A formal reminder: on April 22, three ministers sent a letter to other members of the government, reminding them of the rules regarding the hosting of their sensitive data. The Ministers of Digital Affairs, Public Accounts and Public Action write that "developments in the international context" give "particular acuity" to "data protection," report Politico and Contexte, which also published the letter on Friday, May 2.
Sensitive data belonging to government officials must be stored on hosts that "comply with the requirements for protection against unauthorized access by public authorities of third countries," emphasize Laurent Marcangeli, Amélie de Montchalin, and Clara Chappaz. Translation: no more American hyperscalers like Amazon (AWS), Microsoft Azure, and Google Cloud, all three of which are subject to the "Fisa" law and the "Cloud Act." These extraterritorial American laws require any American company to hand over the data it hosts, including in Europe, to local authorities, if the latter request it.
This is true even if the data comes from the Old Continent, and even if it is strategic or sovereign. This constitutes a "right of scrutiny" or even potential interference that the government wants to avoid, particularly in light of the new geopolitical context.
"Ensuring greater independence of the State"
This is a point on which Brad Smith, the president of Microsoft, sought to offer reassurance on April 30, during the presentation of his "new digital commitments for Europe." The American firm is the target of several controversies in France, notably after the École Polytechnique and the National Education system, and less recently the Health Data Hub, the health data platform, chose this company to host certain data or to benefit from certain office tools.
The American firm sought to reassure Europeans by stating that it would fight in court any request to suspend its cloud operations in Europe that came from any government, including the American one. It added that it would "challenge any government request for access to data of public sector customers or EU companies, where there is a legal basis for doing so."
For the three ministers who issued this reminder, the objective of the French rules is to "ensure greater independence of the State." As a result, all members of the government must "imperatively ensure" that their administrations use "hosting" that complies with "these requirements for protection against unauthorized access by public authorities of third-party states" in the case of sensitive data.
Alongside the cloud, office solutions, messaging and AI solutions are also affected
But it's not just cloud hosting that is affected: this rule also applies to "cloud office and messaging solutions as well as artificial intelligence solutions." In addition to the ministries, the organizations under their supervision, as well as the GIPs, the public interest groups – of which the Health Data Hub is a part – are also targeted.
On the office suite side, the three ministers highlight "the collaborative and secure tools offered by the Interministerial Digital Directorate, (including) the Digital Suite, which are fully sovereign and independent."
From May 31, all cloud purchases must be validated by DINUM, the interministerial digital department, with some exceptions, the authors of the letter remind us. Since the "SREN" law (aimed at securing and regulating the digital space), whose implementing decree should be published in the coming weeks, government administrations and operators, and certain GIPs, cannot choose just any cloud or digital solutions provider.
The "Cloud at the Center of the State" doctrine, now included in the SREN law, requires them to use a SecNumCloud-certified provider (the highest level of cybersecurity) for hosting all sensitive data. This label includes a clause providing immunity from extraterritorial laws, which effectively excludes American cloud giants like Amazon, Microsoft Azure, and Google Cloud, all three of which are subject to the "Fisa" law and the "Cloud Act."