In a press release issued on May 17, 2021, the French government outlined its strategy for the use of cloud technology to protect personal data following increasing concerns in Europe over the surveillance risks posed by global privacy laws with extra-territorial scope affecting EU citizens.
The policy looks to locate cloud service providers’ servers in France, allowing only European companies to operate them, and limiting the ability to transfer data to a third country. Speaking to OneTrust DataGuidance, Sonia Cissé, Counsel at Linklaters said “It is clear that the government’s new policy on the development of a French cloud also aims to address the data transfer issues raised by the Schrems II judgment […] [The policy] would limit global data transfers and offer an alternative to the extraterritorial investigation powers of certain foreign authorities.”
What does the National Cloud Strategy say?
In Monday’s press release, the French Government highlighted the economic and industrial opportunities in France of cloud technologies, whilst also noting the risks posed to the integrity of French data in light of potential foreign access to such data.
The national cloud strategy has three main pillars:
What about US-based cloud providers such as Google and Microsoft?
At a news conference, French Finance Minister Bruno Le Maire said it was his vision that cloud providers such as Google and Microsoft could license their technologies to French companies as part of an initiative to guarantee the location of servers in France as well as European ownership of the companies that store and process the data. This would enable the technological sovereignty being sought by the French Government as well as increase the levels of security around the data of French citizens – the comment was welcomed by both Google and Microsoft.
What is next for the National Cloud Strategy in France?
At this stage, the announcement is a statement of intent from French ministers, however, there are considerations that organizations operating in Europe can bear in mind should these new requirements for public data become law: