France

Free
76
100
A Obstacles to Access 22 25
B Limits on Content 30 35
C Violations of User Rights 24 40
Last Year's Score & Status
75 100 Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.

header1 Overview

France registered a slight improvement in internet freedom during the coverage period, despite lingering concerns about censorship and surveillance stemming from counterterrorism measures passed after the 2015 terrorist attacks. The internet remains accessible for most of the population. Website blocks and content removals are typically subject to careful judicial or administrative oversight. However, electronic surveillance has increased in both scope and frequency. The coverage period also saw spikes in online content manipulation surrounding the European Union (EU) parliamentary elections and the ongoing yellow vest protest movement.

The French political system features vibrant democratic processes and generally strong protections for civil liberties and political rights. However, due to a number of deadly terrorist attacks in recent years, successive governments have been willing to curtail constitutional protections and empower law enforcement to act in ways that impinge on personal freedoms.

header2 Key Developments, June 1, 2018 – May 31, 2019

  • With the advent of the EU General Data Protection Regulation (GDPR), complaints about the misuse of personal data spiked: the National Commission on Informatics and Liberty (CNIL) received more than 11,900 complaints in 2018, an increase of 32 percent. In January 2019, the CNIL levied the highest fine yet under the GDPR, a 50 million euro ($55 million) fine against Google for processing personal data for advertising purposes without valid authorization (see C5 and C6).1
  • French companies and institutions were frequently attacked through ransomware during the coverage period, reflecting global trends in cybercrime (see C8).
  • In April 2019, internet service providers (ISPs) were ordered to block two well-known websites engaged in piracy, Sci-Hub and LibGen, both of which offer free access to millions of paywalled academic papers (see B1).

A Obstacles to Access

The internet penetration rate continued to increase, although regional disparities persist. The current information and communication technologies (ICT) market is open, highly competitive, and has benefited from the privatization of the state-owned company France Telecom (now Orange).

A1 1.00-6.00 pts0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 6.006 6.006

Infrastructural limitations generally do not restrict access to the internet. According to 2018 EU data, France has a fixed broadband internet penetration rate of 42.97 percent and a mobile penetration rate of 90.52 percent.1 Between 82 and 89 percent of households had access to the internet as of 2018.2

Committed to providing widespread access to high-speed broadband with connection speeds of at least 30 Mbps, the government has been implementing an ambitious national plan to deploy fiber-optic, very high speed digital subscriber line (VDSL), terrestrial, and satellite networks throughout the country by 2022, mobilizing public and private investments totaling €20 billion ($22 billion) over ten years.3 By early 2019, high-speed broadband coverage had reached 57 percent, according to the Regulatory Authority for Electronic Communications and Post (ARCEP), the telecommunications regulator.4

Reforms approved in 2015, known as the “Loi Macron,” sought to improve mobile broadband coverage by requiring mobile service providers to deploy 2G networks in underserved municipalities by 2016 and ensure 3G/4G coverage by 2017.5 According to a 2017 ARCEP report, between 67 and 74 percent of rural areas had 4G coverage, depending on the service provider.6 However, according to current ARCEP data, the 4G networks of three major mobile service providers cover more than 99 percent of the metropolitan French population, while the fourth major provider’s 4G coverage extends to 93 percent of the same population.7 5G networks are expected to be deployed in 2020.8

Internet speeds are high. According to May 2019 data from Ookla, the average download speed on a fixed broadband connection was 115.8 Mbps, while the average mobile download speed was 45.8 Mbps.9 For both types of connections, France ranks among the top 20 countries in the world.

A2 1.00-3.00 pts0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 3.003 3.003

Internet connections are relatively affordable. In 2019, the Economist Intelligence Unit ranked France seventh out of 100 countries in terms of the affordability of connections.1 According to 2017 International Telecommunications Union (ITU) data, a monthly entry-level fixed broadband subscription cost 0.89 percent of gross national income (GNI) per capita, while a 1 GB monthly mobile data plan cost 0.36 percent of GNI per capita.2 Both prices were lower than those in neighboring Germany and the United Kingdom.

