Paris, May 23, 1996:

There is an EC regulation called which applies to all EC countries. This restricts the use of cryptography in the context of weapons of mass destruction, but not for any other purpose. The UK also has an export licensing requirement which is similar in scope. France, on the other hand, has much wider restrictions. The EC regulation is "Dual-Use and Related Goods (Export Control) Regulations" and the UK is "Export of Goods (Control) Order".

Attached is a message containing the pending French legislation, followed by some comments. I hope this is helpful to readers on both sides of the pond.

[Tuesday, 07 May 96 08:30:54 EST, "jean-bernard condat" <condat@atelier.fr> wrote:]

---------------

Art. 12

Article 28 of the Law No. 90-1170 dated December 29, 1990, on telecommunications regulation is hereby amended as follows:

I - Section I is hereby amended as follows:

1) The first paragraph shall be completed by the following phrase: "Secret coding method denotes all materials or programs conceived or modified for the same purpose."

2) The second and third paragraphs are hereby replaced by the following provisions:

"To preserve the interests of national defense and the internal or external security of the State, while permitting the protection of information and the development of secure communications and transactions,

1) the use of a secret coding method or service shall be:

   a) allowed freely:

      - if the secret coding method or service does not allow the assurance of confidentiality, particularly when it can only be used to authenticate a communication or ensure the integrity of the transmitted message;

      - or if the method or the service assures confidentiality and uses only coding conventions managed according to the procedures and by an organization approved under the conditions defined in Section II;

   b) subject to the authorization of the Prime Minister in other cases.

2) the supply, importation from countries not belonging to the European Community, and exportation of secret coding methods as well as services:

   a) shall require the prior authorization of the Prime Minister when they assure confidentiality; the authorization may require the supplier to reveal the identity of the purchaser;

   b) shall require declaration in other cases."

3) A decree sets the conditions under which the declarations are signed and the authorizations approved. This decree provides for:

   a) a simplified system of declaration or authorization for certain types of methods or services or for certain categories of users;

   b) the substitution of the declaration for the authorization, for transactions concerning secret coding methods or services whose technical characteristics or conditions of use, while justifying a certain attention being paid with regard to the aforementioned interests, do not require the prior authorization of these transactions;

   c) the waiver of all prior formalities for transactions concerning secret coding methods or services whose technical characteristics or conditions of use are such that the transactions are not capable of damaging the interests mentioned at the beginning of this paragraph.

II - Section II is hereby replaced by the following provisions:

"II - Organizations responsible for managing, on behalf of others, the coding conventions for secret coding methods or services that allow the assurance of confidentiality must be approved in advance by the Prime Minister. They are obligated to maintain professional confidentiality in the exercise of their approved activities. The approval shall specify the methods and services that they may use or supply. They shall be responsible to preserve the coding conventions that they manage. Within the framework of application of the Law No.
91-646 dated July 10, 1991, concerning the confidentiality of correspondence sent via telecommunications, and within the framework of investigations made under the rubric of Articles 53 et seq. and 75 et seq. of the Code of Criminal Procedure, they must release them to judicial authorities or to qualified authorities, or implement them according to their request. They must exercise their activities on domestic soil. A decree in the Council of State sets the conditions under which these organizations shall be approved, as well as the guarantees which the approval shall require; it specifies the procedures and the technical provisions allowing the enforcement of the obligations indicated above.

III - a) Without prejudice to the application of the Customs Code, the fact of supplying, importing from a country not belonging to the European Community, or exporting, a secret coding method or service, without having obtained the prior authorization mentioned in I or in violation of the conditions of the granted approval, shall be punishable by six months imprisonment and a fine of FF 200,000.

The fact of managing, on behalf of others, the coding conventions for secret coding methods or services that allow the assurance of confidentiality, without having obtained the approval mentioned in II or in violation of the conditions of this approval, shall be punishable by two years imprisonment and a fine of FF 300,000.

The fact of supplying, importing from a country not belonging to the European Community, or exporting, a secret coding method or service, in order to facilitate the preparation or commission of a felony or misdemeanor, shall be punishable by three years imprisonment and a fine of FF 500,000.

The attempt to commit the infractions mentioned in the preceding paragraphs shall be punishable by the same penalties.

b) The natural persons guilty of the infractions mentioned under a) shall incur the complementary penalties provided for in Articles 131-19, 131-21, and 131-27, as well as, either indefinitely or for a period of five years or longer, the penalties provided for in Articles 131-33 and 131-34 of the Criminal Code.

c) Judicial persons may be declared criminally responsible for the infractions defined in the first paragraph under the conditions provided for in Article 121-2 of the Criminal Code. The penalties incurred by judicial persons are:

   1) the fine according to the modalities provided for by Article 131-38 of the Criminal Code;

   2) the penalties mentioned in the Article L. 131-39 of the same code.

The prohibition mentioned in 2) of this article L. 131-39 concerns activities, during the exercise of which, or on the occasion of the exercise of which, the infraction was committed."

