ministry has agreed to proceed with the deployment of the platform in a progressive manner, so that it will not be completed by 31 December 2015. The proposed amendment is therefore intended to allow a postponement of the repeal of the decree of 30 July 2007 as at 31 December 2016.
More specifically, the Ministry of Justice initially limited the investigative services participating in the The pilot phase. The opening of the NPC to all investigative services will take place, depending on the areas of defence to which they belong, between October 2015 and the second half of 2016.
The Ministry of Justice has also gradually opened up The various benefits that may be claimed. Thus, only the connection data, mentioned in the 3 ° of article R. 40-46 of the PPC, were initially processed through the PNIJ. Interception requisitions have subsequently been opened to the IJI.
The current version of the NPC does not technically allow for the processing of the data provided for in Article R. 40-46-2 ° of the PPC (data relating to electronic communications Subject to real-time geolocation measurement). Similarly, the speaker's voice recognition function is not available. Subsequent developments in the NJNP will gradually allow for these functionalities to be taken into account.
This progressive deployment of the NPC allows to test the effectiveness of the system, both from a procedural and security point of view. Processed data. The Panel acknowledges that this ensures that the data is processed in accordance with the terms and conditions set out in sections R. 40-42 to R. 40-56 of the PPC. In general, the Ministry is of the opinion that the use of the NPC in this pilot phase is satisfactory, in terms of both the speed of processing of the requisitions and the responses of operators and of the security of the operators. The
finally notes that the aforementioned decree of 30 July 2007 provides for a retention period in the STIJ of the content of the minimessages and connection data limited to 30 days, since these data are then transferred to the post Of the investigator, who thus retains full availability. Information on the recipients of judicial interception is retained in the STIJ for a period of three years from the date of registration.
However, the Commission took note in its deliberation of 16 January 2014 mentioned above that no data from the STIJ would be taken up in the NPC. The repeal of the decree on the STIJ will therefore have to be accompanied by the deletion of all the data recorded there. The Commission therefore questions the fate of the data coming from the STIJ and transferred to the investigators' work station.
In this regard, it points out that, in its deliberation of 16 January 2014, it considered that the registration of Data on the computer workstations of the investigators does not adequately ensure the security and in particular the confidentiality of the recordings.
The Committee therefore wishes to be kept informed of the measures taken by the Ministries of the Interior and Justice to ensure that data from the STIJ and Transferred to the investigators' work station in accordance with the provisions of sections R. 40-42 to R. 40-56 of the PPC.
On this reserve, the Commission considers that the postponement of the repeal of the Order in respect of STIJ does not pose any particular difficulties.
On the other hand, it notes that if the NCCP also allows for the transfer of all or part of the communications on the investigator's workstation, the Chancery indicated that no need for Transfer of all or part of the intercepted communications on the workstation of a Investigator was not expressed during the pilot phase. In view of the security risks associated with this practice, the Committee draws the attention of the Ministry to the need to limit, by technical measures, the implementation of this functionality only to situations which
On taking into account by the Ministry of Justice the observations made by the committee in its previous deliberation
Beyond the envisaged change, the committee recalls that it had estimated, with regard to the scale of the The data processed and the nature of the acts of investigations concerned, than of measures Legal and technical measures should be provided to ensure a high level of data protection. It had also indicated that it would be particularly attentive to the actual deployment conditions of the platform.
Thus, it noted that several of its security recommendations would be implemented by the Ministry of Justice, according to different deadlines: A regular reassessment of the level of risks will now be implemented, an automatic mechanism for detecting traces whose shelf life has expired and a regular synthesis of these traces will be developed in the Future versions of the NPC.
In addition, the Commission points out that adequate security measures must also be implemented by operators. In this regard, section R. 15 -33-72 of the PPC provides that a protocol passed by the Minister of Justice and, as the case may be, the Minister of the Interior or the Minister responsible for the budget, with the agencies that make available to investigators Electronic data in the course of judicial investigations, specifies the technical procedures for the interrogation and transmission of information and that a copy of each signed protocol must be addressed to the CNIL on the occasion of the filing of the As required by the law of January 6, 1978, as amended
Provisions, the Commission has been addressed to five protocols, the review of which will enable it to provide additional control over the security measures surrounding the device.
Finally, with regard to the control arrangements for the IJI, Whereas Article R. 40-53 of the CPP does not provide for the return of the commission to the report established by the qualified personality in charge of the control of the NPC, which it had deplored in its deliberation of 16 January 2014, the Ministry of Justice said that a copy of the report would be sent to it. The Commission takes note of this commitment, which will allow for better control over the implementation of the IJ NP.
The President,
I. Falque-Pierrotin
