Preventing unauthorized access to information can be a matter of life or death, especially where our most vital infrastructure is concerned: communications networks, the power grid and health systems. Encryption is essential to that security. Yet, while most ICT users rely on encryption every day, the legal framework governing the right to use it differs widely from one country to the next, which makes understanding and complying with encryption laws and policies internationally a real challenge. In this post, Raphaël Barazza focuses on the national controls on encryption in France.
INTRODUCTION: Definition of encryption
Encryption is the application of cryptographic techniques to convert data into an unreadable ("encrypted") form in order to safeguard sensitive information.
Cryptography, of which encryption is the best-known application, serves several distinct needs:
- Confidentiality: making information unreadable to anyone other than its intended recipient, whether the message is intercepted accidentally or deliberately;
- Access control: restricting access to sensitive data or servers to selected authorized users (the hashing of Unix passwords, for example);
- Data integrity: ensuring that data has not been tampered with, a property provided by message authentication codes or digital signatures rather than by encryption alone;
- Identification: verifying the identity of the communicating parties and the authenticity of the message.
Historically, cryptography was first used by governments, armed forces and intelligence agencies to protect highly sensitive information from foreign powers. The first civilian use of DES (Data Encryption Standard) dates back to 1977, a year often taken as the birth date of modern cryptology.
The large hi-tech companies quickly realized that encryption, like the Internet itself, was about to become a flourishing business and invested heavily in it. Lawmakers soon moved to regulate the budding industry.
I / Legal Control of Encryption in the EU
On 27 March 1997, the Organisation for Economic Co-operation and Development (OECD) adopted its Guidelines for Cryptography Policy. These guidelines advocate the liberalization of cryptographic means in order to foster the emergence of electronic business. The development of encryption contributes greatly to electronic commerce, notably by ensuring that confidential bank account information does not fall into the hands of ill-intentioned people.
In the European Union, most products incorporating encryption functions are classified as dual-use goods or war material and are subject to export control. They are treated as such because the technology surrounding encryption and cryptology may be employed for both military and civilian purposes.
The means of cryptology fall under the category of "dual-use" goods: they are listed in Category 5, Part 2 ("Information Security") of Annex I of Council Regulation (EC) No 428/2009, as amended.
Cryptology programs designed to perform cryptanalysis are subject to stricter rules: they appear among the more sensitive items listed in Annex IV of Regulation 428/2009, for which even transfers within the EU require an authorisation.
While the European Union sets the regulations, it is the duty of the member states to enforce them. France adds a further layer of controls on encryption that goes beyond the one set forth by the EU.
Indeed, whereas the use of means of cryptology in France is unrestricted, their supply, import, intra-EU transfer and export are regulated and subject to various administrative steps.
II / French domestic control of Encryption
Under French law (art. 29 of Law No. 2004-575 of 21 June 2004 on Confidence in the Digital Economy (LCEN)), the means of cryptology are defined as "any hardware or software designed or modified to transform data, whether information or signals, by means of secret conventions, or to perform the reverse operation with or without a secret convention. These means of cryptology are primarily intended to ensure the security of data storage or transmission, by guaranteeing their confidentiality, their authentication or the control of their integrity."
The means of cryptology are subject to a specific control by the French authorities, which require that such means be declared or authorized before they are the object of intra-Community transfers, import or export from or to France.
These steps are the responsibility of the manufacturer or author of the means of cryptology and are carried out with the National Agency for the Security of Information Systems (hereafter ANSSI). This agency, attached to the Prime Minister and created by Decree No. 2009-834 of 7 July 2009, records declarations and examines requests for authorization of cryptology equipment.
The requirements also vary depending on the technical functionalities of the means and the planned commercial operation (supply, import, export, etc.). It should be noted that the concepts of supply, import and export also cover intangible transfers, such as software delivered over a network.
In order to import cryptology equipment or software into France, including from another EU member state unless specifically exempted, a declaration must be filed with the ANSSI at least one month before the operation. Transfers from France to other EU member states, or from such member states to France, are likewise subject to prior declaration.
Unlike imports and intra-EU transfers, which are subject to a declaration made by the manufacturer or author to the ANSSI, exports fall under a more particular regime, and the formalities differ depending on the destination.
On the one hand, exports to "allied countries" (Australia, Canada, the USA, etc.) benefit from a Union General Export Authorisation granted by Council Regulation (EC) No 428/2009. These products only need to be declared, and exporters of such equipment may apply for the general EU001 licence issued in France by the Service for Dual-Use Goods (SBDU). Exporters relying on this general authorisation are, however, subject to extra formalities: they have an obligation of self-assessment and must report the details of their operations to the ANSSI on a regular basis.
On the other hand, exports to third countries are subject to the full set of administrative formalities. The exporter must first hold a copy of the authorization for the product concerned, issued by the ANSSI; applications for authorization must be filed at least four months before the operation. Only then may the exporter apply for a licence from the SBDU. It is up to the exporter either to obtain a copy of the ANSSI documents from his supplier or to deal directly with the ANSSI.
Last but not least, operators who fail to comply with these formalities expose themselves to heavy fines, the confiscation of their products and even prison sentences.
The European Union offers flexible rules for trading encryption within the Union and with allied nations; given the sensitive nature of these dual-use products and software, it is only sensible that heavier restrictions apply when they are traded with third countries.
The examination of the required formalities and the issuance of the necessary documents for the trade of these products nevertheless remain the purview of national authorities.
Traders should therefore be aware of national peculiarities within the EU, and the French national controls on encryption are a good example of stringent control over trade. Failing to fulfil the requirements imposed by the French authorities results in administrative complications and delays, if not criminal sanctions.
Raphaël Barazza is a member of the Paris Bar. He represents domestic and international clients in a wide range of trade-related legal matters.
He acts for clients in customs investigations and audits and advises on various compliance matters. Mr. Barazza has acquired significant experience in export control and sanction matters and regularly assists clients facing audits or in the implementation of compliance processes.
He is a frequent speaker in various international and export control related conferences.
He is co-author of Dual use export control of the European Union (published by WorldECR Journal of export controls and sanctions).
Raphaël Barazza is a member of the Association for Trade & Investment Controls Attorneys.
- Category 5, Part 2 of Annex I of Council Regulation (EC) No 428/2009 (as amended by Delegated Regulation (EU) No 1382/2014)
- Decree No. 2001-1192 of 13 December 2001
- Order (arrêté) of 13 December 2001
- Articles 30 to 36 of Law No. 2004-575 of 21 June 2004
- Decree No. 2007-663 of 2 May 2007
- Decree No. 2009-834 of 7 July 2009
- Order (arrêté) of 29 January 2015