Sovereign hosting for VIO - P. Latombe [10 May 2023]
10th May 2023
Today, it is all too common for French organizations, including those designated as “operators of vital importance”, to use non-European services to host their data, including sensitive data.
However, some non-European cloud providers are currently subject to extraterritorial legislation and may be required by the foreign authorities on which they depend, without informing their clients, to transmit data that is potentially strategic for the Nation and the defense of its fundamental rights and interests.
Although the French National Agency for Information Systems Security (ANSSI) currently issues qualifications to identify organizations that meet the highest security standards and are immune to extra-EU law, this simple qualification, which is not binding, does not constitute real protection.
Aware of the importance of these issues for our country, I have just tabled and voted with several co-signatories, in the context of the review of the military programming law (LPM), an amendment proposing a new article aimed at putting an end to this situation, which poses a significant risk of capture of national data by foreign powers and is detrimental to the country’s fundamental interests.
By virtue of the protection of national security, this article aims to oblige operators of vital importance to identify their “sensitive” data, i.e. data processing carried out under their authority, the capture of which by a foreign power, a foreign organization or under foreign control would be potentially detrimental to the fundamental interests of the nation.
It ensures that these data are not entrusted to non-European companies or companies controlled by non-EU member states. These are companies whose share capital and voting rights are, directly or indirectly, more than 24% owned individually and more than 39% collectively, by third-party entities that have their registered office, central administration or principal place of business in a non-EU member state.
This is not the first time that I have tried, with the help of some of my colleagues who are aware of these issues, to take advantage of one of the vectors proposed by the legislative agenda to bring our legislative corpus into line with the imperative of our digital sovereignty. The latest attempt to do so was in the law relating to the 2024 Olympic and Paralympic Games. The transparent amendment subjecting video surveillance operators to the SecNumCloud standard, which was initially voted through, was rewritten and emptied of its substance and effectiveness following lobbying by influence firms commissioned by GAFAM.
As the saying goes, once bitten, twice shy! I will therefore be vigilant as the LPM progresses… and this amendment with it. But this battle for digital sovereignty cannot be played out only in the National Assembly or the Senate. It is up to the national ecosystem to stand up and show its support and its demands, so that the influence of foreign players, of a few large CAC 40 groups or of ESNs does not scuttle legislative initiatives that are heading in the right direction.
I am well aware that it is necessary to give stakeholders a little time to comply with such a requirement, but it is essential that it be supported by the law. Otherwise, we are going to see another game of dupes and broken promises, of which the Health Data Hub is a textbook case.
I would remind you that the argument of any hindrance to the globalization of trade does not hold up any more with our allies across the Atlantic, who are the first to put up barriers to protect themselves, than with States that are by nature extremely concerned about their national prerogatives. If there is one argument that sweeps aside all others, it is that of our national sovereignty, a non-negotiable objective that alone conditions the policies to be implemented.
Member of Parliament for Vendée
Law Committee