Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

The concept of cloud computing has been acknowledged by the official texts since 2010, when the terminology commission in charge of establishing the official definition of new terms in the French language defined ‘cloud computing’ (that is, a ‘means of processing client data, the exploitation of which is made via internet, in the form of services provided by a service provider’) and provided an official translation in the French language.

For the purpose of implementing the EU directive on Network and Information System Security of 9 July 2016, the French legislator enacted in February 2018 a statutory definition of the ‘cloud computing service’ (that is, ‘a digital service that enables access to a set of flexible and variable IT resources that may be shared’). This service is classified among the ‘digital services’, along with online platforms and search engines, for which the providers are obliged to comply with certain security obligations (see question 9).

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The Law No. 2018-133 dated 26 February 2018 transposed Directive No. 2016/1148 of the European Parliament and the Council dated 6 July 2016, which aims to meet a uniform high level of security for the networks and information systems set up in the EU (NIS).

This law obliges digital services providers (including cloud computing providers) to identify the risks that affect their networks and information systems’ security and to take the technical and organisational measures necessary for managing these risks, to guarantee the continuity of their services.

These providers must notify the National Cybersecurity Agency (ANSSI) of any incident that has a significant impact on the provision of their services. Upon the Prime Minister’s initiative, they may be subject to compliance and security controls, which will be made by the same agency. When they offer their services in the EU but are located in a third-party state, such providers must designate a representative in a member state.

Further to the adoption of the General Data Protection Regulation (GDPR) (see question 15), the EU enacted on 14 November 2018 Regulation No. 2018/1807, which establishes a framework for the free flow of non-personal data within the EU. Specifically, this text prohibits member states from requiring the localisation on their territory of the processing of data that is neither personal data nor ‘inextricably linked’ to personal data. Exceptions are allowed only if based on public safety grounds and balanced accordingly and must be reported to the EU Commission by 30 May 2021. These provisions will concern, in particular, the use of cloud computing services by state administrations and other public bodies, whose data are currently considered as ‘public archives’ and must not be exported out of the territory (Heritage Code, article L111-7).

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Posts and Electronic Communications Code (CPCE) (telecom operators)

Under the existing EU ‘telecom package’, services relating to digital ‘content’ provided online (eg, online platforms, search engines, site hosting, portal management, edition of online content, etc) are distinguished from telecommunication services, which concern the ‘container’. Telecommunication operators are governed by their own provisions which, historically, have been more burdensome than those applicable to cloud and other digital services providers, for instance, as regards internet neutrality (governed by EU Regulation No. 2015/2120 dated 25 November 2015), personal data protection, confidentiality of correspondence, neutrality in respect of message content or access to emergency numbers. Yet, in practice, the boundaries between services are not as obvious. For instance, the main digital services providers set up cache servers in the operators’ networks in order to bring their content closer to end customers. Accordingly, about 50 per cent of the incoming traffic to internet access providers originates from the four main content providers - Google, Netflix, Akamai, Facebook (Regulatory Authority for Telecommunications (ARCEP), 2019 Report). It was not until recently that the European Court of Justice itself had to determine whether Skype should be considered as a telecommunication service and fall within the telecommunication regulatory regime (ECJ, No. C142-18, Skype Communications Sarl v IBPT, 5 June 2019).

The forthcoming EU Electronic Communications Code (due to be transposed by the member states by 21 December 2020) attempts to restore fairer competition conditions. It will cover the existing telecommunications services but also ‘interpersonal communications services’, regardless of whether users connect through publicly assigned numbering resources or otherwise. Voice over IP and messaging SaaS services such as Skype, WhatsApp, WeChat or Facebook Messenger should, therefore, fall within the scope of the regulated services.

On another note, the CPCE defines and regulates a service category which combines both telecom and cloud computing aspects, the ‘electronic safe’. The purpose of this service is the receipt, storage, removal and transmission of data and electronic documents in conditions that must retain their integrity and exactitude of origin (article L.103). The providers of these services must set up the security measures necessary to meet these conditions and to ensure the traceability of the operations made on the data and documents. They must set up a technical file to provide proof of their adherence to the legal requirements.

