Presentation of the provisions of the law on securing and regulating the digital space, aimed in particular at better regulation of the cloud market, with new competition rules designed to rebalance the European cloud computing market and promote European strategic autonomy.
The law to secure and regulate the digital space (the "SREN Law") was adopted on May 21st and published in the "Journal Officiel" on May 22nd [1].
It harmonizes national law with European Union law, to establish a single digital market.
In addition to provisions concerning the protection of minors online (Title I), the protection of citizens in the digital environment (Title II), and the development of the monetizable digital object games ("JONUM") economy (Title IV), the SREN Law is of particular significance to the cloud computing market, introducing provisions designed to enhance confidence and competition in the data economy (Title III), the subject of this paper.
I. Against unfair commercial practices in the cloud market
The Commercial Code [2] has been amended to regulate existing commercial practices on the cloud market.
Among the practices that render customers captive, the "cloud computing credit" - consisting of an allocation of services accessible free of charge within a defined timeframe - is now regulated. A "cloud computing service" provider may only grant a "cloud computing credit" to entities engaged in production, distribution or service activities, for a limited test period and without any associated condition of exclusivity for the benefit of the credit provider, subject to sanctions [3]. The aim is to encourage customers to use free trial offers and to enable them to exit without excessive financial penalties.
In this respect, in line with the European "cost approach", the text aims to disrupt the prevailing practices of dominant service providers in the cloud market, by stipulating that charges for switching cloud providers may not exceed the actual costs incurred by the latter in connection with the transfer, except in the case of specific developments outside the service catalog [4].
These provisions will be in force until January 12, 2027, i.e. until the Data Act comes into force.
Similarly, the practice of "self-preference" may be sanctioned, wherein a cloud computing service provider who also supplies software offers unjustifiably different pricing and functional conditions depending on whether or not the customer subscribes to its cloud computing service.
II. Interoperability of cloud services
To prevent technical barriers for emerging players and address the lack of interoperability, new obligations aim to reduce customer lock-in and exclusivity favoring dominant market players.
In the interim period before the Data Act's entry into force, cloud providers must ensure that their services comply with essential requirements for (i) secure interoperability with the customer's own services, or with those provided by other cloud providers for the same type of service, (ii) portability of digital assets and exportable data to the customer's own services or to those provided by other suppliers covering the same type of service, (iii) free provision to customers and to third-party service providers designated by these customers of the application programming interfaces (APIs) necessary to fulfill interoperability and portability requirements. These essential requirements will be detailed by decree.
III. Protecting strategic and sensitive data in the cloud market
To protect "sensitive" data critical to national security, and in line with the "Cloud at the center" [5] doctrine, State administrations, operators and public interest groups that use a cloud service to host "particularly sensitive" data will have to comply with security and protection criteria designed to prevent access to this data by public authorities in third countries.
These security and protection criteria will be defined by decree of the "Conseil d'Etat", to be issued within six months of the promulgation of the SREN Act, which will also outline conditions under which any derogations may be granted under the responsibility of the Prime Minister, for a maximum period of eighteen months from the date a cloud service offering becomes available in France.
Particularly sensitive data - whether personal or not - includes (i) "data that is subject to secrets protected by law, notably under the "Code des relations entre le public et l'administration" [6]; and (ii) "data necessary for the execution of essential State missions, notably safeguarding national security, maintaining public order and protecting the health and life of individuals".
The regime governing the hosting of health data has been streamlined, and the electronic archiving service provider will be subject to certification similar to any other health data host [7].
Furthermore, the hosting provider will be required to store "such data on the territory of a Member State of the EU or party to the agreement on the European Economic Area", and contractually stipulate "the measures taken to address the risks of transfer of or unauthorized access to such data by States outside the European Union or the European Economic Area". A decree issued by the "Conseil d'Etat" will detail these obligations and set the date for their enforcement, which may not be later than July 1, 2025.
The Health Data Hub ("HDH") [8] is expressly included in the scope of these provisions and will be required to use a hosting solution that meets the security criteria defined in the ANSSI SecNumCloud [9] reference framework, as per the Secretary of State for Digital Affairs.
IV. Transparency in the cloud market
Users will be better informed about how their data is used. Cloud service providers must ensure transparency on their websites by providing users with new information regarding (i) the competent jurisdictions concerning the infrastructure deployed for data processing under their various services, and (ii) the technical, organizational and contractual measures implemented to prevent unauthorized access to non-personal data held in the EU or the transfer of such data by third countries, where such transfer or access contravenes European or national law.
These provisions apply until January 12, 2027, when the Data Act comes into force.
Additionally, cloud computing service providers must publish information on the environmental footprint of their services, including carbon footprint, water consumption and energy consumption. The content, application procedures and implementation deadlines for this obligation, as well as the activity thresholds, have yet to be specified by decree.
V. Adaptation of the French Data Protection Act ("LIL")
The scope of "monitoring of personal behavior" [10] has been extended to make the French Data Protection Act applicable to non-EU operators and services impacting individuals on French territory [11].
Non-EU players processing "personal data of individuals on French territory by a controller or processor not established in the European Union, where such processing is linked to monitoring the behavior of such individual within the EU, particularly by collecting their personal data with the intent to match it with data linked to their online activity" must now comply with the LIL.
All these new provisions aim to better regulate the cloud market, with new competition rules designed to rebalance the European cloud computing market and promote European strategic autonomy.
Footnotes
[1] Law no. 2024-449 of May 21, 2024 to secure and regulate the digital space
[2] Art. L.442-12 French Commercial Code
[3] Up to 200,000 euros for an individual and 1 million euros for a legal entity
[4] The maximum amount will be set by ministerial decree on the recommendation of the French regulatory authority for electronic communications, postal services and press distribution.
[5] Circular "Cloud at the center" of 31-05-2023
[6] Pursuant to art. L. 311-5 and L. 311-6 of the French Code on relations between the public and the administration
[7] Previously subject to approval "by the Ministry of Culture for the storage of such data on paper or digital media" (Art. L.1111-8 III CSP before amendment by the SREN Act).
[8] "Health data platform" GIP
[9] Statement by Mrs. Marina Ferrari, Secretary of State for Digital Affairs, on the bill to secure and regulate the digital space, at the National Assembly on 10-04-2024
[10] Within the meaning of art. 3, 2 of the GDPR
[11] Following the deliberation LUSHA SYSTEMS Inc CNIL, Deliberation SAN-2022-024 of December 20, 2022