Oct
French Lecornu Decree No. 2025-980 — targeted metadata retention for national security. This decree redefines the fine line between lawful traceability and digital sovereignty. This Freemindtronic Chronicle explores its legal and European scope, while showing how the Freemindtronic doctrine — through technologies like DataShielder NFC HSM, DataShielder HSM PGP, and CryptPeer® — remains outside the scope by design, eliminating any traceable metadata. Sovereign cryptology thus provides built-in compliance by design. The Express Summary below outlines the technical implications.
Express Summary — Lecornu Decree No. 2025-980: Metadata and National Security
This summary provides a quick 4-minute read of the French Lecornu Decree No. 2025-980, a cornerstone of France’s digital sovereignty doctrine, explaining its technical and legal implications, and how Freemindtronic’s sovereign cryptology approach provides a compliant alternative.
⮞ In Short
The Lecornu Decree No. 2025-980 mandates digital operators to retain communication metadata — including identifiers, timestamps, protocols, durations, locations, and technical origins — for one year. Objective: allow national authorities to anticipate threats to national security, under the oversight of the Prime Minister and the CNCTR. This measure aligns with the Book VIII of the French Internal Security Code. It does not apply to autonomous cryptographic systems or offline architectures without logging capabilities. Therefore, Freemindtronic’s DataShielder NFC HSM and DataShielder HSM PGP — which transmit, host, or retain no metadata — remain out of scope.
⚙ Key Concept
How to stay compliant without being subject to retention? By designing offline architectures: DataShielder devices perform encryption locally on NFC terminals — no servers, no cloud, no databases. No communication trace exists, and retention is technically impossible. Compliance with GDPR, NIS2, and DORA is thus native — compliance through non-collection.
Interoperability
Fully compatible with any infrastructure, with no network dependency. Certified for use in France under the Official Journal and the Decree No. 2024-95 of February 8, 2024 governing dual-use cryptographic technologies. Supervision by ANSSI. Sovereign architecture: no data enters the Lecornu Decree perimeter.
Reading Parameters
Quick Summary Read Time: ≈ 4 minutes
Advanced Summary: ≈ 9 minutes
Full Chronicle: ≈ 32 minutes
Last Update: October 21, 2025
Complexity Level: Expert / Cryptology & European Law
Legal Density: ≈ 82% Languages: FR · EN
Specialty: Sovereign Analysis — Lecornu Decree, CJEU, GDPR, EviLink™ / SilentX™ Cryptology Doctrine
Reading Order: Summary → Framework → Application → Doctrine → Sovereignty → Sources
Accessibility: Screen reader optimized — anchors, tables & captions included
Editorial Type: Legal Chronicle – Cyberculture & Sovereign Cryptology
Significance Level: 7.2 / 10 — national, European & technological impact
Author: Jacques Gascuel, inventor and founder of Freemindtronic Andorra, expert in HSM security architectures, hybrid cryptology, and digital sovereignty.
Editorial Note — This chronicle will be updated as institutional responses (CNIL, CNCTR, CJEU, ECHR) emerge and as the Lecornu Decree becomes integrated into the European doctrine of sovereign non-traceability. This content is written in accordance with the AI Transparency Statement published by Freemindtronic Andorra — FM-AI-2025-11-SMD5
Advanced Summary — Lecornu Decree No. 2025-980 and Targeted Traceability Doctrine
The Lecornu Decree No. 2025-980, published on October 16, 2025, mandates temporary retention of electronic communication metadata (identifiers, timestamps, protocols, durations, locations, technical origins) for twelve months. It builds on the Internal Security Code — Book VIII and is jointly supervised by the Prime Minister, CNCTR, and CNIL. Grounded in the national security exception recognized by the CJEU (C-511/18, C-512/18, C-746/18) and guided by the ECHR jurisprudence (Big Brother Watch, Centrum för Rättvisa, Ekimdzhiev), it adheres to the principle of proportionality (French Constitutional Council, Decision No. 2021-808 DC). Measures must be time-limited, threat-specific, and independently reviewed. This decree represents a structural milestone in France’s legal framework for digital sovereignty.
Scope and Exemptions
Covered: ISPs, telecom operators, hosting providers, digital platforms, and messaging/collaboration services. Exempt: autonomous offline cryptographic systems. Freemindtronic’s DataShielder NFC HSM and HSM PGP — authorized under Decree No. 2007-663 and supervised by ANSSI — generate no metadata, use no server or cloud, and therefore fall outside the Lecornu perimeter.
European Compatibility and Sovereign Cryptography
The CJEU (Tele2 Sverige AB, Watson, Privacy International) and ECHR require foreseeability, independent oversight, and limited retention. The CNIL emphasizes that preventive retention qualifies as personal data processing under GDPR Article 6, demanding proportionality and purpose limitation. Freemindtronic’s DataShielder embodies native legal resilience: it neither processes nor stores personal data, adhering to privacy by design principles (GDPR Article 25) — minimization, segmentation, immediate destruction.
✪ Key Context — Sébastien Lecornu, French Prime Minister (2025)
Sébastien Lecornu has been serving as Prime Minister of France since July 2025, following his tenure as Minister for the Armed Forces (2022–2025). Known for his strategic focus on national resilience and technological sovereignty, Lecornu spearheaded the Decree No. 2025-980 to reinforce. France’s intelligence capabilities within a legally supervised metadata retention framework. His doctrine seeks to balance national security imperatives with European digital rights, establishing a new era of “controlled traceability under democratic oversight.” The Lecornu Decree is part of a broader governmental effort to modernize France’s cyber and intelligence infrastructure, aligned with the ANSSI national cybersecurity strategy and the Ministry of the Interior’s doctrine on digital sovereignty. Lecornu’s leadership thus represents a key political pivot toward “sovereign compliance by architecture.”
Dec
2025 Cyberculture Cybersecurity Digital Security EviLink
CryptPeer messagerie P2P WebRTC : appels directs chiffrés de bout en bout
Nov
2025 Cyberculture EviLink
P2P WebRTC Secure Messaging — CryptPeer Direct Communication End to End Encryption
Nov
2026 Awards Cyberculture Digital Security Distinction Excellence EviOTP NFC HSM Technology EviPass EviPass NFC HSM technology EviPass Technology finalists PassCypher PassCypher
Quantum-Resistant Passwordless Manager — PassCypher finalist, Intersec Awards 2026 (FIDO-free, RAM-only)
Nov
Nov
2025 Cyberculture Digital Security
Reputation Cyberattacks in Hybrid Conflicts — Anatomy of an Invisible Cyberwar
Jul
Jul
Jun
2025 Cyberculture Legal information
French IT Liability Case: A Landmark in IT Accountability
Jan
2024 Articles Cyberculture Legal information
ANSSI Cryptography Authorization: Complete Declaration Guide
Oct
2021 Cyberculture Digital Security Phishing
Phishing Cyber victims caught between the hammer and the anvil
May
2024 Cyberculture EviSeed SeedNFC HSM
Crypto Regulations Transform Europe’s Market: MiCA Insights
Jun
2024 Articles Cyberculture legal Legal information News
End-to-End Messaging Encryption Regulation – A European Issue
Jun
Articles Contactless passwordless Cyberculture EviOTP NFC HSM Technology EviPass NFC HSM technology multi-factor authentication Passwordless MFA
How to choose the best multi-factor authentication method for your online security
Sep
2024 Cyberculture Digital Security News Training
Andorra National Cyberattack Simulation: A Global First in Cyber Defense
Apr
Articles Cyberculture Digital Security Technical News
Protect Meta Account Identity Theft with EviPass and EviOTP
May
2023 Articles Cyberculture EviCypher NFC HSM News Technologies
Telegram and the Information War in Ukraine
Jan
Articles Cyberculture EviCore NFC HSM Technology EviCypher NFC HSM EviCypher Technology
Communication Vulnerabilities 2023: Avoiding Cyber Threats
Sep
Articles Cyberculture NFC HSM technology Technical News
RSA Encryption: How the Marvin Attack Exposes a 25-Year-Old Flaw
Oct
2023 Articles Cyberculture Digital Security Technical News
Strong Passwords in the Quantum Computing Era
May
2023 Articles Cyberculture EviCore HSM OpenPGP Technology EviCore NFC HSM Browser Extension EviCore NFC HSM Technology Legal information Licences Freemindtronic
Unitary patent system: why some EU countries are not on board
Aug
2024 Crypto Currency Cryptocurrency Cyberculture Legal information
EU Sanctions Cryptocurrency Regulation: A Comprehensive Overview
Mar
2023 Articles Cyberculture Eco-friendly Electronics GreenTech Technologies
The first wood transistor for green electronics
Apr
2024 Cyberculture Legal information
Encrypted messaging: ECHR says no to states that want to spy on them
Feb
Feb
2024 Cyberculture Uncategorized
Chinese cyber espionage: a data leak reveals the secrets of their hackers
Mar
2018 Articles Cyberculture Legal information News
Why does the Freemindtronic hardware wallet comply with the law?