There are a number of Internet Exchange Points (IXPs) in France,3 which contribute to improved access and lower consumer prices.4

However, demographic disparities in internet usage persist. A map produced by ARCEP illustrates some of the regional disparities in mobile penetration, showing patchy 4G coverage in rural areas and overseas territories.5 Most at-home users have access to broadband connections, while the remaining households, usually in rural areas, must rely on dial-up or satellite services.6 There are no significant digital divides in terms of gender or income.

A3 1.00-6.00 pts0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 6.006 6.006

There were no restrictions on connectivity reported during the coverage period. There is no central internet backbone, and ISPs are not required to lease bandwidth from a monopoly holder, as is the case in other countries. Instead, the backbone consists of several interconnected networks run by ISPs and shared through peering or transit agreements. The government does not have the legal authority to restrict the domestic internet during emergencies.

A4 1.00-6.00 pts0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 3.003 6.006

There are no significant business hurdles to providing access to digital technologies in France. Service providers do not need to obtain operating licenses.1 However, the use of frequencies (for mobile networks) is subject to strict licensing by ARCEP.2 Only four providers are licensed in this regard: Orange, Free, Bouygues Telecom, and SFR.3 Others, such as NRJ Mobile, make use of these providers’ networks, reselling internet and mobile services.4

Orange, Free, Bouygues Telecom, and SFR dominate both the fixed and mobile markets. Competition between these four providers is fierce, but there is little room for other players to compete.

In 2017, ARCEP announced that it would impose certain constraints on market leader Orange in an effort to open up competition for high-speed fiber services among small- and medium-sized companies.5 The government is the main (but not majority) shareholder in Orange.

A5 1.00-4.00 pts0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 4.004 4.004

The telecommunications industry is regulated by ARCEP,1 while competition is regulated by Competition Authority and, more broadly, the European Commission (EC).2 ARCEP remains an independent and impartial body, and regulatory decisions are usually seen as fair. ARCEP is governed by a seven-member college. Three members are appointed by the president, while the National Assembly and Senate appoint two each.3 All serve six-year terms. As an EU member state, France must ensure the independence of its telecommunications regulator. Given that the government is the main shareholder in Orange, the leading telecommunications company, the EC stated in 2011 that it would closely monitor the situation in France to ensure that European regulations were met.4

The Digital Republic Act enacted in 2016 broadened ARCEP's mandate, granting the body investigatory and sanctioning powers to ensure compliance with the principle of net neutrality introduced by the law.5 In 2017, ARCEP reiterated its commitment to promote net neutrality and digital transformation.6

B Limits on Content

The government continued to actively legislate the digital public sphere. In December 2018, Parliament passed a law aimed at fighting disinformation around elections. In February 2019, President Emmanuel Macron announced a complementary proposal aimed at curbing online hate speech and ending impunity on social networks. The text was being discussed in Parliament at the end of coverage period. The coverage period saw widespread digital mobilization in the form of the yellow vest protest movement, although disinformation accompanied the movement’s growth.

B1 1.00-6.00 pts0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content? 5.005 6.006

The government does not generally block web content in a politically motivated manner. All major social media platforms are available.

However, France is one of the few countries that has blocked two well-known websites engaged in piracy, Sci-Hub and LibGen, which offer free access to millions of paywalled academic books, journals, and papers. Following a complaint from academic publishers Elsevier and Springer Nature, a court ordered the four major ISPs to block the two websites in April 2019.1

Earlier, in December 2018, a court, acting on a complaint from six associations fighting movie piracy, ordered the same set of ISPs to block seven illegal streaming websites.2

Since the 2015 terrorist attacks in Paris, terrorist-related content and incitements to hatred have been subject to censorship. In November 2018, a Paris court ordered nine French ISPs to block Participatory Democracy, a racist, anti-Semitic, and anti-LGBT+ French-language website hosted in Japan that was inciting hatred. The website is affiliated with French far-right and extremist communities.3