Defence Code (Fundamental Operators)

Since the law of military programming No. 2013-1168 dated 18 September 2013, the Defence Code submits a specific category of players, the infrastructures and systems of which are strategic for the country, designated as Fundamental Operators (OIV), to specific rules concerning the security of their information systems (article L1332-6-1 et seq). Each OIV is obliged to provide a map of its information system, ensure that it is homologated and establish a security policy for its system. The OIVs must inform the Prime Minister of the incidents affecting the functioning or security of their information systems. They must enable the ANSSI to carry out audits and must set up any security measures requested by the latter. Such obligations require the service agreements to be adapted, including those that they may enter into with digital service providers for cloud computing.

General tax code (clients)

All companies are obliged to retain the documents on which the French tax authorities have a right of communication, enquiry and control. The documents in question must be kept for at least six years (Tax Procedure Code, article L102 B). In this context, the use of a cloud computing service to store invoices must meet the various conditions concerning the terms of conservation of the documents and the countries of location of the storage servers (Tax Procedure Code, article L102 C). The invoices issued or received by a company must remain accessible from its principal establishment or registered office in France, regardless of the country of storage. The French tax authorities must be informed of the location of storage of the invoices.

Furthermore, when an accounting department works with automated systems (including SaaS), the tax authorities’ right of control applies to all the information, data and software processing that are used to establish the results and statements for the tax authorities, as well as the documentation relating to the analysis, programming and the performance of IT processing (Tax Procedure Code, articles L13, IV and L47 A,II).

For such a purpose, the tax authority may set up its own IT processing on the company’s equipment. Furthermore, since 2014, all companies must communicate their online accounting to the tax authorities according to the required standards (Fichier des Ecritures Comptables). Finally, the tax authority may, after court authorisation, launch a search and seizure procedure, including the seizure of data hosted on IT servers. The location abroad of the servers concerned does not constitute an excuse (Paris Court of Appeal, order dated 31 August 2012).

Others

Other examples may be found in a variety of texts, including the second version of the European Payment Services Directive (PSD2), which entered into force in January 2018 and makes strong authentication mandatory for payments over €30.

Furthermore, cloud computing transactions are indirectly governed by sector-specific legislation or regulations, as discussed in question 13, as well as by data protection and privacy legislation applicable to any kind of personal data processing, as discussed in question 15.

More generally, all regulations governing business-to-business (B2B) relations apply to transactions between cloud computing service providers and businesses. For instance, the French Law No. 2016-1691 on transparency, fight against corruption and modernisation of the economy of 9 December 2016 (Sapin II Law) requires large businesses to take measures to prevent and detect acts of corruption and subornation. Cloud computing records will be key to demonstrating compliance.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

The Law No. 2018-133 dated 26 February 2018 (see question 9) sanctions the directors of digital service providers with a fine of €100,000 when they prevent audit and security operations from being carried out in accordance with the law, and with a fine of €75,000 when they do not comply with security measures that they have been formally required to take as a result of such an audit. If they fail to declare an incident or to disclose information to the public as legally required, these directors may be subject to a fine of €50,000.

The Posts and Electronic Communications Code sanctions operators and their agents with a one-year prison sentence and a fine of €75,000 for failure to delete or ensure the anonymity of any data relating to communications, or for not retaining technical communication data in accordance with the legal requirements (article L39-3) (see question 10). Furthermore, those who offer a connection to the public enabling online communication via internet access, including for free, are required to comply with the provisions applicable to telecoms operators, including registering themselves with the competent regulatory authority (ARCEP). Accordingly, they are subject to the same sanctions as telecoms operators (article L34-1).

The Defence Code sanctions directors of the OIVs with a fine of €150,000 if they fail to set up a protection plan, to accomplish works they have scheduled or to carry out the works requested following an audit, or otherwise fail to comply with their legal obligations (article L1332-7). These sanctions may be multiplied fivefold for the operators as legal persons.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

With regard to consumers, the cloud computing service providers are obliged to respect the provisions of the Consumer Code. This code regulates the entire relationship with a client, from the obligation to provide pre-contractual information (article L111-1 et seq), the process for entering into an online contract (article L121-16), the prohibition or regulation of commercial practices and abusive clauses, the provision of guarantees, through to the terms for terminating such contracts.