Jun
2023 Articles Cyberculture Technologies
NRE Cost Optimization for Electronics: A Comprehensive Guide
Jun
The articles displayed above ↑ belong to the same editorial section, Cyberculture Category. They deepen the legal, technical, and strategic transformations shaping digital sovereignty. This curated selection extends the analysis initiated in this Chronicle on France’s Lecornu Decree No. 2025-980 and on sovereign cryptology technologies developed by Freemindtronic.
Executive Brief — French Lecornu Decree No. 2025-980 on Metadata Retention
Published in France’s Official Journal on 16 October 2025 (full text on Legifrance), the Decree No. 2025-980 of 15 October 2025 requires digital service operators to retain communication metadata for one year — including user identifiers, protocols, durations, geolocation, and technical origins.
This obligation, overseen by the CNCTR (National Commission for the Control of Intelligence Techniques) and the French Prime Minister, is part of the Book VIII of the French Internal Security Code governing intelligence techniques.
The decree does not apply to autonomous cryptographic systems or offline architectures that process or host no communication data.
This includes Freemindtronic’s DataShielder NFC HSM and DataShielder HSM PGP solutions — local encryption tools with no servers, clouds, or databases — fully compliant with the GDPR, NIS2 Directive, and DORA Regulation.
Legal Overview
| Element | Status After Publication |
|---|---|
| Text | Decree No. 2025-980 of 15 October 2025 — one-year retention of connection data by digital operators, justified by current and serious national security threats. |
| Scope | Electronic communication providers, hosting platforms, digital service operators, and messaging systems. |
| Purpose | Prevention and anticipation of national security threats (Article 1). |
| Retention Period | Up to 12 months. |
| Supervising Authority | Prime Minister; oversight by the CNCTR. |
| Publication | Official Journal (JORF) No. 0242, 16 October 2025 — Text No. 48 (Legifrance). |
Introduction — Lecornu Decree No. 2025-980 and Digital Sovereignty: A Decade of Traceability Legislation
Legal Context — Ten Years of Intelligence Oversight and Targeted Retention
The Lecornu Decree No. 2025-980 continues a legislative framework initiated in 2015 and consolidated through successive statutes:
- 2015 — Intelligence Act No. 2015-912: established a legal regime for intelligence techniques and introduced oversight by the CNCTR.
- 2021 — Constitutional Council Decision No. 2021-808 DC: upheld metadata retention under proportionality and independent supervision conditions.
- 2024 — Adaptation of Book VIII of the Internal Security Code to the NIS2 Directive.
- 2025 — Full decree published on Legifrance: mandates one-year metadata retention.
This decree marks a stabilization of France’s intelligence and traceability framework, applying CJEU case law (La Quadrature du Net) while reaffirming the authority of the Prime Minister and oversight by the CNCTR.
Note: The CNCTR publishes annual activity reports assessing the legality and proportionality of retention measures, available at cnctr.fr.
Timeline — Evolution of Data Retention and Surveillance (2015 → 2025)
This timeline places into perspective the evolution of French and European law on connection and metadata retention:
- 2015 — Intelligence Act: legalized surveillance techniques and created independent oversight by the CNCTR.
- 2016–2018 — CJEU — Tele2 Sverige / Watson: prohibited general and indiscriminate data retention.
- 2021 — Constitutional Council Decision 2021-808 DC: confirmed conditional validity under proportionality safeguards.
- 2022 — Adoption of the NIS2 Directive and the DORA Regulation.
- 2024 — Revision of the Internal Security Code, Book VIII.
- 2025 — Official publication in the Journal Officiel: mandatory one-year metadata retention.
Reading note: each step highlights the growing tension between national security imperatives and the protection of fundamental rights, under joint arbitration by the Constitutional Council, CJEU, and ECHR.
This gradual evolution demonstrates how the Lecornu Decree on Digital Sovereignty fits into a balanced framework between security and information system autonomy.
Before exploring the next contextual segments, it is essential to understand how targeted traceability evolved into a model of sovereign cryptography — where compliance arises natively from system architecture.
Contextual Insights — Lecornu Decree No. 2025-980: From Targeted Traceability to Sovereign Cryptography
This progressive evolution clearly shows that the Lecornu Decree No. 2025-980 reflects a balance between national security and cryptographic autonomy.
By linking legal traceability with the decentralized design of digital systems, France demonstrates how targeted traceability has gradually transformed into sovereign cryptography — a model based on compliance by design.
Political & Legal Context
Since 2015, France has consolidated a framework of supervised and accountable surveillance — the creation of the CNCTR, rulings by the Constitutional Council, and alignment with European directives.
The French Lecornu Decree 2025-980 fits within this legal continuum by making metadata retention targeted, limited, and independently monitored.
Technological Context
In parallel, the evolution of encryption technologies has led to a form of sovereign cryptology: autonomous HSMs, secure local storage, and zero-logging architectures create an offline ecosystem beyond the scope of retention decrees.
This is the foundation of the Freemindtronic doctrine: to secure without surveillance.
Visual Timeline — Ten Years of Traceability Law (2015 → 2025)
- 2015 – Intelligence Act No. 2015-912: legalized intelligence-gathering techniques and created the CNCTR.
- 2016 → 2018 – CJEU – Tele2 Sverige / Watson: prohibition of general and indiscriminate data retention.
- 2021 – Decision No. 2021-808 DC: conditional validation subject to proportionality and independent control.
- 2022 – Adoption of the NIS2 Directive and DORA Regulation: operational resilience across the EU.
- 2024 – Revision of Book VIII of the Internal Security Code: full integration of EU legal principles.
- 2025 – Lecornu Decree No. 2025-980: one-year temporary metadata retention under CNCTR oversight.
Cross-Reading — National Security and Digital Sovereignty under the Lecornu Decree No. 2025-980
The Lecornu Decree represents a fine balance between two strategic dynamics:
- State Logic: anticipating threats through temporary, proportionate, and supervised traceability.
- Sovereign Logic: restoring user confidentiality and autonomy through local and decentralized cryptology.
Thus, targeted traceability becomes a legitimate instrument of public security, while offline autonomous architectures — such as DataShielder NFC HSM and DataShielder HSM PGP — preserve this equilibrium by remaining outside the legal retention perimeter.
Doctrinal Focus — From Retention to Cryptographic Resilience
Between 2015 and 2025, France transitioned from a paradigm of preventive retention to one of legal and technical resilience.
The Lecornu Decree concentrates on proportionality and oversight, while Freemindtronic illustrates the inverse solution: eliminating traceability by design.
This duality defines the future of European digital sovereignty.
Summary — Layered Interpretation of Data Governance
Level 1: national regulation (French Lecornu Decree 2025-980).
Level 2: independent oversight (CNCTR, Council of State).
Level 3: European compliance (CJEU, ECHR, GDPR, NIS2, DORA).
Level 4: sovereign innovation (DataShielder — compliance through absence of data).
This multi-layered doctrinal structure now underpins the EU’s emerging targeted traceability and sovereign cryptography policy.
Lecornu Decree and Digital Sovereignty — Legal Framework, National Security, and Fundamental Freedoms
Published in the Official Journal on 16 October 2025 (full text – Legifrance), the Decree No. 2025-980 of 15 October 2025 requires digital operators to retain specific communication metadata for one year — including identifiers, timestamps, duration, protocol, geolocation, and technical origin.
This measure, justified by the need to prevent and anticipate threats to national security, forms part of Book VIII of the French Internal Security Code, which governs intelligence-gathering techniques. It is under the dual oversight of the Prime Minister and the CNCTR (National Commission for the Control of Intelligence Techniques).
The Lecornu Decree explicitly does not apply to autonomous, offline, and non-communicating cryptographic systems — such as the DataShielder NFC HSM, DataShielder HSM PGP, and SilentX™ HSM PGP solutions, which integrate the EviLink™ HSM PGP technology.
These local, serverless and cloudless encryption systems generate no metadata and operate fully within the compliance perimeter of the EU Regulation 2016/679 (GDPR), NIS2 Directive (EU) 2022/2555, and DORA Regulation (EU) 2022/2554.
Local cryptographic technologies such as DataShielder NFC HSM, DataShielder HSM PGP, and SilentX™ HSM PGP remain outside its scope, as they process and transmit no communication data.
To fully understand the reach of the Lecornu Decree on Digital Sovereignty, one must analyze its legal foundation and the definition of a “communications operator” under the French Electronic Communications Code. This distinction clarifies the separation between network-based infrastructures and sovereign cryptographic devices that are autonomous by design.
Legal Box — Definition of “Electronic Communications Operator” (Article L32 of the French CPCE)
According to
Article L32 of the French Postal and Electronic Communications Code (CPCE),
an “electronic communications operator” is defined as any natural or legal person “operating a network or providing an electronic communications service to the public.”
This definition directly determines the scope of the Lecornu Decree No. 2025-980:
- Covered: Internet service providers (ISPs), telecom operators, hosting providers, platforms, and intermediary services engaged in the transmission or storage of data.