A decree issued in 2015 outlined administrative measures to block websites containing materials that incite or condone terrorism, as well as sites that display child abuse.4 Shortly after the decree was promulgated, five websites were blocked with no judicial or public oversight for containing terrorism-related information.5 In the ensuing years, many more websites have been blocked in France. According to the data protection agency CNIL, the Central Office for the Fight against Crime Related to Information and Communication Technology (OCLCTIC) issued 879 blocking orders to ISPs between March 2018 and February 2019, compared to 763 during the previous period. Among the orders were 82 sites targeted for hosting terrorism-related information; the remaining 797 were targeted for displaying child abuse.6 The CNIL does not offer details on the content of blocked websites, but it does disclose the OCLCTIC censorship decisions that it disputes. During the coverage period, CNIL disputed three such decisions, all related to content removals rather than website blocks (see B2).7

B2 1.00-4.00 pts0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content? 2.002 4.004

The government sometimes orders online platforms to delete or deindex content. For example, in December 2018, after a year of heated debate, a French court ordered Google to deindex search engine results related to seven illegal streaming websites for a year.1

According to Google’s transparency report, the government issued 244 requests to remove content in the first half of 2018, invoking national security in a majority (54 percent) of cases.2 Google acceded to 71 percent of these requests. In 2018, Facebook “restricted access” to 667 items of content in France, the plurality of which related to Holocaust denial.3 Not all of these items were restricted at the government’s request; 208 of the 667 items were restricted “in response to private reports of defamation,” for example. Facebook did not disclose how many content removal requests it received. In 2018, Twitter received 243 removal requests in France, including two court orders.4 The company acceded to about 5 percent of these requests. Finally, from July to December 2018, Microsoft received 206 content removal requests from the government.5 The company acceded to 74 percent of these requests.

A government decree issued in 2015 allows for the deletion or deindexing of online content related to child abuse and terrorism using an administrative procedure supervised by CNIL.6 According to CNIL, between March 2018 and February 2019, the OCLCTIC issued 18,014 removal requests (a decrease from the previous year’s 34,110) targeting such content as well as 6,581 deindexing requests (compared to 3,115 the previous year).7 Content was deleted in response to 13,421 removal requests (75 percent of the total number issued), 6,625 of which related to child abuse and 6,796 of which related to terrorism. CNIL disputed two removal and deindexing requests, successfully reversing the deindexing of a satirical tweet.8 In addition, CNIL referred a third set of requests, which concerned online articles about police vehicle arson, to a court.9 The court found that the requests were invalid because, in its judgement, the articles neither incited nor condoned terrorism.

In a separate CNIL report, the authority noted that it had received 373 right to be forgotten (RTBF) deindexing requests in 2018 after search engines had rejected them.10 The RTBF was introduced in France in 1995 and institutionalized throughout Europe with the implementation of the GDPR in May 2018.11 During the coverage period, Google deindexed some 53,198 URLs in France under the RTBF.12 Between July and December 2018, Microsoft deindexed just 945 URLs in France under the RBTF.13 Both companies deindexed only about half the URLs requested by users and other entities in France.

Technology companies also proactively removed content during the coverage period. Facebook withdrew over 10,000 ads in early 2019 because they violated its new political advertising policy. Some of the deleted ads were EU-sponsored posts encouraging participation in the upcoming EU parliamentary elections, posts by nongovernmental organizations (NGOs) including Greenpeace, Médecins du Monde, and UNICEF, and posts promoting media outlets (including Le Figaro).14 Similarly, Twitter’s guidelines on political content led the company to block a government-sponsored voter registration ad campaign in April 2019.15 These guidelines were adopted in reaction to France’s new law against election-related “fake news” (see B3).

