Locations
On 10 April 2024, the French National Assembly voted in favor of the bill to secure and regulate the digital space (the 'Law SREN'), based on the latest draft version agreed upon by the mixed joint committee ('Commission Mixte Paritaire') in the French Parliament.
The Law SREN aims to enhance users' online safety, fight misinformation, regulate digital assets and also touches upon cloud computing services, interoperability, and digital sovereignty requirements that will have a significant impact on the French cloud services market.
In 2021, the French government introduced its cloud strategy (named "Cloud au Centre") whereby public administrations must either use (i) the governmental cloud ("cloud interministériel") or a (i) cloud service providers who hold the SecNumCloud certification granted by the National Cybersecurity Agency (ANSSI), or a European certification ensuring a comparable level of security.
More recently, both the French government and economic stakeholders have shown eagerness to increase France's digital sovereignty, which has led to the adoption of the Law SREN.
- Introduction of new concepts and restrictions on the offering of cloud computing credits.
Article 7 of the Law SREN introduces four new definitions in the French Commercial code, namely 'cloud computing services', 'cloud computing credits', 'client' and 'self-preference'.
The notion of cloud credits refers to an advantage granted by a cloud computing service provider to a customer, usable across its services in the form of a credit amount or quantity of services offered.
In this respect, Art.7 states that a cloud computing service provider may only grant cloud computing credit to customers operating in production, distribution, or services industry for a limited period, provided that these credits are not subject to a condition of exclusivity. A decree by the Conseil d'Etat will further specify the types of credits that can be granted and the maximum validity period, which may not exceed one year.
French MPs consider that cloud credit may consist of an unfair competition practice to the extent that the prices proposed by US tech providers are highly advantageous and the validity period is too long, impacting European cloud services providers' competitiveness.
Non-compliance with these requirements is sanctioned by an administrative fine of up to 200.000 euros for a natural person and of 1 million euros for a legal entity. They can be doubled in case of repeated offense within two years from the date of the first sanction.
- Regulating data transfers and switching fees
Article 7bis prohibits cloud computing service provides from charging customers:
- Data transfers fees, when changing cloud service provider, that exceed the costs incurred by the provider and directly related to such change.
- Switching fees, other than those related to the extraction of the client's data, that exceed the costs incurred by the provider and directly related to such switch.
- Facilitating interoperability measures
Article 8 of the Law SREN, in line with Article 23 et seq. of the EU Data Act, provides that cloud computing service providers shall:
- ensure interoperability with the customer's services or with those of competitors for similar functionalities; and,
- provide access, free of charge, to customers and to third party providers designated by them,
- to the necessary application programming interface for the implementation of interoperability and portability; and,
- to sufficient detailed information on the relevant cloud computing service to enable customers or third-party service providers to communicate with that service.
- Digital sovereignty requirements for hosting data of a particular sensitivity
Article 10 bis A applies to public administration bodies, their operators (listed in a dedicated annex in the upcoming budget law) and public interest groups ('groupements d'intérêt public' - GIP) who handle data of a particular sensitivity whether personal data or not.
This includes data related to State secrets, or critical functions of the State such as national security or the protection of individuals' health and/or life) and the violation of which is likely to constitute a threat to public order, public safety, health and life of persons, or to the protection of intellectual property.
The organisations concerned must ensure that the cloud computing service providers they resort to are capable of providing robust security standards and measures aimed at preventing unauthorized access by foreign government authorities to the data.
The Article further states explicitly that the above provisions shall apply to the Health Data Hub, which is currently hosted by Microsoft.
The last version of Law SREN does not refer explicitly to the SecNumCloud certification nor to any other specific certification. It was made clear during the Joint Mixed Committee's discussions that this was an intentional choice from the legislator, considering the upcoming European Cybersecurity Certification Scheme for Cloud Services. A decree will specify the security standards required, notably regarding share capital.
It should be noted that the SecNumCloud Framework currently sets the threshold to 24 % (individually) and 39% (collectively) share capital by non-EU entities.
Moreover, an organisation can request an exemption if it already has an ongoing contract with a cloud computing service provider. Such exemption cannot exceed 18 months starting from the date of an 'acceptable offer' is made available in France.
- Criminalizing pornographic deep fakes that are generated by an AI system
The Law SREN introduces a new article in the Criminal Code which prohibits the public sharing of deepfakes depicting pornographic content that uses an individual's image or voice without his/her consent. Any violation of this prohibition may be criminally sanctioned by 2 years' imprisonment and a EUR 60.000 fine.
Those sanctions may be increased to 3 years of imprisonment and a fine of 75.000 euros where the publication of the deepfake is disseminated on an online platform.
The Law SREN will be enacted within 15 days and will enter into force in several phases, depending on the provisions concerned.
If you have any questions or comments, please reach out to the authors: Oliver Proust and Inès Benazzouz