- Excluded: Autonomous offline encryption systems providing no communication service to the public — including DataShielder NFC HSM, DataShielder HSM PGP, and SilentX™ HSM PGP integrating EviLink™ HSM PGP technology.
Analysis:
A local, self-contained, and non-networked encryption device cannot legally be classified as an “operator” under Article L32 of the CPCE. It instead falls under the Decree No. 2007-663 governing cryptographic means, rather than the electronic communications framework. Therefore, the Lecornu Decree is neither applicable nor enforceable to such devices.
In continuity with the Lecornu Decree on Digital Sovereignty, the EviLink™ HSM PGP doctrine demonstrates the operational implementation of sovereign cryptology — rooted in decentralization and non-traceability. Before addressing the decree’s broader legal and technical implications, it is essential to understand how this segmented architecture achieves compliance by design while eliminating any exploitable form of data retention.
EviLink™ HSM PGP Doctrine — Compliance Through Decentralized Sovereignty and Segmented Contextual Encryption
The EviLink™ HSM PGP technology, embedded at the core of the SilentX™ HSM PGP system, implements an innovative model of hybrid decentralized encryption. It combines hardware, software, and contextual factors to form a sovereign cryptographic architecture: keys are segmented, volatile, and impossible to reassemble within the same memory space.
Architecture and Operation
- Self-hosted decentralized server: each instance can be deployed locally or on a private remote relay, fully controlled by the end user.
- Secure remote connection: TLS channels via Let’s Encrypt and/or VPN tunnels. Every instance features a dynamically generated, unique certificate.
- Dynamic IP addressing: variable and non-correlatable allocation prevents persistent tracking.
- Post-transmission volatility: instant deletion of messages and derived keys after reading; no logs, caches, or session files are ever retained.
Segmented AES-256 Encryption Within the Lecornu Digital Sovereignty Decree Framework
EviLink™ HSM PGP is based on segmented AES-256 encryption, where the session key is derived from concatenated, independent segments.
Each segmented key pair is autonomous and a minimum of 256 bits per segment, i.e., ≥ 512 bits before derivation.
Typological Derivation Line
# Concatenation + derivation toward 256-bit key SEED = localStorageKey || server || [optional_trust_factors] || salt || nonce AES256_KEY = HKDF-SHA512(SEED, info="EviLink-HSMPGP", len=32)
Legend: This line shows the typological cryptographic derivation process.
Each segment is concatenated to form a SEED, then derived via HKDF-SHA512 within a named context (“EviLink-HSMPGP”) to produce a 32-byte AES-256 key.
- localStorageKey: randomly generated in memory and exportable in encrypted form for restoration; reusable only after strong authentication and trust policy validation.
- server: temporary segment hosted on the EviLink™ relay (generated server-side, encrypted storage, auto-deleted after session/TTL).
- Optional — Trust factors: contextual elements (e.g., BSSID, userPassphrase, device fingerprints) dynamically added to the concatenation to bind the key to its execution environment.
- salt / nonce: fresh values ensuring derivation uniqueness and resistance to replay or reuse attacks.
A 256- or 512-bit segment stolen in isolation is cryptographically useless: the attacker lacks the concatenation algorithm, derivation parameters, and contextual trust factors.
Reconstructing the required
AES256_KEY for AES-256-CBC/PGP is impossible without the complete set of inputs and derivation logic.The result: an uninterceptable, locally derived encryption system in which data on both sender and receiver sides remains over-encrypted.
Even if one segment (server or local) is compromised, the absence of concatenation logic, trust factors, and salts/nonces makes decryption infeasible.
Legal Status and Compliance
This hybrid architecture fully satisfies security and proportionality standards without falling within the scope of Decree No. 2025-980:
- Decree 2025-980: non-applicable — no exploitable data or metadata are stored.
- Decree 2007-663: classified as dual-use cryptographic product, declarable to ANSSI.
- GDPR (Articles 5 & 25): native compliance — data minimization and privacy by design.
- CJEU & ECHR: respects the La Quadrature du Net and Big Brother Watch rulings — proportionality and immediate destruction.
Comparative Summary
| Element | EviLink™ HSM PGP / SilentX™ Architecture | Applicability of Decree 2025-980 |
|---|---|---|
| Centralized storage | No — user self-hosting | Out of scope |
| Encryption keys | Segmented, exportable in encrypted form, reusable under strict trust conditions | Not individually exploitable |
| Logging | Absent — no persistent logs | Out of scope |
| Network transport | TLS / VPN (Let’s Encrypt) | GDPR / ANSSI compliant |
| Post-read erasure | Instant content destruction | Compliant — CJEU / ECHR |
Compliance relies on the absence of any exploitable storage and the cryptographic non-reconstructibility of keys without full contextual restoration.
By fragmenting keys across hardware, software, and cognitive components, then erasing all traces after use, SilentX™ HSM PGP embodies a sovereign messaging model that remains outside any legal data retention obligation.
This operational doctrine represents compliance through distributed volatility, the foundation of hybrid sovereign cryptology that bridges software, hardware, and cognitive trust factors.
By design, it renders any retention requirement legally and technically inapplicable.
After presenting the cryptographic principles of the EviLink™ HSM PGP Doctrine and its logic of decentralized sovereign compliance, the next section examines how the Lecornu Decree on Digital Sovereignty legally frames such architectures. This transition from the technical to the normative dimension clarifies how French regulation aligns with European principles of proportionality, independent oversight, and fundamental rights protection.
National and European Legal Framework of the Lecornu Decree on Digital Sovereignty — Foundations, Oversight, and Doctrine
The Lecornu Decree No. 2025-980 of 15 October 2025 (Legifrance) extends the framework initiated by the French Intelligence Act No. 2015-912. It authorizes the retention, for a maximum of one year, of technical metadata (identifiers, protocols, durations, locations, and origins of communications) when a serious and current threat to national security exists.
This preventive and non-intrusive measure, which excludes message content, is based on the distinction drawn by the Constitutional Council Decision 2021-808 DC: content remains under judicial authorization, while technical data collection is under administrative oversight by the Prime Minister and the CNCTR (National Commission for the Control of Intelligence Techniques).
2. European Position — CJEU and ECHR
The CJEU confirmed the prohibition of generalized data retention (Tele2 Sverige C-203/15, Privacy International C-623/17), while allowing a targeted derogation in cases of serious and current national security threats (La Quadrature du Net C-511/18, SpaceNet C-746/18). The Lecornu Decree applies this exception precisely — limiting both scope and duration, while ensuring independent oversight.
The ECHR rulings —Big Brother Watch, Centrum för Rättvisa, and Ekimdzhiev — impose strict safeguards: a foreseeable legal basis, independent control, and mandatory data deletion upon expiry. The 2025-980 decree meets all these criteria: clear legal foundation, limited retention period, and CNCTR supervision.
3. GDPR and CNIL Alignment
According to the CNIL, metadata retention qualifies as a personal data processing activity under the GDPR. Even when justified under the national security exemption (Article 2 §2 a), it must comply with the principles of proportionality and data minimization. Authorities remain responsible for ensuring processing security (Article 32 GDPR) and restricting access exclusively to national defense purposes.
4. Comparative Table — Lecornu Decree No. 2025-980 and European Law
| Framework | Requirement | Position of Decree 2025-980 |
|---|---|---|
| French Constitution | Proportionality, CNCTR oversight | ✓ Compliant (Decision 2021-808 DC) |
| CJEU | No generalized retention | ✓ Targeted derogation under serious threat |
| ECHR | Foreseeability, independent review | ✓ CNCTR oversight + limited duration |
| GDPR | Minimization, purpose limitation, security | ~ Partially exempt (Art. 2 §2 a) |
| NIS2 Directive | Resilience and cybersecurity | ✓ Reinforces targeted traceability |
5. DataShielder — Compliance Through Non-Applicability
The DataShielder NFC HSM and DataShielder HSM PGP solutions, developed by Freemindtronic Andorra, operate entirely offline. They use no server, no cloud, and no database; no metadata is ever generated or retained. Consequently, these devices fall outside the scope of Decree 2025-980.
They natively embody privacy by design and data minimization (GDPR Art. 25), while complying with the resilience frameworks of the NIS2 Directive and DORA Regulation. As Decree 2007-663 dual-use cryptographic products, they are approved under ANSSI regulation.
Centralized Architecture DataShielder Offline Architecture ─────────────────────────────── ───────────────────────────────────── Server / Cloud required No server or cloud Identified sessions (UUID) No persistent identifiers Network transmission Local NFC chip encryption Technical logging No logging at all Ex post audit control Legally non-applicable
Their design illustrates compliance through data absence: no logs, no identifiers, and thus no obligation for retention.
6. Perspective — Towards a Balanced Digital Sovereignty
The French Lecornu Decree 2025-980 represents a turning point: it institutionalizes targeted and temporary traceability under independent supervision.
Amid growing global surveillance trends, autonomous cryptographic solutions like DataShielder provide both legal and technical resilience — a sovereignty model grounded in the non-existence of data.
Strategic Outlook — Towards a European Doctrine of Non-Traceability
The Lecornu Decree No. 2025-980 enshrines controlled traceability rather than mass surveillance.
Autonomous cryptographic architectures offer a legally sound model that protects both state security and digital privacy.
A European doctrine of non-traceability could soon emerge as the new standard for digital sovereignty.
In conclusion, the Lecornu Decree on Digital Sovereignty stands as a legal instrument balancing national security with European data protection standards. Its effective interpretation and enforcement now depend on the oversight institutions — courts, regulators, and civil society — tasked with defining the real scope and future of targeted metadata retention within the European legal space.
Following the legal analysis of the Lecornu Decree on Digital Sovereignty, attention now turns to its institutional reception and practical implementation.
This monitoring phase aims to assess how national and European authorities interpret the balance between public security and fundamental rights.
Institutional Reactions and Monitoring — Lecornu Decree No. 2025-980 on Digital Sovereignty
Absence of Official Reaction, but Civil Society Vigilance
As of 20 October 2025, no official statements have yet been issued by the CNIL, CNCTR, or the Constitutional Council regarding Decree No. 2025-980. However, several institutional and civil society actors — including La Quadrature du Net and Privacy International — have reiterated in earlier communications their principled opposition to any form of generalized metadata retention, citing the CJEU Tele2 Sverige and La Quadrature du Net rulings.
Doctrinal Anticipation and European Oversight
At the European level, neither the European Data Protection Board (EDPB) nor the European Commission has yet commented on the decree. Nevertheless, questions surrounding its compatibility with the Charter of Fundamental Rights of the European Union are expected to arise during forthcoming dialogues between France and the Commission.
In France, legal scholars and digital law researchers — notably from Université Paris-Panthéon-Assas, the Institut Montaigne, and the Observatoire de la Souveraineté Numérique — already view the decree as a transitional measure pending European harmonization. Its effective reach will depend on proportionality reviews by the Conseil d’État.
In summary: the Lecornu Decree on Digital Sovereignty has not yet triggered formal legal challenges, but it is likely to become a test case before the CJEU or ECHR, following the trajectory of the 2015 and 2021 intelligence laws. Freemindtronic Andorra maintains continuous monitoring of publications from the CNIL, CNCTR, and European courts to anticipate any doctrinal developments.
While institutional monitoring captures early reactions to the Lecornu Decree, the doctrinal analysis now highlights areas of uncertainty that shape its interpretation — between legal theory, technical constraints, and European digital sovereignty. These open questions require in-depth reading to anticipate future adjustments to the legal framework.
Interpretation Zones, Doctrinal Debates, and Ongoing Monitoring — Lecornu Decree No. 2025-980
Although the Lecornu Decree No. 2025-980 establishes a targeted retention framework, some aspects remain legally and technically open — particularly the precise scope of the term digital operator, the limits of proportionality, and the articulation between national security and undamental rights.
Zone 1 — Definition of “Operator”
The decree’s scope remains ambiguous: should it cover hybrid services (collaborative hosting, federated protocols, private clouds)?
The Conseil d’État will likely have to rule in the event of litigation, especially concerning self-hosted or decentralized infrastructures.
Zone 2 — Temporal Proportionality
The uniform one-year retention period could be deemed excessive for certain services.
The CJEU (SpaceNet C-746/18) and La Quadrature du Net C-511/18 confirmed that data retention must be strictly limited to serious and current threats.
Zone 3 — GDPR and National Security Interface
Although Article 2 §2(a) of the GDPR excludes state activities, the
CNIL advocates for minimum transparency and oversight safeguards.
The principle of “equivalent guarantees” remains to be clarified at the European level.
Zone 4 — Data Transfers and Extraterritoriality
Retention of metadata by non-EU services (e.g., TikTok, Telegram, WeChat) raises questions of territorial jurisdiction and effective CNCTR supervision.
This issue may eventually reach the CJEU or ECHR in future proceedings.
Doctrinal Analysis
The decree’s practical reach will depend on its enforcement and future challenges.
Legal experts already anticipate a potential “QPC 2026” (priority constitutional question) regarding the uniform retention period and
its compatibility with the Charter of Fundamental Rights of the European Union.
The Conseil d’État will play a decisive role in maintaining a lasting equilibrium between public safety and digital privacy.
Institutional Monitoring — CNCTR, CNIL, and European Jurisdictions
As of October 20, 2025, no formal institutional opinion has been published on Decree No. 2025-980. However, several bodies and NGOs are preparing their analyses:
- CNCTR: 2025 annual report expected (section “Data Retention”).
- CNIL: forthcoming opinion on proportionality and data security obligations.
- CJEU / ECHR: possible preliminary rulings on the interpretation of “serious and current threat.”
- NGOs: La Quadrature du Net and Privacy International actively monitoring the decree’s implementation perimeter.
Freemindtronic Monitoring
Freemindtronic Andorra maintains continuous watch over publications from the CNCTR, CNIL, and European courts.
The DataShielder NFC HSM, DataShielder HSM PGP, and SilentX™ HSM PGP devices remain outside the scope of the decree — since no data is retained, compliance is achieved by design, independent of future regulatory changes.
These interpretive zones illustrate the complexity of maintaining a delicate balance between national security, European compliance, and technical sovereignty. In this evolving legal environment, the next analysis explores the operational scope of the Lecornu Decree and its concrete impact on infrastructures, messaging systems, and digital services — revealing how retention obligations apply (or not) across categories of actors, and how technical sovereignty and compliance by design provide a natural exemption pathway for decentralized and offline architectures.
Practical Application — Scope of the Lecornu Decree No. 2025-980 on Messaging, Email, Platforms (Hosts) and Infrastructure
The French Lecornu Decree No. 2025-980 mandates one-year retention of specific metadata by (i) electronic communications operators and (ii) the persons referenced in Article 6(I)(1°–2°) of the LCEN (access providers and hosts). Applicability depends on the service’s nature, technical architecture and territorial nexus.
Legend & Legal Scope
Decree status: 🟢 Not covered · 🟠 Partially covered · ✅ In scope GDPR/CJEU (editorial): 🛡️ Strong · ⚠ Watchpoints · 🔴 Notable risk
XL Matrix — Services & legal exposure
| Category | Service | Legal role | Decree status | GDPR/CJEU | E2E default | HQ (ISO) | HQ Flag | Hosting (ISO/regions) | Hosting Flags | Metadata held (typical) | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| A – Public messaging | Messenger (Facebook) | Host | ✅ | ⚠ | Optional | US | 🇺🇸 | US, IE/EU, global CDN | 🇺🇸/🇮🇪/🇪🇺 | Accounts/IDs | Transfers possible (SCCs) |
| A – Public messaging | Messenger Kids | Host | ✅ | ⚠ | No | US | 🇺🇸 | US, IE/EU | 🇺🇸/🇮🇪/🇪🇺 | Accounts/IDs (guardian-managed) | Child-directed policies apply |