B3 1.00-4.00 pts0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 3.003 4.004

Authorities are fairly transparent about what content is prohibited and the reasons behind specific content removal requests. Incitement of hatred, racism, Holocaust denial, child abuse and pornography, copyright infringement, and defamation1 are illegal and may be grounds for blockings or takedowns. Article R645-1 of the criminal code outlaws the display of the emblems, uniforms, or badges of criminal organizations under penalty of a fine and can justify blockings or takedowns of such symbols when they appear online.2

Notably, in December 2018, Parliament passed a law first proposed by President Macron that aims to combat disinformation around elections by empowering judges to order the removal of “fake news” within three months of an election.3 The proposal was rejected twice by the Senate before it was passed. The law places a significant strain on judges, who will have 48 hours to decide whether a website is spreading fake news following a referral by a public prosecutor, political party, or interested individual. Under the law, social media platforms are also required to disclose who is paying for sponsored ads during electoral campaigns.4 Commentators have expressed concern that the law could be used as a political tool.5

In February 2019, President Macron announced a complementary proposal to act against all forms of hate speech and put an end to impunity on social networks.6 In July 2019, after the coverage period, the proposal was formally introduced as a bill in Parliament.7 It is modelled, at least in part, on Germany’s Network Enforcement Act, or NetzDG. The EU Directive on Copyright in the Digital Single Market is also on the legislative horizon and must be implemented at the national level in all EU member states, including France, following the measure’s final approval in Brussels in April 2019.

A decree issued in 2015 outlined administrative measures to block websites containing materials that incite or condone terrorism, as well as sites that display child pornography (see B1). The decree implemented Article 6-1 of the Law on Confidence in the Digital Economy (LCEN), passed in 2004, as well as Article 12 of a new antiterrorism law passed in 2014.8 The OCLCTIC is responsible for maintaining a blacklist of sites that contain prohibited content, and must review the list every four months to ensure that blacklisted sites continue to contravene French law. The OCLCTIC can ask editors or hosts to remove the offending content, and after a 24-hour period, it can order ISPs to block sites that do not comply.9 Users attempting to access blacklisted sites are redirected to a website from the Ministry of Interior providing avenues for appeal.

The lack of judicial oversight in the blocking of websites that allegedly incite or condone terrorism remains a concern. The procedure outlined above is supervised by CNIL. As an administrative authority, CNIL can also refer requests to the administrative court system should it object to any action taken by the OCLCTIC. In May 2019, a CNIL official asserted that the body lacks the technical means and human resources to efficiently supervise the OCLCTIC.10 Some commentators have lamented that, while CNIL was founded to protect internet freedom, it is now overseeing restrictions of the online space.11

A government decree issued in 2015 also allows for the deletion or deindexing of online content from search results using an administrative procedure supervised by CNIL (see B2). Under this decree, the OCLCTIC submits requests to search engines, which then have 24 hours to comply.12 The OCLCTIC is responsible for reevaluating deindexed websites every four months and requesting the reindexing of websites when the incriminating content has been removed. CNIL can dispute the OCLCTIC’s orders by recommending an alternative course of action or referring cases to the administrative court system.

Legal debates over the RTBF have also escalated in recent years. CNIL has been battling with Google to enforce the RTBF ruling across all of the sites that can be accessed within the country, including Google.com in addition to Google.fr.13 Google raised concerns that the move would set a dangerous precedent for authoritarian governments, who could also request that Google apply national laws extraterritorially.14 In 2016, Google was fined $112,000 by CNIL for not complying with demands to remove results across its global domains.15 Google appealed to France’s Council of State, which in 2017 decided to refer the matter to the Court of Justice of the European Union (CJEU).16 The case was still under consideration at the CJEU at the end of the coverage period.17

A ruling in 2016 by a Paris court established that Facebook could be sued in France for removing the account of a French user who posted an image of a Gustave Courbet painting of a naked woman. Facebook had argued that cases concerning its terms and conditions could only be heard by a court in the United States. The case was finally judged in March 2018; a French court dismissed the user’s suit. The user appealed this first decision in April 2018.18

B4 1.00-4.00 pts0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 4.004 4.004

Online self-censorship is minimal. However, a proposal aimed at countering online hate speech might lead to increased government oversight of internet users, raising concerns that it could cause greater self-censorship. In January 2019, President Macron said, “We should move progressively toward the end of anonymity” online.1 The proposal was outlined in further detail in February 2019 by then Secretary of State for Digital Mounir Mahjoubi and Secretary of State for Equality Marlene Schiappa; it would, among other things, pressure social media platforms and other websites to provide identifying information about users.2 The full proposal was made public in July 2019 (see B3).3

