In a press release issued on May 17, 2021, the French government outlined its strategy for the use of cloud technology to protect personal data following increasing concerns in Europe over the surveillance risks posed by global privacy laws with extra-territorial scope affecting EU citizens.
The policy looks to locate cloud service providers’ servers in France, allowing only European companies to operate them, and limiting the ability to transfer data to a third country. Speaking to OneTrust DataGuidance, Sonia Cissé, Counsel at Linklaters said “It is clear that the government’s new policy on the development of a French cloud also aims to address the data transfer issues raised by the Schrems II judgment […] [The policy] would limit global data transfers and offer an alternative to the extraterritorial investigation powers of certain foreign authorities.”
What does the National Cloud Strategy say?
In Monday’s press release, the French Government highlighted the economic and industrial opportunities in France of cloud technologies, whilst also noting the risks posed to the integrity of French data in light of potential foreign access to such data.
The national cloud strategy has three main pillars:
- The Trusted Cloud Label: A certification will likely be introduced to signal that cloud providers are offering the greatest level of data protection possible, in line with the values of EU data protection law. The certification will be based on the SecNumCloud issued by ANSSI and will be a label of a trusted cloud service provider.
- A “Cloud at the Centre” Policy: This pillar of the national strategy aims to put cloud computing at the centre of any new digital project in France and seeks to accelerate digital transformation in the country.
- Ambitious Industrial Strategy: The strategy is aimed at supporting industrial projects that develop cloud technologies in France with a particular focus on PaaS that assist with Big Data and Artificial Intelligence initiatives. The strategy also aims to enhance the technological sovereignty of France and Europe as a whole.
What about US-based cloud providers such as Google and Microsoft?
At a news conference, French Finance Minister Bruno Le Maire said it was his vision that cloud providers such as Google and Microsoft could license their technologies to French companies as part of an initiative to guarantee the location of servers in France as well as European ownership of the companies that store and process the data. This would enable the technological sovereignty being sought by the French Government as well as increase the levels of security around the data of French citizens – the comment was welcomed by both Google and Microsoft.
What is next for the National Cloud Strategy in France?
At this stage, the announcement is a statement of intent from French ministers, however, there are considerations that organizations operating in Europe can bear in mind should these new requirements for public data become law:
- Store your data in France
- Use cloud providers that hold the ANSSI certification
- Use due diligence to ensure the European ownership of the organizations that store and process data