| A – Public messaging | Instagram DM | Host | ✅ | ⚠ | Optional | US | 🇺🇸 | US, IE/EU | 🇺🇸/🇮🇪/🇪🇺 | IDs/device/IP/timestamps | Meta ecosystem |
| A – Public messaging | Threads DMs | Host | 🟠 | ⚠ | Optional | US | 🇺🇸 | US, IE/EU | 🇺🇸/🇮🇪/🇪🇺 | IDs/device/IP/timestamps | Interoperates with Instagram account |
| A – Public messaging | Snapchat | Host | ✅ | ⚠ | Optional | US | 🇺🇸 | US/EU mix | 🇺🇸/🇪🇺 | IDs/device/IP/timestamps | Ephemeral UX; backups/logs may exist |
| A – Public messaging | Host | 🟠 | 🔴 | No | CN | 🇨🇳 | CN + global | 🇨🇳/🌐 | Account/contacts/IP/timestamps | Non-EU jurisdiction core | |
| A – Public messaging | LINE | Host | 🟠 | ⚠ | Optional | JP | 🇯🇵 | JP/TW/TH + EU | 🇯🇵/🇪🇺 | IDs/IP/timestamps | Regional DCs vary by market |
| A – Public messaging | Viber | Host | 🟠 | ⚠ | Optional | JP | 🇯🇵 | EU + global | 🇪🇺/🌐 | IDs/IP/timestamps | Rakuten group |
| A – Public messaging | KakaoTalk | Host | 🟠 | ⚠ | Optional | KR | 🇰🇷 | KR + global | 🇰🇷/🌐 | IDs/IP/timestamps | Regional constraints apply |
| A – Public messaging | Threema | Host | 🟠 | 🛡️ | Yes | CH | 🇨🇭 | EU/CH focus | 🇪🇺/🇨🇭 | Minimal (IDs/timestamps) | Privacy-by-design |
| A – Public messaging | Wire (consumer) | Host | 🟠 | 🛡️ | Yes | CH | 🇨🇭 | EU (DE/IE) mainly | 🇩🇪/🇮🇪 | Minimal (IDs/timestamps) | End-to-end by default |
| A – Public messaging | Wickr (consumer) | Host | 🟠 | ⚠ | Yes | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | Minimal (IDs/timestamps) | Service changes over time |
| A – Public messaging | Telegram | Host | 🟠 | 🔴 | Optional (Secret Chats) | AE (core ops)/VG | 🇦🇪 | EU + non-EU | 🇪🇺/🌐 | IDs/contacts/IP/timestamps | Hybrid hosting; non-EU jurisdiction core |
| A – Public messaging | Host | ✅ | ⚠ | Yes (chats) | US | 🇺🇸 | IE/EU + global | 🇮🇪/🇪🇺/🌐 | Account/device/IP/timestamps | Meta DPA/Transfers | |
| A – Public messaging | Signal | Host | 🟠 | 🛡️ | Yes | US (org)/EU mirrors | 🇺🇸 | EU/US mix (varies) | 🇪🇺/🇺🇸 | Minimal (technical IDs/timestamps) | Exposure depends on data actually held |
| A – Public messaging | Olvid | Host | 🟠 | 🛡️ | Yes | FR | 🇫🇷 | FR/EU | 🇫🇷/🇪🇺 | Extremely minimized | Depends on connection data under control |
| A – Public messaging | iMessage | Host | ✅ | ⚠ | Yes (messages) | US | 🇺🇸 | US/EU Apple + iCloud | 🇺🇸/🇪🇺 | Apple IDs/device/IP/timestamps | E2EE limits with cloud backups |
| B – Workplace/collab | Discord | Host | 🟠 | ⚠ | No (DMs) | US | 🇺🇸 | US/EU mix | 🇺🇸/🇪🇺 | IDs/servers/IP/timestamps | Indexing/log policies vary |
| B – Workplace/collab | Skype | Host | 🟠 | ⚠ | Optional | US | 🇺🇸 | EU/US (Microsoft) | 🇪🇺/🇺🇸 | IDs/call metadata | Legacy + Teams ecosystem |
| B – Workplace/collab | Zoom Chat | Host | ✅ | ⚠ | No (chat only) | US | 🇺🇸 | US/EU selectable | 🇺🇸/🇪🇺 | IDs/device/IP/timestamps | DPA & regional routing options |
| B – Workplace/collab | Google Chat | Host | ✅ | ⚠ | No | US | 🇺🇸 | EU/US (data regions) | 🇪🇺/🇺🇸 | IDs/device/IP/timestamps | Google Workspace DPA |
| B – Workplace/collab | Microsoft Teams | Host | ✅ | ⚠ | No | US | 🇺🇸 | EU/US (M365) | 🇪🇺/🇺🇸 | IDs/tenant logs | EU DPA; geo options |
| B – Workplace/collab | Slack | Host | ✅ | 🔴 | No | US | 🇺🇸 | US/EU (Enterprise Grid options) | 🇺🇸/🇪🇺 | IDs/workspace logs | SCCs; transfers to US |
| B – Workplace/collab | Mattermost | Host (per instance) | 🟠 | 🛡️ | Optional | US | 🇺🇸 | Self-host (varies) | 🏠 | Server/admin-defined | Instance-specific exposure |
| B – Workplace/collab | Rocket.Chat | Host (per instance) | 🟠 | 🛡️ | Optional | BR | 🇧🇷 | Self-host (varies) | 🏠 | Server/admin-defined | Instance-specific exposure |
| B – Workplace/collab | Zulip | Host (per instance) | 🟠 | 🛡️ | Optional | US | 🇺🇸 | Self-host (varies) | 🏠 | Server/admin-defined | Instance-specific exposure |
| B – Workplace/collab | Element One (Matrix) | Host | 🟠 | 🛡️ | Optional | UK | 🇬🇧 | EU/UK | 🇪🇺/🇬🇧 | Server logs/IDs per policy | Depends on homeserver |
| B – Workplace/collab | Wire Pro (business) | Host | 🟠 | 🛡️ | Yes | CH | 🇨🇭 | EU (DE/IE) mainly | 🇩🇪/🇮🇪 | Minimal (IDs/timestamps) | Enterprise controls |
| B – Workplace/collab | Wickr Gov | Host | 🟠 | ⚠ | Yes | US | 🇺🇸 | US Gov clouds | 🇺🇸 | Minimal (IDs/timestamps) | Government/compliance focus |
| B – Workplace/collab | Threema Work | Host | 🟠 | 🛡️ | Yes | CH | 🇨🇭 | EU/CH | 🇪🇺/🇨🇭 | Minimal (IDs/timestamps) | Enterprise variant |
| B – Workplace/collab (text-only sovereign) | CryptPeer® Text (HSM PGP) | Local tool / P2P | 🟢 | 🛡️ | N/A | AD | 🇦🇩 | Device-local | 📱 | No host-held data | Out of scope as a tool; network layers still in scope — HQ: Andorra (🇦🇩) |
| B – Workplace/collab (sovereign) | CryptPeer® HSM PGP | Local tool / P2P | 🟢 | 🛡️ | N/A | AD | 🇦🇩 | Device-local | 📱 | No host-held data | Offline hardware crypto — HQ: Andorra (🇦🇩) |
| B – Workplace/collab (sovereign) | em609™ (text-only) | Local tool / P2P | 🟢 | 🛡️ | N/A | AE (client deployment) | 🇦🇪 | Device-local | 📱 | No host-held data | Developed by Freemindtronic for a Dubai-based company |
| C – Email services | Gmail / Outlook | Host | ✅ | 🔴 | No | US | 🇺🇸 | Global/EU | 🌐/🇪🇺 | Indexed content + metadata | Extra-EU transfers |
| C – Email services | Tutanota / Proton | Host | 🟠 | 🛡️ | Yes | DE/CH | 🇩🇪/🇨🇭 | EU/CH | 🇪🇺/🇨🇭 | Minimization | Privacy-first |
| C – Email services | iCloud Mail | Host | ✅ | ⚠ | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | Apple IDs/IP/timestamps | Contractual safeguards |
| C – Email services | Yahoo Mail | Host | ✅ | 🔴 | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | Indexed content + metadata | Transfers to US |
| C – Email services | Fastmail | Host | ✅ | ⚠ | No | AU | 🇦🇺 | AU/EU | 🇦🇺/🇪🇺 | Mail metadata/logs | Privacy forward |
| C – Email services | Posteo | Host | 🟠 | 🛡️ | No | DE | 🇩🇪 | DE/EU | 🇩🇪/🇪🇺 | Minimization | Privacy-first |
| C – Email services | Mailbox.org | Host | 🟠 | 🛡️ | No | DE | 🇩🇪 | DE/EU | 🇩🇪/🇪🇺 | Minimization | Privacy-first |
| C – Email services | Hey by Basecamp | Host | ✅ | ⚠ | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | Mail metadata/logs | US provider |
| C – Email services | Zoho Mail | Host | ✅ | ⚠ | No | IN | 🇮🇳 | IN/EU/US | 🇮🇳/🇪🇺/🇺🇸 | Mail metadata/logs | EU data center options |
| D – Infrastructure & transport | ISPs / Telecoms | Network operator | ✅ | ⚠ | N/A | Varies | 🌐 | National/EU | 🇪🇺 | Traffic/location categories per CPCE R.10-13(V) | Proportionality controls |
| D – Infrastructure & transport | EU Cloud Providers | Host | ✅ | ⚠ | N/A | EU | 🇪🇺 | EU regions | 🇪🇺 | Logging + access logs | NIS2/DORA interplay |
| D – Infrastructure & transport | DNS / CDN operators | Routing provider | 🟠 | 🔴 | N/A | Varies | 🌐 | Global | 🌐 | Systemic profiling risk | Third-party dependence |
| A – Public messaging | X (Twitter) DMs | Host | ✅ | ⚠ | No | US | 🇺🇸 | US/EU mix | 🇺🇸/🇪🇺 | IDs/device/IP/timestamps | Policies evolving |
| A – Public messaging | TikTok DMs | Host | ✅ | 🔴 | No | CN | 🇨🇳 | Global incl. EU | 🌐/🇪🇺 | IDs/device/IP/timestamps | Non-EU core + profiling risk |
| A – Public messaging | Reddit Chat | Host | ✅ | ⚠ | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | Account/IDs/IP/timestamps | Community platform |
| A – Public messaging | Twitch Whispers | Host | ✅ | ⚠ | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | Account/IDs/IP/timestamps | Amazon group |
| A – Public messaging | Mastodon DMs | Host (per instance) | 🟠 | 🛡️ | Optional | Varies | 🌐 | Self-host (varies) | 🏠 | Server/admin-defined | Federated; instance-dependent |
| A – Public messaging | Bluesky DMs | Host | 🟠 | ⚠ | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | IDs/device/IP/timestamps | AT Protocol; evolving |