B5 1.00-4.00 pts0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 3.003 4.004

There were no reports of the government proactively manipulating content online during the coverage period. However, there were strong concerns about disinformation and misinformation campaigns in the run-up to European parliamentary elections held in May 2019. Several online tools were employed to fight against such manipulation, including the EU’s EUvsDisinfo initiative1 and the nonprofit FactCheckEU.2 According to the EC, Facebook “acted specifically against 1,574 nonEU-based and 168 EU-based pages, groups, and accounts engaged in inauthentic behavior targeting EU member states” between January and May 2019.3 Pursuant to the EU’s voluntary Code of Practice on Disinformation, major social media platforms restricted misleading ads ahead of the elections.4

Content manipulation remains a problem outside the context of elections. In March 2019, false reports of child abductions by members of the Roma community spread on social networks, notably Facebook and Snapchat, triggering real-world violence against Roma living in the suburbs of Paris.5

The yellow vest movement that began in France in October 2018 has seen the spread of misinformation in and about the movement’s protests. Traditional media outlets highlighted the spread of fake news within the movement, such as images of violence against protesters in other countries that were wrongly attributed to France.6

B6 1.00-3.00 pts0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 3.003 3.003

France has a long history of anti-piracy laws and regulatory constraints on online content publication. However, users face few obstacles to publishing online.

An antipiracy law administered by the High Authority for the Dissemination of Works and the Protection of Rights on the Internet (HADOPI) was originally passed in 20091 and supplemented by a second law also passed that year.2 HADOPI functions by responding to copyright infringers with a graduated response, starting with an email warning for the first offense, followed by a registered letter if a second offense occurs within six months. If a third offense occurs within a year of the registered letter, the case can be referred to a court, and the offender may receive a fine.3 In 2018, HADOPI filed more than 1,045 referrals to prosecutors. Most fines ranged from €50 to €1,000 ($56 to $1,140).4

A new copyright proposal may increase HADOPI’s power by implementing the newly passed EU Copyright Directive (see B3).5 The proposal is currently in draft form and will likely be debated in early 2020. In its present form, the proposal would, inter alia, blacklist websites that host pirated content and promote the use of measures similar to YouTube’s Content ID on other social media platforms to automatically detect and remove copyright violations.6 It has been criticized by freedom of speech activists who fear that measures like Content ID will limit the ability of content creators to benefit from the fair use of copyrighted materials.7

The net neutrality principle is enshrined in the law. In November 2018, a joint study published by ARCEP and Northeastern University indicated that net neutrality was better respected in France than in the rest of the EU.8

B7 1.00-4.00 pts0-4 pts
Does the online information landscape lack diversity? 4.004 4.004

France is home to a highly diverse online media environment. There are no restrictions on access to independent online media. There is no censorship of platforms providing content produced by different ethnic, religious, or social groups, including the LGBT+ community. However, commentators have observed increased online harassment against LGBT+ users (see C7).1

B8 1.00-6.00 pts0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 6.006 6.006

There are no restrictions on digital mobilization in France. The state and other actors do not block online organizing tools and collaboration websites.

A number of digital rights and advocacy groups, such as Squaring of the Net (LQDN), are active and play a significant role in protesting the government’s recent moves to expand censorship and surveillance measures without judicial oversight.1

The yellow vest movement was rooted in digital mobilization platforms like Change.org, along with social media platforms. The first protests were planned using Facebook, Twitter, and YouTube in May 2018.2 The movement organized its first mass protest in Paris in November 2018 through Facebook. Protests are still organized online every weekend by the yellow vests. When the number of followers of yellow-vest-aligned Facebook groups dropped precipitously in January 2019, some suspected that Facebook was censoring the movement,3 but Facebook asserted that the reduction in followers was due to a change in the platform’s policies for counting followers, seeking to dispel misinformation about the issue.4 After the coverage period, several yellow vest leaders were arrested for organizing “illicit manifestations” on Bastille Day in July 2019.5

C Violations of User Rights

Laws to address threats to national security have bolstered the state’s surveillance powers and introduced stricter measures to tackle terrorist propaganda online. In 2018, a new amendment to the Military Planning Law increased the state’s surveillance capabilities.