III - Section III becomes IV. Its last paragraph is hereby replaced by the following provisions: "The fact of refusing to supply information or documents, or of obstructing the progress of the investigations mentioned in this section IV, shall be punishable by six months imprisonment and a fine of FF 200,000."

IV - Section IV becomes V. After the word "authorizations," the words "and declarations" are hereby inserted.

V - A section VI is hereby added, formulated as follows: "VI - The provisions of this article shall not hinder the application of the Decree dated April 18, 1939, establishing the regulation of war materials, arms, and munitions, to those secret coding methods which are specially conceived or modified to allow or facilitate the use or manufacture of arms."

VI - This article is applicable to overseas territories and to the territorial commonwealth of Mayotte.

Copyright 1996 Steptoe & Johnson LLP

Steptoe & Johnson LLP grants permission for the contents of this publication to be reproduced and distributed in full free of charge, provided that: (i) such reproduction and distribution is limited to educational and professional non-profit use only (and not for advertising or other use); (ii) the reproductions or distributions make no edits or changes in this publication; and (iii) all reproductions and distributions include the name of the author(s) and the copyright notice(s) included in the original publication.

---------------

In trying to analyze the impact of the proposed law, I would note the following:

Section I: Paragraph 1 (a), first bullet, seems to explicitly allow digital signatures, and does not require that the secret keys used for such purposes be escrowed.

Paragraph 1 (a), second bullet, in combination with Section II, strongly hints at a requirement for key escrow. Conceivably, depending on the details of Law No 91-646 dated July 10, 1991 concerning the confidentiality of correspondence sent via telecommunications, the use of short keys that might expose information to unauthorized individuals (a la the IBM masked DES and Lotus Notes solution) might even be prohibited!

Paragraph 1 (b) provides an escape clause for certain favored activities (and/or organizations?). Presumably international standards such as Visa/MasterCard's SET, which apply strong confidentiality to only certain data fields, notably the cardholder's account number, would be permitted under this kind of an exception. Banking transactions and other sensitive information may also be excluded from the key escrow requirement, especially if (since) the Government could subpoena the bank's records directly. This is further borne out by paragraph 3, (a, b, and c).

Paragraph 1 seems to apply to the use of encryption, as opposed to the supply, import, or export. However, unless such use is covered by Law No.
91-646, the proposed amendment does not seem to apply criminal or civil penalties to such use.

Paragraph 2 is interesting, in that it differentiates between "supply" and "importing from countries not belonging to the European community". This may be a technicality of the European Community import/export laws -- perhaps importation from countries within the European Community no longer has any meaning, since such customs barriers were supposed to have been removed. I would interpret "supply" to include the offering for sale, or even distributing for free, such code, even by a French citizen. This would therefore appear to apply to the (re-)distribution of PGP and/or any home-grown French products, as well as any encryption products originating within the EC. If so, this would seem to be more even-handed with respect to imports from the US and elsewhere than might otherwise appear, and may obviate any claim that the law would violate the World Trade Organization's Most Favored Nation agreements. The apparent import preference for EC products simply reflects France's obligation to allow the free flow of goods within the EC.

Paragraph 3 seems to provide for some simplified administrative mechanisms that may be less onerous than a case by case review. In US terms, this may be similar to requesting a commodity jurisdiction from Commerce, rather than having encryption being construed as falling under the ITARs. If so, we should certainly investigate these options. Subparagraphs b and c may apply to the use of relatively short keys, or for transactions of limited scope, e.g., for SET.

Section II defines conditions for establishing and approving escrow agencies. Given the requirement for "professional confidentiality", I would not be at all surprised if the civil law "notaires" didn't jump at the chance to get into this business. The requirement that they exercise their activities on French soil is rather obscure.
The prior language doesn't explicitly say anything about escrow, nor where the escrowed keys must be maintained -- it only talks about the management of coding conventions, and the requirement to comply with the requirements of the Code of Civil Procedure, which presumably requires that they divulge the keys and/or the text of any confidential messages upon demand by a proper authority. But a literal reading of the text would suggest that a standards organization that manages and preserves the coding conventions would have to carry out their activities on French soil, while the escrow repository might be elsewhere.

Section III certainly makes it clear that they are serious about all this. The natural persons who have committed, or even attempted to commit acts in violation of the Act are subject to fines and imprisonment, and I would hazard a guess that the Articles 131-33 and 131-34 would debar them from participating in any future importing or exporting. Corporations (judicial persons) may be held criminally responsible for any infractions caused by their employees, and I would assume that Article 131-39 would also lead to a debarment for future import or export, in exactly the same manner as US export violations would.

Section VI makes the Act applicable to overseas territories, which means that some of the more obscure areas and countries would also be covered, such as French Guiana, etc.

Disclaimer: I am not a French attorney, nor someone who is at all knowledgeable about EC law. The preceding analysis should not be construed as any kind of an official position. Go get your own hired guns if you need advice!