Cloud: the risks of a European certification allowing foreign authorities access to sensitive data

Sensitive data that must be particularly protected

Data stored by a company subject to non-European law, as is the case with hosting providers whose parent companies are located in the United States, may be exposed to a risk of having to disclose data to the public authorities of that country. This risk is generally considered to be limited, particularly in the case of non-sensitive data entrusted to service providers based in “adequate countries” in terms of personal data protection. This is particularly the case for the United States, which have been an ‘adequate country’ since the European Commission's decision of 10 July 2023 (under the conditions set out in the Data Privacy Framework). However, enhanced protection is required for the most sensitive data processing (e.g. large health databases, criminal data or data relating to minors), for which data hosted in the European Union should not be subject to a risk of unauthorized access by authorities in third countries.

In such cases, the CNIL recommends using a service provider that is exclusively subject to European law and offers an adequate level of protection. In France, for cloud computing services, the SecNumCloud certification from the Agence nationale de la sécurité des systèmes d'information (ANSSI) includes this criterion, protecting data against access by foreign authorities.

Shortcomings and risks of the EUCS European certification project

The possibility of ensuring, in the case of the most sensitive processing operations, that the data host is not subject to non-European legislation is no longer included in the EUCS project for European cybersecurity certification of the cloud, piloted by the European Union Agency for cybersecurity (ENISA), even at the highest levels of the certification and even as an option.

This development, which is due to be discussed again as soon as the new European Commission has been formed, deprives stakeholders of a concrete framework for guaranteeing the protection of fundamental rights and freedoms for European citizens in the context of such processing.

In France, the CNIL has long recommended that the most sensitive personal databases (such as the national health data system (SNDS) or data concerning minors) should be protected against possible disclosure to public authorities in third countries. The CNIL has expressed this concern on numerous occasions.

Furthermore, the absence of a level that includes “immunity” criteria poses problems from a legal, economic, technological and industrial point of view:

• It will not stimulate the European cloud offering, which is the technical means for meeting the development and deployment needs of artificial intelligence systems. Nor does it offer the means to facilitate access to public procurement for European suppliers, where the current dominant players have benefited fully in their home countries (in particular via the FedRAMP program in the United States).
   
• It does not allow public and private players to rely on EUCS certification to outsource their most sensitive projects to the cloud, in the same way as the French government's ‘Cloud au centre’ (‘cloud at the center’) policy for public administrations. This calls on public authorities to ensure that ‘particularly sensitive’ data hosted in the cloud is not subject to non-European laws that could lead to disclosure orders.

For all these reasons, the CNIL is calling for the inclusion, on an optional basis, of “immunity” criteria to non-European laws, which could be inspired by those of the SecNumCloud qualification already in place in France, in the EUCS European certification scheme in order to ensure the highest protection of the most sensitive personal data processing for European industrial players.