C1 1.00-6.00 pts0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 4.004 6.006

Although the constitution guarantees freedom of speech,1 recent actions by the government in response to the 2015 terror attacks have curtailed digital rights in practice. The European Convention on Human Rights, to which France is a signatory, provides for freedom of expression, subject to certain restrictions considered “necessary in a democratic society.”2 Since the Charlie Hebdo attack and November 2015 terrorist attacks in Paris, the government has suggested on a number of occasions that limiting fundamental rights would serve public safety.3

Broad new powers under the state of emergency proclaimed in 2015 have raised concerns among human rights and digital activists.4 While then prime minister Manuel Valls declared that it was a “short term response,”5 the state of emergency was subsequently extended six times until November 2017.6 The state of emergency included provisions on electronic searches7 and empowered the interior minister to take “any measure to ensure the interruption of any online public communication service that incites the commission of terrorist acts or glorifies them.”8 The new counterterrorism law that came into effect in 2017 has also raised concerns among civil rights campaigners for giving prefects and security forces wide-ranging powers with limited judicial oversight. It also introduced a new legal framework for surveillance of wireless communications (see C5).9

C2 1.00-4.00 pts0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities? 2.002 4.004

There are a number of laws that assign criminal or civil penalties for potentially legitimate online activities. In particular, the myriad counterterrorism laws threaten to punish users for such activities. Measures to address terrorism were already in place prior to the 2015-2017 state of emergency. The counterterrorism law passed in 2014 penalizes online speech deemed “apology for terrorism” with up to seven years in prison and a €100,000 ($114,000) fine. Speech that incites terrorism is also penalized. Penalties for online offenses are harsher than offline offenses, which are punishable by up to five years in prison and a €75,000 ($85,000) fine.1

Another counterterrorism and organized crime law enacted in 2016 imposes up to two years in prison or a €30,000 ($34,000) fine for frequently visiting sites that glorify or incite terrorist acts, unless these visits are in “good faith,” such as conducting research.2 The Constitutional Council rejected this law in 2017, arguing that the notion of “good faith” was unclear and that the law was not “necessary, appropriate, and proportionate.”3 An amended version was reintroduced as part of a public security law, imposing prison sentences on users who also “manifest adherence” to the ideology expressed at the visited sites,4 but was once again struck down by the Constitutional Court in December 2017.5 While at least one member of Parliament contemplated reintroducing the law during the coverage period, the government has opposed this effort.6

Defamation can be a criminal offense in France, punishable by fines or, in certain circumstances, such as “defamation directed against a class of people based on their race, ethnicity, religion, sex, sexual orientation or handicap,” prison time.7

C3 1.00-6.00 pts0-6 pts
Are individuals penalized for online activities? 5.005 6.006

While no citizens faced politically motivated arrests or prosecutions in retaliation for online activities, users have been convicted of inciting or apologizing for terrorism online. The broad terms “inciting” and “glorifying” terrorism risk targeting speech that has tenuous connections to terrorist acts.

In June 2019, after the coverage period, a 21-year-old woman was handed a six-month suspended prison sentence for possessing, but not sharing, videos and pictures glorifying terrorism. Following an electronic search, the police found 82 incriminating videos, along with 735 pictures. She was also accused of being in contact with the Islamic State (IS) militant group through social networks.1

In May 2019, a man from the Douai region was sentenced to four years in prison for “apology for terrorism.” Under the pseudonym “Imam of the North,” he organized multiple online campaigns promoting terrorist activities on social networks and on his websites.2

Penalties for threatening state officials are applied to online activities. In May 2019, a man was fined €500 ($570) for sending President Macron a death threat on Facebook.3

In June 2019, Marine Le Pen, leader of the far-right National Rally party, was ordered to stand trial by a correctional court for sharing videos of IS terrorists beheading a journalist on Twitter.4

C4 1.00-4.00 pts0-4 pts
Does the government place restrictions on anonymous communication or encryption? 2.002 4.004

Users are not prohibited from using encryption services to protect their communications, although mobile users must provide identification when purchasing a SIM card, potentially reducing anonymity for mobile communications.1 There are no laws requiring providers of encryption services to install backdoors, but providers are required to turn over decryption keys to the government.2 In June 2019, a drug dealer who was using encryption services refused to unlock his phone during his arrest and was also charged for this refusal. A court later ruled that the suspect was not required to unlock his phone in the absence of a court order, setting a legal precedent.3

Anonymous communication using tools such as Tor is not prohibited.

