+33 (0) 7 5692 5302

Updated November 7, 2022

One person was arrested for possession of narcotics. While in custody, she refused to give investigators codes to unlock two phones believed to have been used in drug trafficking.

This person, prosecuted before a criminal court, was not sentenced for having refused to give his telephone unlocking codes; she was released.

Passwords and encryption conventions allow the protection of data, and their disclosure imposed by the authorities can endanger individual freedom and democracy but also allow the repression of crime.

The Constitutional Council, on QPC where La Quadrature du Net intervenes, judges that the incrimination of refusal to communicate a password is not contrary to the Constitution.

Article 434-15-2 of the Penal Code, in its wording resulting from the law of June 3, 2016 provides:

"Is punished by three years' imprisonment and a fine of €270,000 the fact, for anyone having knowledge of the secret convention of deciphering a means of cryptology likely to have been used to prepare, facilitate or commit a crime or an offence, to refuse to submit said agreement to the judicial authorities or to implement it, on the requisitions of these authorities issued pursuant to Titles II and III of Book I of the Code of Criminal Procedure. 

"If the refusal is opposed while the delivery or the implementation of the convention would have made it possible to avoid the commission of a crime or an offense or to limit its effects, the penalty is increased to five years of imprisonment and a €450,000 fine.
Article 29 paragraph 1 of the 2004 law for confidence in the digital economy (theoi n° 2004-575 of June 21, 2004 for confidence in the digital economy) provides:

Means of cryptology means any hardware or software designed or modified to transform data, using secret conventions or to perform the opposite operation with or without a secret convention. These cryptology means are mainly aimed at guaranteeing the security of the storage or transmission of data, by making it possible to ensure their confidentiality, their authentication or the control of their integrity.

The Council makes a classic reading of the text, that is to say strict, in application of the principle according to which criminal law is to be interpreted strictly, and deduces from this the constitutionality of the provision (in this case paragraph 1 of the article, the only one concerned).
The prosecution must characterize against the suspected person:
– knowledge of the password or the convention (the person who is required is the one who actually knows the password, and not only the person who is supposed to know, or who could, or should, know…the technical intermediaries as companies relying on their machines to manage and access passwords could justify their refusal by opposing the absence of any natural person (human being) having access to the secret agreement);
– the probability that the means of cryptology has been used for criminal or tortious purposes.
The legal authorities concerned are those which intervene within the framework of the preliminary investigation or of flagrance or the instruction (titles II and III of book I of the code of penal procedure). The request must respond to a formalism (official notification of the consequences of a refusal).
Decision 2018-696 of the Constitutional Council of March 30, 2018.
A simple request for the communication of a password by a police officer investigator therefore does not appear to allow the facts to be qualified. And the refusal to communicate the locking code, a "PIN" (for Personal Identification Number) is not a refusal to communicate an encryption convention. In this sense, moreover, Paris 16 April 2019, n°19/09267.
Conventionality. The Court of Cassation ruled that the offense of refusing to hand over a secret cryptological decryption agreement did not in itself infringe the right to remain silent and not to incriminate oneself arising from Article 6 of the European Convention on human rights (Cas. crime, Dec. 10 2019, No. 18-86.878)
The Court of Cassation indicates that the refusal to deliver the PIN may amount to refusing to deliver the decryption agreement (Crim.13 oct.2020, n°20-80150).
This involves distinguishing between the code allowing access to a terminal (computer, telephone, server, SIM card, etc.) and the key used to decipher the stored or circulating data or metadata.
In some cases the PIN or other secret codes and passwords do not prevent access to data, in others yes, the case law is therefore hesitant (CA Paris 16 April 2019, 18-09.267;  Cas. crim., 13 Oct. 2020, no. 20-80.150; Cas. crim., 13 Oct. 2020, n° 19-85.984).

In its judgment of November 7, 2022, the Court of Cassation, plenary assembly, appeal no. K 2183.146, indicates, in its press release:

A " means of cryptology is intended to render information incomprehensible, in order to secure its storage or transmission. A " secret decryption convention allows the clearing of encrypted information. When a mobile phone is equipped with a " means of cryptology », their home screen unlock code may be a " decryption key » if the activation of this code has the effect of clarifying the encrypted data that the device contains or to which it gives access. Therefore, if a mobile phone with these technical characteristics - as is the case with most mobile phones today - is likely to have been used for the preparation or the commission of a crime or offense, its holder, who will have been informed of the penal consequences of a refusal, is required to give the investigators the unlock code for the home screen. If he refuses to communicate this code, he commits the offense of “refusal to deliver a secret decryption agreement ". Therefore, in this case, the decision of the Court of Appeal is quashed and another Court of Appeal is appointed to retry the case.