| A – Open/decentralized | XMPP/Jabber (ejabberd/Prosody) | Host (per server) | 🟠 | 🛡️ | Optional | Varies | 🌐 | Self-host (varies) | 🏠 | Server/admin-defined | Exposure per operator |
| A – Open/decentralized | IRC networks (Libera/OFTC) | Host | 🟠 | ⚠ | No | Varies | 🌐 | Distributed | 🌐 | Limited logs vary by network | Heterogeneous policies |
| A – Open/decentralized | Delta Chat (IMAP/SMTP) | Depends on email host | 🟠 | ⚠ | Optional | Varies | 🌐 | Depends on mailbox host | 🌐 | Mail host metadata applies | Chat over email |
| A – Open/decentralized | Briar | P2P/Local tool | 🟢 | 🛡️ | Yes (over Tor) | AT | 🇦🇹 | Device-local | 📱 | No host-held data | Serverless/mesh/Tor |
| A – Open/decentralized | Session | Decentralized (LLARP/Oxen) | 🟠 | ⚠ | Yes | Varies | 🌐 | Distributed service nodes | 🌐 | Minimal/relay metadata | Mixed jurisdictions |
| A – Open/decentralized | Jami (ex-Ring) | P2P/Local tool | 🟢 | 🛡️ | Yes | CA/FR | 🇨🇦/🇫🇷 | Device-local | 📱 | No host-held data | Serverless |
| A – Open/decentralized | Tox | P2P/Local tool | 🟢 | 🛡️ | Yes | Varies | 🌐 | Device-local | 📱 | No host-held data | Distributed DHT |
| A – Open/decentralized | Ricochet | Onion-routed P2P | 🟢 | 🛡️ | Yes | Varies | 🌐 | Device-local (Tor) | 📱 | No host-held data | Hidden-service IDs |
| A – Open/decentralized | SimpleX Chat | P2P/relays | 🟢/🟠 | 🛡️ | Yes | Varies | 🌐 | Private relays (optional) | 🌐 | Minimal relay metadata | Serverless paradigm |
| B – Workplace/collab | Cisco Webex App (messaging) | Host | ✅ | ⚠ | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | IDs/device/IP/timestamps | Enterprise DPA |
| B – Workplace/collab | Cisco Jabber | Host | 🟠/✅ | ⚠ | Optional | US | 🇺🇸 | On-prem/Cloud | 🏠/🌐 | Server/admin-defined | Depends on deployment |
| B – Workplace/collab | Workplace Chat (Meta) | Host | ✅ | 🔴 | No | US | 🇺🇸 | US/EU | 🇺🇸/🇪🇺 | IDs/workspace logs | Transfers to US |
| B – Workplace/collab | Symphony | Host | ✅ | ⚠ | Yes | US | 🇺🇸 | EU/US | 🇪🇺/🇺🇸 | Regulated archives | Finance compliance |
| B – Workplace/collab | Bloomberg IB Chat | Host | ✅ | ⚠ | No | US | 🇺🇸 | EU/US | 🇪🇺/🇺🇸 | Trade/comm logs | Finance sector |
| B – Workplace/collab | Refinitiv Messenger | Host | ✅ | ⚠ | No | UK | 🇬🇧 | EU/UK | 🇪🇺/🇬🇧 | IDs/session logs | Finance sector |
| B – Workplace/collab | Mattermost Cloud | Host | ✅ | ⚠ | Optional | US | 🇺🇸 | EU/US (regions) | 🇪🇺/🇺🇸 | IDs/workspace logs | Managed SaaS |
| B – Workplace/collab | Rocket.Chat Cloud | Host | ✅ | ⚠ | Optional | BR | 🇧🇷 | EU/US (regions) | 🇪🇺/🇺🇸 | IDs/workspace logs | Managed SaaS |
| B – Workplace/collab | Zulip Cloud | Host | ✅ | ⚠ | Optional | US | 🇺🇸 | EU/US (regions) | 🇪🇺/🇺🇸 | IDs/workspace logs | Managed SaaS |
| B – Workplace/collab | Zoho Cliq | Host | ✅ | ⚠ | No | IN | 🇮🇳 | IN/EU/US | 🇮🇳/🇪🇺/🇺🇸 | IDs/device/IP/timestamps | Zoho EU options |
| F – Infra (annex) | Cloudflare (DNS/CDN/Workers) | Routing/host | 🟠 | 🔴 | N/A | US | 🇺🇸 | Global | 🌐 | Systemic profiling risk | Third-party dependence |
| F – Infra (annex) | Akamai | CDN | 🟠 | 🔴 | N/A | US | 🇺🇸 | Global | 🌐 | Systemic profiling risk | Third-party dependence |
| F – Infra (annex) | Fastly | CDN | 🟠 | 🔴 | N/A | US | 🇺🇸 | Global | 🌐 | Systemic profiling risk | Third-party dependence |
| F – Infra (annex) | Public DNS (1.1.1.1/8.8.8.8/9.9.9.9) | DNS resolver | 🟠 | ⚠ | N/A | Varies | 🌐 | Global | 🌐 | Resolver logs policies vary | Privacy claims differ |
| F – Infra (annex) | Apple Push (APNs) | Push/notifications | 🟠 | ⚠ | N/A | US | 🇺🇸 | Global | 🌐 | Notification routing metadata | Device ecosystem |
| F – Infra (annex) | Google FCM | Push/notifications | 🟠 | ⚠ | N/A | US | 🇺🇸 | Global | 🌐 | Notification routing metadata | Android ecosystem |
| Scope note: Classification is indicative; depends on instance, hosting, and metadata actually held. Icons: 🟢 Not covered · 🟠 Partially covered · ✅ In scope | 🛡️ Strong · ⚠ Watchpoints · 🔴 Notable risk. Last verified: 2025-11-09 (CET). | |||||||||||
E. Social platforms — integrated messengers
| Service | Type | Decree status | GDPR/CJEU compatibility |
|---|---|---|---|
| LinkedIn Messages | Social platform / Cloud | ✅ | ⚠ Transfers under DPA/SCC; extensive metadata |
| Facebook Messenger | Social platform / Cloud | ✅ | 🔴 Marketing profiling; extra-EU transfers |
| Instagram Direct | Social platform / Cloud | ✅ | 🔴 Behavioral data; extra-EU transfers |
| X (ex-Twitter) DM | Social platform / Cloud | ✅ | 🔴 Hosting/processing outside the EU; logging |
| TikTok Messages | Social platform / Cloud | ✅ | 🔴 Governance and extra-EU transfers; profiling risks |
Operational summary
1️⃣ Electronic communications operators and LCEN Art. 6 I (1°–2°) actors (ISPs and hosting providers) are directly targeted (one-year retention) — see
Decree 2025-980 and
LCEN Art. 6.
2️⃣ Social platforms — integrated messengers (LinkedIn Messages, Facebook Messenger, Instagram Direct, X DM, TikTok Messages): directly targeted (✅) as online public communication services with hosting and metadata under the platform’s control (GDPR watchpoints: DPA/SCC, extra-EU transfers, profiling/marketing).
3️⃣ E2E-encrypted or highly minimising messengers (Signal, Olvid, Proton) show variable exposure (🟠) depending on territorial nexus and metadata actually held (no obligation to create data).
4️⃣ Sovereign offline tools/devices (DataShielder, CryptPeer® PGP, em609™) are out of scope as tools: no data, thus no retention — however, the underlying network layers remain subject to the decree.
5️⃣ Lists of targeted data:
CPCE R.10-13 V (traffic & location — operators) and
Decree 2021-1362 (identification data — hosts).
6️⃣ Judicial validation of the one-year “injunction” mechanism for national security:
Conseil d’État, 30 June 2023.
International Comparison — Organizations and Converging Jurisprudence
Across jurisdictions, civil society organizations have successfully challenged mass surveillance, unlawful data retention, and opaque intelligence practices. These legal victories have shaped global privacy standards and reinforced the legitimacy of encryption, metadata minimization, and sovereign digital infrastructures.
These converging jurisprudences validate the principle of “compliance through absence of data,” now central to sovereign technologies like SilentX™ HSM PGP and DataShielder™.
| Organization | Country | Notable Legal Outcome |
|---|---|---|
Privacy International |
United Kingdom | In 2021, the European Court of Human Rights ruled against GCHQ’s mass surveillance in Big Brother Watch v. UK.
ECHR – Big Brother Watch v. UK Reinforced proportionality and transparency in intelligence data collection. |
Electronic Frontier Foundation (EFF) |
United States | EFF challenged warrantless data collection under the Patriot Act, contributing to its partial repeal.
EFF – NSA Spying & Patriot Act Advocates for end-to-end encryption and public oversight of surveillance programs. |
Digital Rights Ireland |
Ireland | In case C-293/12, the CJEU invalidated the Data Retention Directive (2006/24/EC).
CJEU – C-293/12 Digital Rights Ireland Established metadata minimization as a legal standard across the EU. |
NOYB – European Center for Digital Rights |
Austria | Led the Schrems I and Schrems II cases, invalidating Safe Harbor and Privacy Shield.
NOYB – Schrems II & Privacy Shield Redefined transatlantic data transfers and reinforced EU data sovereignty. |
Bits of Freedom |
Netherlands | Filed constitutional challenges against Dutch surveillance laws.
Bits of Freedom – Mass Surveillance Cases Promotes citizen control and non-traceable digital infrastructures. |
Access Now |
Global | Advocated before the UN and regional courts for encryption as a human right.
