Presentation of the provisions of the law on securing and regulating the digital space, aimed in particular at better regulation of the cloud market, with new competition rules designed to rebalance the European cloud computing market and promote European strategic autonomy.
The law to secure and regulate the digital space (the “SREN Law”) was adopted on May 21st and published in the "Journal Officiel" on May 22nd[1].
It harmonizes national law with European Union law, to establish a single digital market.
In addition to provisions concerning the protection of minors online (Title I), the protection of citizens in the digital environment (Title II), and the development of the monetizable digital object games (“JONUM”) economy (Title IV), the SREN Law is of particular significance to the cloud computing market, introducing provisions designed to enhance confidence and competition in the data economy (Title III), the subject of this paper.
I. Against unfair commercial practices in the cloud market
The Commercial Code[2] has been amended to regulate existing commercial practices on the cloud market.
Among the practices that render customers captive, the “cloud computing credit” - consisting of an allocation of services accessible free of charge within a defined timeframe - is now regulated. A “cloud computing service” provider may only grant a “cloud computing credit” to entities engaged in production, distribution or service activities, for a limited test period and without any associated condition of exclusivity for the benefit of the credit provider, subject to sanctions[3]. The aim is to encourage customers to use free trial offers and to enable them to exit without excessive financial penalties.
In this respect, in line with the European “cost approach”, the text aims to disrupt the prevailing practices of dominant service providers in the cloud market, by stipulating that charges for switching cloud providers may not exceed the actual costs incurred by the latter in connection with the transfer, except in the case of specific developments outside the service catalog[4].
These provisions will be in force until January 12, 2027, i.e. until the Data Act comes into force.
Similarly, the practice of “self-preference” may be sanctioned, wherein a cloud computing service provider who also supplies software offers unjustifiably different pricing and functional conditions depending on whether or not the customer subscribes to its cloud computing service.
II. Interoperability of cloud services
To prevent technical barriers for emerging players and address the lack of interoperability, new obligations aim to reduce customer lock-in and exclusivity favoring dominant market players.
In the interim period before the Data Act's entry into force, cloud providers must ensure that their services comply with essential requirements for (i) secure interoperability with the customer's own services, or with those provided by other cloud providers for the same type of service, (ii) portability of digital assets and exportable data to the customer's own services or to those provided by other suppliers covering the same type of service, (iii) free provision to customers and to third-party service providers designated by these customers of the application programming interfaces (APIs) necessary to fulfill interoperability and portability requirements. These essential requirements will be detailed by decree.
III. Protecting strategic and sensitive data in the cloud market
To protect “sensitive” data critical to national security, and in line with the “Cloud at the center”[5] doctrine, State administrations, operators and public interest groups that use a cloud service to host “particularly sensitive” data will have to comply with security and protection criteria designed to prevent access to this data by public authorities in third countries.
These security and protection criteria will be defined by decree of the "Conseil d'Etat", to be issued within six months of the promulgation of the SREN Act, which will also outline conditions under which any derogations may be granted under the responsibility of the Prime Minister, for a maximum period of eighteen months from the date a cloud service offering becomes available in France.
Particularly sensitive data - whether personal or not - includes (i) “data that is subject to secrets protected by law, notably under the "Code des relations entre le public et l'administration"”[6]; and (ii) “data necessary for the execution of essential State missions, notably safeguarding national security, maintaining public order and protecting the health and life of individuals”.
The regime governing the hosting of health data has been streamlined, and the electronic archiving service provider will be subject to certification similar to any other health data host[7].
Furthermore, the hosting provider will be required to store “such data on the territory of a Member State of the EU or party to the agreement on the European Economic Area”, and contractually stipulate “the measures taken to address the risks of transfer of or unauthorized access to such data by States outside the European Union or the European Economic Area”. A decree issued by the "Conseil d'Etat" will detail these obligations and set the date for their enforcement, which may not be later than July 1, 2025.
The Health Data Hub (“HDH”)[8] is expressly included in the scope of these provisions and will be required to use a hosting solution that meets the security criteria defined in the ANSSI SecNumCloud[9] reference framework, as per the Secretary of State for Digital Affairs.
IV. Transparency in the cloud market
Users will be better informed about how their data is used. Cloud service providers must ensure transparency on their websites by providing users with new information regarding (i) the competent jurisdictions concerning the infrastructure deployed for data processing under their various services, and (ii) the technical, organizational and contractual measures implemented to prevent unauthorized access to non-personal data held in the EU or the transfer of such data by third countries, where such transfer or access contravenes European or national law.
These provisions apply until January 12, 2027, when the Data Act comes into force.
Additionally, cloud computing service providers must publish information on the environmental footprint of their services, including carbon footprint, water consumption and energy consumption. The content, application procedures and implementation deadlines for this obligation, as well as the activity thresholds, have yet to be specified by decree.
V. Adaptation of the French Data Protection Act (“LIL”)
The scope of “monitoring of personal behavior”[10] has been extended to make the French Data Protection Act applicable to non-EU operators and services impacting individuals on French territory[11].
Non-EU players processing “personal data of individuals on French territory by a controller or processor not established in the European Union, where such processing is linked to monitoring the behavior of such individual within the EU, particularly by collecting their personal data with the intent to match it with data linked to their online activity” must now comply with the LIL.
All these new provisions aim to better regulate the cloud market, with new competition rules designed to rebalance the European cloud computing market and promote European strategic autonomy...
[2] Art. L.442-12 French Commercial Code
[3] Up to 200,000 euros for an individual and 1 million euros for a legal entity
[4] The maximum amount will be set by ministerial decree on the recommendation of the French regulatory authority for electronic communications, postal services and press distribution.
[5] Circular “Cloud at the center” of 31-05-2023
[6] Pursuant to art. L. 311-5 and L. 311-6 of the French Code on relations between the public and the administration
[7] Previously subject to approval “by the Ministry of Culture for the storage of such data on paper or digital media” (Art. L.1111-8 III CSP before amendment by the SREN Act).
[8] "Health data platform" GIP
[9] Statement by Mrs. Marina Ferrari, Secretary of State for Digital Affairs, on the bill to secure and regulate the digital space, at the National Assembly on 10-04-2024
[10] Within the meaning of art. 3, 2 of the RGPD
[11] Following the deliberation LUSHA SYSTEMS Inc CNIL, Deliberation SAN-2022-024 of December 20, 2022