C5 1.00-6.00 pts0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 2.002 6.006

Surveillance has escalated in recent years, including through the enactment of a new surveillance law in 2015, which was passed in the wake of the attack on Charlie Hebdo that year.

The 2015 Intelligence Law allows intelligence agencies to conduct electronic surveillance without a court order.1 An amendment passed in 2016 authorized real-time collection of metadata not only from individuals “identified as a terrorist threat,” but also those “likely to be related” to a terrorist threat and those who belong to the “entourage” of the individuals concerned.2

The Constitutional Council declared three of the law’s provisions unconstitutional in 2015, including one that would have allowed the interception of all international electronic communications. However, an amendment enabling surveillance of electronic communications sent to or received from abroad was adopted later in 2015, shortly after the Paris attacks, for the purposes of “defending and promoting the fundamental interests of the country.”3 In 2016, the Constitutional Council struck down part of the Intelligence Law related to the monitoring of hertz wave communications, ruling it “disproportionate.”4 Article 15 of the new counterterrorism law of 2017 reintroduced a legal regime for monitoring wireless communications, but limits surveillance to certain devices such as walkie-talkies and does not encompass Wi-Fi networks.5

During the coverage period, an amendment passed as part of a routine military spending bill (the Military Planning Law, or LPM) extended the state’s surveillance capabilities. The amendment, to be implemented from 2019 to 2025, expands access to data collected outside France’s borders by providing domestic antiterrorism investigators with information obtained by the General Directorate for External Security, France's foreign intelligence agency.6 According to Article 37 of the new LPM, it will be possible to "perform within the intercepted connection data spot checks for the sole purpose of detecting a threat to the fundamental interests of the nation, linked to subscription numbers or technical identifiers attributable to French territory and geographical areas.”7 Digital rights groups have criticized this expansion of surveillance that previously only affected French citizens living abroad.8

The LPM covering 2014 to 2019 extended administrative access to user data by enabling designated officials to request such data from ISPs for “national security” reasons, to protect France’s “scientific and economical potential,” and to prevent “terrorism” or “criminality.”9 The Office of the Prime Minister authorizes surveillance, and the National Commission for Security Interception (CNCIS, later renamed the National Intelligence Control Commission, or CNCTR) must be informed within 48 hours in order to approve it.10 Early critics pointed out that the CNCIS lacked appropriate control mechanisms and independence from potential political interference, given that the body was comprised of only three politicians in 2014.11 While the government argued that the law provided an improved legal framework for practices that had been in place for years,12 it finally replied to these criticisms at the end of 2015 by enlarging its composition from three members to nine, making room for judges.13

A law related to the fight against organized crime and terrorism, enacted in 2016, also elicited strong reactions from the public.14 The law notably expanded the range of special investigation methods available to prosecutors and investigating judges, which were previously reserved for intelligence services. These include bugging private locations, using phone eavesdropping devices such as international mobile subscriber identity (IMSI) catchers, and conducting nighttime searches.15 Relatedly, Article 23 of the Law on Guidelines and Programming for the Performance of Internal Security (LOPPSI 2), adopted in 2011, granted the police with the authority to install malware—such as keystroke logging software and Trojan horses—on suspects’ computers in the course of counterterrorism investigations, although a court order must first be obtained.16

The Digital Republic Act adopted in 2016 seeks to enhance individuals’ rights to control the use of their personal data. Companies will face hefty fines if they fail to comply; with the GDPR coming into force in 2018, CNIL will be able to fine a company up to 4 percent of its total worldwide annual turnover for any data protection violations.17