Access Now – Why Encryption Matters Opposes biometric surveillance and anti-encryption legislation worldwide. |
Fundación Datos Protegidos |
Chile | Secured constitutional rulings against unlawful surveillance and non-consensual data collection.
Datos Protegidos – Official Site Contributes to cybersecurity law reform in Latin America. |
Panoptykon Foundation |
Poland | Challenged algorithmic profiling and social scoring systems.
Panoptykon – Surveillance & AI Influences EU policy on AI governance and digital autonomy. |
APC – Association for Progressive Communications |
South Africa / Global South | Filed complaints before the African Commission on Human Rights regarding digital surveillance.
APC – African Commission Resolution Defends digital rights in emerging democracies and fragile states. |
Frënn vun der Ënn |
Luxembourg | Won a Council of State ruling limiting metadata retention in public services.
Frënn vun der Ënn – Official Site Promotes administrative transparency and sovereign data protection. |
Shared Legal Themes and Strategic Impact
- Challenging indiscriminate surveillance and blanket data retention laws.
- Defending end-to-end encryption and metadata-free architectures.
- Promoting digital sovereignty and individual control over personal data.
- Leveraging strategic litigation before the CJEU, ECHR, UN, and national courts.
Sovereign technologies like SilentX™ HSM PGP and DataShielder™ offer a technical response aligned with these international standards.
International Comparison — Organizations and Converging Jurisprudence
Across jurisdictions, civil society organizations have successfully challenged mass surveillance, unlawful data retention, and opaque intelligence practices. These legal victories have shaped global privacy standards and reinforced the legitimacy of encryption, metadata minimization, and sovereign digital infrastructures.
These converging jurisprudences validate the principle of “compliance through absence of data,” now central to sovereign technologies like SilentX™ HSM PGP and DataShielder™.
| Organization | Country | Notable Legal Outcome |
|---|---|---|
Privacy International |
United Kingdom | In 2021, the European Court of Human Rights ruled against GCHQ’s mass surveillance in Big Brother Watch v. UK.
ECHR – Big Brother Watch v. UK Reinforced proportionality and transparency in intelligence data collection. |
Electronic Frontier Foundation (EFF) |
United States | EFF challenged warrantless data collection under the Patriot Act, contributing to its partial repeal.
EFF – NSA Spying & Patriot Act Advocates for end-to-end encryption and public oversight of surveillance programs. |
Digital Rights Ireland |
Ireland | In case C-293/12, the CJEU invalidated the Data Retention Directive (2006/24/EC).
CJEU – C-293/12 Digital Rights Ireland Established metadata minimization as a legal standard across the EU. |
NOYB – European Center for Digital Rights |
Austria | Led the Schrems I and Schrems II cases, invalidating Safe Harbor and Privacy Shield.
NOYB – Schrems II & Privacy Shield Redefined transatlantic data transfers and reinforced EU data sovereignty. |
Bits of Freedom |
Netherlands | Filed constitutional challenges against Dutch surveillance laws.
Bits of Freedom – Mass Surveillance Cases Promotes citizen control and non-traceable digital infrastructures. |
Access Now |
Global | Advocated before the UN and regional courts for encryption as a human right.
Access Now – Why Encryption Matters Opposes biometric surveillance and anti-encryption legislation worldwide. |
Fundación Datos Protegidos |
Chile | Secured constitutional rulings against unlawful surveillance and non-consensual data collection.
Datos Protegidos – Official Site Contributes to cybersecurity law reform in Latin America. |
Panoptykon Foundation |
Poland | Challenged algorithmic profiling and social scoring systems.
Panoptykon – Surveillance & AI Influences EU policy on AI governance and digital autonomy. |
APC – Association for Progressive Communications |
South Africa / Global South | Filed complaints before the African Commission on Human Rights regarding digital surveillance.
APC – African Commission Resolution Defends digital rights in emerging democracies and fragile states. |
Frënn vun der Ënn |
Luxembourg | Won a Council of State ruling limiting metadata retention in public services.
Frënn vun der Ënn – Official Site Promotes administrative transparency and sovereign data protection. |
Shared Legal Themes and Strategic Impact
- Challenging indiscriminate surveillance and blanket data retention laws.
- Defending end-to-end encryption and metadata-free architectures.
- Promoting digital sovereignty and individual control over personal data.
- Leveraging strategic litigation before the CJEU, ECHR, UN, and national courts.
Sovereign technologies like SilentX™ HSM PGP and DataShielder™ offer a technical response aligned with these international standards.
International Comparative Context of the French Lecornu Decree 2025-980
The French Lecornu Decree 2025-980 is part of a global movement to reassert digital sovereignty and national control over data flows.
Several countries have adopted comparable frameworks, balancing national security, proportionality, and privacy protection.
Approaches differ depending on constitutional structures and available judicial safeguards.
- 🇺🇸 United States — Patriot Act (2001), later Freedom Act (2015): allows targeted retention under supervision of the FISA Court.
Bulk collection curtailed after the 2015 USA Freedom Act ruling. - 🇬🇧 United Kingdom — Investigatory Powers Act (2016): extensive retention and access regime, criticized by the ECHR (Big Brother Watch, 2021) for insufficient independent oversight.
- 🇩🇪 Germany — Bundesdatenschutzgesetz: highly restricted retention, partially invalidated by the CJEU in SpaceNet C-793/19 for breaching temporal and geographic proportionality.
- 🇪🇸 Spain — Ley Orgánica 7/2021 on data processing for law enforcement: temporary retention permitted under the supervision of the Data Protection and Transparency Council.
- 🇵🇱 Poland — Telecommunications Law: mandatory 12-month retention, criticized by the CJEU (Case C-140/20) for lack of prior judicial review.
- 🇨🇦 Canada — Communications Security Establishment Act (2019): allows targeted collection and retention, supervised by the National Security and Intelligence Review Agency (NSIRA).
- 🇦🇺 Australia — Assistance and Access Act (2018): obliges operators to provide technical access without generalized retention, under specific judicial orders.
- 🇰🇷 South Korea — Communications Secrets Protection Act: permits one-year retention for national security or severe cybercrime cases, under PIPC supervision.
Retention Duration / Independent Oversight
- United States: 6 months / FISA Court review
- United Kingdom: 12 months / Investigatory Powers Commissioner
- Germany: 10 weeks / Bundesnetzagentur oversight
- Spain: 12 months / pending CJEU review (2024)
- Poland: 12 months / ongoing constitutional review (CJEU 2025)
- France: 12 months / CNCTR + Conseil d’État supervision
Complementary Reference
Council of Europe Resolution 2319 (2024) on Algorithmic Surveillance and the Protection of Fundamental Rights calls on Member States to legally regulate any data retention enabling automated behavioral analysis.
This resolution extends ECHR jurisprudence, emphasizing algorithmic transparency and strict retention limits.
Comparative Analysis
France occupies an intermediate model between Anglo-Saxon broad retention regimes (United States, United Kingdom) and European frameworks of strict proportionality (Germany, Spain).
The French Lecornu Decree 2025-980 applies the “serious and current threat” clause defined by the CJEU, while maintaining reinforced administrative oversight via the CNCTR and judicial control through the Conseil d’État.
Autonomous cryptographic architectures such as DataShielder NFC HSM and DataShielder HSM PGP offer a universal alternative: they neutralize the issue of data retention by eliminating any generation or logging of metadata.
This compliance-through-data-absence model aligns with democratic legal systems worldwide, and stands as a resilient blueprint against state-mandated traceability.
Out of Scope — What This Chronicle Does Not Cover in Relation to the Lecornu Decree on Digital Sovereignty
To maintain analytical rigor and prevent misinterpretation, the following areas are deliberately excluded from this Chronicle.
The Lecornu Decree on Digital Sovereignty is examined solely from the perspective of metadata retention, without extending to other technical, judicial, or operational domains.
- Communication content (lawful interception, monitoring) — the decree concerns metadata retention only, not access to message content.
- Criminal procedures (searches, digital seizures, judicial investigations) — outside the legal scope of this analysis.
- Sector-specific regimes (health, finance, defense, ePrivacy, open data) — mentioned only when intersecting with GDPR, NIS2, or DORA frameworks.
- Technical implementation details (log formats, access protocols, operator APIs) — omitted to preserve regulatory neutrality.
- Internal practices of platforms and messaging apps (WhatsApp, Signal, Telegram, etc.) — cited comparatively, without compliance assessment.
- Cryptographic weakening, backdoors, or offensive methods — excluded for ethical, legal, and sovereignty reasons.
- Individual legal advice, GDPR audit, or compliance consulting — not provided; this Chronicle constitutes neither legal counsel nor expert service.
- Export control regimes (cryptology licensing, ITAR, EAR) — cited only for reference.
- Product tutorials (installation, configuration, performance of DataShielder solutions) — deliberately excluded to maintain editorial neutrality and ethical integrity.