The pre-contractual information must be provided in a legible and understandable manner and a written confirmation of the contract must be provided as well (article L221-5). Insofar as the request for cloud computing services usually implies immediate use, the usual right of withdrawal that lasts for 14 days will most often not apply (article L121-21-8 1°). Finally, the consumers benefit from a right of portability of their personal data within the conditions of the GDPR (see question 15).

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

A number of sector-specific laws or regulations that do not specifically target cloud computing transactions nonetheless apply to them indirectly. In regulated sectors (eg, healthcare, banking, etc), regulations or recommendations in this respect are usually issued by the authority in charge of the sector. The following provides only a few examples.

General Security Referential (public sector)

Since Decree No. 2010-112 dated 2 February 2010, the state administrations, local authorities and other administrative bodies must guarantee the security of the information systems that they are using to provide the users with online services (for example, the payment of criminal fees for minor offences) and to correspond with them electronically. For such purpose, they must respect a general security referential, which defines the rules and best practices to be followed, and terms such as certification, official approval or security audits (www.ssi.gouv.fr/entreprise/reglementation/confiance-numerique/le-referentiel-general-de-securite-rgs/). This general referential indirectly applies to the service providers used by the administration, including for cloud computing services.

In this context, the ANSSI adopted a referential of specific requirements for cloud computing service providers called ‘SecNumCloud’. The last version of this document was published on 11 June 2018 (www.ssi.gouv.fr/uploads/2014/12/secnumcloud_referentiel_v3.1_anssi.pdf). It covers the various types of cloud computing services: the software delivered as online services, the infrastructures (offices and data centres) and the operating, management and operational procedures of the providers. This label is considered as much more demanding than others such as ISO 27000. So far, one provider is a ‘qualified service provider’ for cloud computing services under this referential (Oodrive). As at July 2019, six other certification applications were in progress (https://www.ssi.gouv.fr/liste-produits-et-services-qualifies).

Heritage Code (public sector)

The Heritage Code defines the legal regime for the archives of the state and other public bodies in general. It sets obligations for their safekeeping, which may only be outsourced if the provider is approved and if the archives are kept on French territory (article R212-23).

French Public Health Code (health sector)

Article L1111-8 of the French Public Health Code requires that health data hosting providers implement specific safeguards, fulfil certain commitments and be certified. Failure to meet the requirements defined by the public health agency (ASIP Santé) is sanctioned by a fine of €45,000 (and three years’ imprisonment (article L1115-1)).

Order dated 3 November 2014 of the French Finance Ministry relating to the internal control of companies in the banking sector and others (financial sector)

The French Supervisory and Regulatory Control Body (ACPR), which is in charge of preserving the stability of the financial system and protecting the customers, insurance policyholders, members and beneficiaries of the businesses under its control, clarified in 2013 that cloud computing services should comply with the rules governing the outsourcing of banking activities. These rules are now set forth in an Order of 3 November 2014. Among other requirements, this text provides that the relevant businesses must remain able to terminate at any time the outsourcing services they use without this affecting the continuity or quality of the services they provide.

More recently, the European Banking Authority issued ‘Recommendations on outsourcing to cloud service providers’ which address five key areas: the security of data and systems, the location of data and data processing, access and audit rights, chain sub-processing, and contingency plans and exit strategies (www.eba.europa.eu). These recommendations must be applied by the national authorities (eg, the ACPR) to the relevant businesses.

Inter-professional Agreement dated 3 October 2016 concerning the obligation to seek continued exploitation relating to cinematographic and audio-visual works (cinema sector)

In the cinema industry, a trade agreement provides for the film producers’ duty to ensure the conservation of the works used to create movies, so as to guarantee that such works are recorded in digital formats that enable their availability online. This agreement has been made mandatory by government decree. In furtherance thereof, a trade association, the Technical Superior Board of Image and Sound, has issued technical recommendations concerning, among others, the material conditions for the conservation of works under the contracts concluded with service providers (www.cst.fr: CST-RT043-2017-12-18-12h02.pdf).

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

The French Commercial Code provides the rules applicable to the insolvency of companies. No specific provision applies to cloud computing service providers, even though the consequences of their insolvency could be severe on consumers and professionals alike.

Therefore, appropriate precautions against the loss of data due to such situations should be incorporated into the contractual provisions governing the services, particularly with regard to reversibility and pricing.