Centrist Emmanuel Macron has just been elected France's new president in a landslide victory over his nationalist opponent, Marine LePen, but what could that mean for data protection and privacy within France?
Neither candidate said much on the topic in an election marked mostly by a confrontation between liberal centrism and anti-immigrant populism. Now that Macron will be thrust into the seat of power, many will be wondering what will become of the policy area as the new president enters the Élysée Palace.
Macron has already registered his dissatisfaction with EU-US Privacy Shield, which currently governs data flows over the Atlantic. Indeed, France's President-elect has even proposed renegotiation of the data transfer framework, saying that the data protection standard is insufficient to meet European, or at least French, privacy needs.
The embattled Privacy Shield currently faces a barrage of criticism at home and an absentee landlord abroad, with some saying that the US government is not prepared to uphold its side of the deal. Macron's stance would put him in line with the Article 28 Working group who conceived the framework and much of the European parliament who recently voted to label Privacy Shield inadequate.
While Macron certainly may think Privacy Shield inadequate, the EU will have the final say as the framework comes up for review in September.
His calls to bolster the security of French data do not readily gel with some of his earlier statements. Macron all but called for weaker encryption along the campaign trail. In April, he unveiled his five-point plan for combatting terrorism in France. Macron vowed to challenge large internet companies' lock on user data, saying that in an age when terrorism is conceived over social media, such powers are critical for law enforcement
Furthermore, said Macron, terrorist “organisations that threaten us take advantage of the possibilities of modern cryptography to hide their projects. They use strongly encrypted instant messengers to talk with each other and give orders.”
Until now, added Macron, “big Internet companies have refused to give their encryption keys or access to this content, saying that they have told their clients that their communications are protected. This situation is no longer acceptable.”
Macron vowed that if he were elected, he would push for a common European initiative to cooperate on encryption and build a legal requisition system for law enforcement to access personal data critical to national security.
As could be expected, such suggestions are not met warmly by the security community. Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust, told SC Media UK that it's not quite as simple as weakening encryption only for the bad guys: Anyone who believes for a moment that you can provide a backdoor into an encryption protocol or have access to the keys without that access being exposed to a wider audience doesn't understand digital security.”
If access exists, adds Chappell, it will become the target of hackers and cyber-criminals and if “malicious actors believe their comms have been compromised they will simply find another route, driving that traffic underground and making it even harder to detect.”
Another effect of today's result is that French data will not be undergoing a ‘data localisation' policy, promised in LePen's manifesto. LePen's nationalism apparently extended into cyberspace as she proposed storing all French data within France itself.
Given the dispersed nature of data storage and the jurisdictional issues,, it is likely that implementing such a policy would be difficult to realise. It would require companies holding that data to undergo an expensive and cumbersome process of moving what it holds on French citizens into French territory.
Yann Padova, former head of the France's data protection watchdog told Bloomberg BNA that “it is technically possible to do, but it would cost a lot”. With Macron in office, we may never know.