This Chronicle is limited to analyzing the legal qualification of metadata retention under French Decree No. 2025-980. It explains how and why offline cryptographic architectures — such as DataShielder NFC HSM and DataShielder HSM PGP — fall outside the scope of application, by virtue of their disconnected and non-traceable design.
Sovereign Glossary — Key Terms Related to the Lecornu Decree No. 2025-980 and Sovereign Cryptology
- ANSSI — French National Cybersecurity Agency: authority responsible for certification and compliance of cryptographic products. https://www.ssi.gouv.fr/en/
- CNCTR — National Commission for the Control of Intelligence Techniques: independent authority supervising intelligence practices in France. https://www.cnctr.fr/
- CNIL — French Data Protection Authority: regulator ensuring personal data protection and GDPR compliance. https://www.cnil.fr/en/
- CJEU — Court of Justice of the European Union: highest EU court ensuring the interpretation and application of EU law. https://curia.europa.eu/
- ECHR — European Court of Human Rights: ensures national laws comply with the European Convention on Human Rights. https://www.echr.coe.int/
- GDPR — General Data Protection Regulation (EU 2016/679): cornerstone framework for personal data protection in the European Union. Official GDPR Text
- NIS2 — Directive (EU) 2022/2555: strengthens cybersecurity obligations for essential service operators and critical infrastructure. Official NIS2 Directive
- DORA — Regulation (EU) 2022/2554: establishes digital operational resilience requirements for the financial sector. Official DORA Regulation
- HSM — Hardware Security Module: a secure hardware device isolating cryptographic keys from software environments.
- NFC HSM — Near Field Communication Hardware Security Module: autonomous cryptographic device using ISO 15693/14443 contactless standards for local encryption.
- Privacy by Design — GDPR principle requiring that privacy and data protection be integrated into systems from the earliest stages of design.
- Compliance Through Data Absence — Freemindtronic Doctrine:
a digital sovereignty principle that ensures legal compliance by designing systems that store no exploitable data at all.
Express FAQ — French Lecornu Decree 2025-980
An Evolving Legal Framework
Since 2015, France has progressively strengthened a framework of supervised and controlled surveillance — beginning with the creation of the CNCTR, followed by Constitutional Council rulings, and finally adapting to European directives.
Within this dynamic, the French Lecornu Decree on Digital Sovereignty establishes a model of targeted, limited, and supervised metadata retention.
Toward Disconnected Sovereign Cryptology
In parallel, advances in encryption technologies have led to the emergence of sovereign cryptology.
Thanks to autonomous HSMs, secure local storage, and zero-logging design, an offline ecosystem has taken shape — one that, by design, lies outside the scope of the Lecornu Decree on Digital Sovereignty.
This embodies the core of Freemindtronic’s doctrine: to secure without surveilling.
Regulatory Milestones and European Turning Points
- 2015 – Law No. 2015-912: legalization of intelligence techniques, creation of the CNCTR.
- 2016 → 2018 – CJEU Tele2 Sverige / Watson: prohibition of generalized data retention.
- 2021 – Decision No. 2021-808 DC: conditional validation, proportionality requirement. Official source
- 2022 – NIS2 Directive & DORA Regulation: European resilience and operational security framework.
- 2024 – Revision of Book VIII of the French Internal Security Code: integration of EU principles.
- 2025 – Lecornu Decree No. 2025-980: one-year metadata retention under CNCTR supervision. Official text
Two Logics, One Balance Point
The Lecornu Decree on Digital Sovereignty represents a balance between two complementary dynamics:
- State Logic: anticipate threats through targeted, temporary, and proportionate traceability.
- Sovereign Logic: restore confidentiality and user autonomy via local, decentralized cryptology.
Thus, targeted traceability becomes a legitimate instrument of public security —
yet offline autonomous architectures (such as DataShielder NFC HSM and DataShielder HSM PGP) maintain this balance without falling under legal retention requirements.
A Strategic Paradigm Shift
Between 2015 and 2025, France has evolved from a model of preventive retention to one of legal and technical resilience.
While the French Lecornu Decree concentrates on proportionality, Freemindtronic demonstrates the inverse approach:
eliminating traceability by design.
This duality outlines the future of European digital sovereignty.
A Four-Level Doctrinal Matrix
Level 1: National framework (French Lecornu Decree 2025-980).
Level 2: Independent oversight (CNCTR, Conseil d’État).
Level 3: European compliance (CJEU, ECHR, GDPR, NIS2, DORA).
Level 4: Sovereign innovation (DataShielder — Compliance Through Data Absence).
This four-tier structure now defines the policy of targeted traceability and sovereign cryptography within the European Union.
Technical Scope of the Decree
No. Self-hosted P2P communications, without third-party servers or centralized infrastructure, generate no exploitable metadata for operators.
They therefore fall outside the scope of the Lecornu Decree on Digital Sovereignty.
Fragmentation and Non-Reconstructibility
No. Segmented-key technologies, such as those developed by Freemindtronic, rely on separating hardware, software, and cognitive components.
This architecture renders the cryptographic key non-reconstructible without full contextual input — excluding both legal and technical retention.
Compatibility with European Law
Partially. While the decree meets proportionality requirements, it remains under review by the CJEU and ECHR to ensure it does not constitute generalized retention.
Auditability Without Exposure
Organizations can document their technical architecture (absence of logging, self-hosting, key segmentation) through typological diagrams.
Such documentation demonstrates non-applicability of the decree without disclosing sensitive data.
ANSSI Regulatory Oversight
Sovereign cryptology technologies fall under the dual-use goods control regime. They must be declared to the ANSSI but are not subject to retention obligations if no exploitable metadata is generated. Official ANSSI Source
Regulatory Definition
According to the CNCTR, an intelligence technique is a surveillance method enabling, by infringing privacy, the collection of information about a person without their knowledge. Official CNCTR Source
Reference Legal Library — French Lecornu Decree 2025-980
This documentary corpus gathers all legal texts, decisions, and official sources cited throughout this Chronicle, ensuring full traceability and verifiability of the information presented.
🇫🇷 National Legal Framework — France
- Decree No. 2025-980 of 15 October 2025 — Metadata Retention by Digital Operators
- French Internal Security Code — Book VIII: Intelligence Techniques
- Article L. 801-1 — Principles of Necessity, Proportionality and Independent Oversight
- Article L. 833-4 — CNCTR Powers (Ex Ante and Ex Post Control)
- Article L. 871-6 — Prime Minister’s Authority to Enact Data Retention Decrees
- CNCTR — National Commission for the Control of Intelligence Techniques
- Law No. 2015-912 of 24 July 2015 — Intelligence Law
- Decision No. 2021-808 DC of 20 May 2021 — Anti-Terrorism and Intelligence Act
- Conseil d’État — Jurisdiction over Intelligence Techniques
- Decree No. 2007-663 of 2 May 2007 — Regulation of Cryptology Means and Services
- ANSSI — French National Cybersecurity Agency
- CNIL — French Data Protection Authority
🇪🇺 European Legal Framework — European Union
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- Directive (EU) 2022/2555 — NIS2 Directive on Network and Information Systems Security
- Regulation (EU) 2022/2554 — DORA (Digital Operational Resilience Act)
- CJEU — Tele2 Sverige AB and Watson, Cases C-203/15 and C-698/15
- CJEU — Privacy International, Case C-623/17
- CJEU — La Quadrature du Net, Case C-511/18
- CJEU — SpaceNet, Case C-746/18
- Charter of Fundamental Rights of the European Union — Articles 7 & 8
🇪🇺 European Case Law and Doctrine — ECHR
- ECHR — Big Brother Watch v. United Kingdom (2021)
- ECHR — Centrum för Rättvisa v. Sweden (2021)
- ECHR — Ekimdzhiev and Others v. Bulgaria (2022)
Products and Compliance — Cryptology and Sovereignty
- DataShielder NFC HSM — Local Hardware Encryption Architecture
- DataShielder HSM PGP — Sovereign PGP Encryption Module
- CryptPeer® — P2P Self-Hosted Instant Messaging System with EviCall™ HSM PGP Technology
- Freemindtronic — Cryptology, Sovereignty and GDPR / NIS2 / DORA Compliance
Complementary Documentation
- CNIL — National Security and Personal Data
- CNCTR — Public Reports and Opinions
- EUR-Lex — Access to EU Law
- HUDOC — ECHR Case Law Database
- Constitutional Council of France — Decisions and Releases
Ultimately, the French Lecornu Decree 2025-980 on Digital Sovereignty illustrates the convergence between legal compliance and cryptographic autonomy.
Through their disconnected, zero-logging design, DataShielder and SilentX™ HSM PGP architectures embody genuine compliance by design —
where security arises not from constraint, but from sovereign non-traceability itself.
This model, grounded in the Freemindtronic Doctrine, foreshadows a Europe of Sovereign Cryptology:
law-compliant, infrastructure-independent, and protective of digital freedoms.
✪ Software Trust Chain — Mapping the flow of sovereign trust from hardware-generated credentials in PassCypher HSM, through local middleware, Tchap client validation, TLS 1.3 mutual authentication, and E2EE server layers.</caption]