C6 1.00-6.00 pts0-6 pts
Are service providers and other technology companies required to aid the government in monitoring the communications of their users? 3.003 6.006

Service providers are required to aid the government in monitoring their users’ communications under certain circumstances. For instance, they must retain user metadata for use in criminal investigations.1 The 2015 Intelligence Law requires ISPs to install so-called “black boxes,” algorithms that analyze users’ metadata for “suspicious” behavior in real time.2 The first black box was set in 2017.3 Intelligence services released data on the use of three black boxes in 2018, as two additional black boxes were added during the coverage period.4 Related to this increase in surveillance capabilities, 10,562 “security interceptions” were undertaken in 2018—an increase of 20 percent over 2017. Real-time geolocation tracking in the context of individual surveillance for national security purposes increased by 38.4 percent (from 3,751 to 5,191). The number of individuals subject to this surveillance only slightly increased (from 21,386 to 22,038).5

In June 2019, after the coverage period, the Ministry of the Interior proposed a new intelligence law in order to extend the use of black boxes, with the aim of improving automation, prolonging data collection, and taking into account new technologies such as 5G.6

On the other hand, the data protections enshrined in the GDPR are strongly enforced in France. In January 2019, CNIL fined Google a record €50 million ($57 million) for violating the regulation.7

C7 1.00-5.00 pts0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in retribution for their online activities? 4.004 5.005

There were no reported physical attacks against journalists or ordinary users during the coverage period. However, there were several high-profile cases of online harassment.

In February 2019, a group of mostly male journalists were accused of online harassment against women, obese people, and LGBT+ people. Though they carried out harassment campaigns primarily on Twitter, they coordinated their activities in a private Facebook group called the “League of LOL.”1

Notably, online harassment of the LGBT+ community has increased. In January 2019, two associations defending LGBT+ rights filed 213 complaints related to insults, incitements to hatred, and calls to murder LGBT+ users on social networks.2 Also in January 2019, YouTuber and LGBT+ advocate Bilal Hassani filed a lawsuit asserting that he was the victim of a large-scale cyberbullying campaign.3

Furthermore, in April 2019, journalists from the investigative online outlet Disclose were summoned to the DGSI (France’s domestic intelligence agency) after publishing confidential documents about the export of weapons later used by Saudi Arabia and the United Arab Emirates (UAE) in the war in Yemen.4

C8 1.00-3.00 pts0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 2.002 3.003

According to the Global State of Information Security Survey 2018, French business losses related to cyberattacks grew by 50 percent in 2017, with companies losing an average of €2 million. More than 4,550 cybersecurity incidents were recorded by French companies in one year.1 Companies and institutions also frequently experience ransomware attacks, which are sometimes targeted attacks where cybercriminals manually intrude the network and encrypt data; the petroleum company Picoty SA suffered such an attack in May 2019.2 There are also automated infections using ransomware from the black market, which are injected via phishing. A public hospital was infected in this manner in May 2019.3

During the 2017 presidential campaign, Macron’s campaign team announced that they were the “victim of a massive and coordinated hacking attack” after thousands of leaked emails and documents were dumped on the internet in a last minute effort to destabilize the race.4 Macron had previously confirmed being the target of phishing operations by a group of hackers and denounced “interference.”5 Later, an investigation by Le Monde indicated that these cyberattacks were directed by a US neo-Nazi group.6 Observers noted that there was no real police investigation into the leaks.7 Indeed, after Macron was elected, the government did not follow up on the investigation of the origins of this cyberattack.

In June 2019, the government’s tax collection website went down on the last day for fiscal declarations. The National Cybersecurity Agency (ANSSI) is investigating the case and suspects that the attack originated from abroad.8 It was also reported that 2,000 fiscal declarations were altered by hackers.9

On France

See all data, scores & information on this country or territory.

See More
  • Global Freedom Score

    89 100 free
  • Internet Freedom Score

    76 100 free
  • Freedom in the World Status

    Free
  • Networks Restricted

    No
  • Websites Blocked

    No
  • Pro-government Commentators

    No
  • Users Arrested

    No