The use of Micro­soft 365 in France

The Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties are known to be cri­ti­cal of the use of Micro­soft 365. Howe­ver, not least becau­se of the full har­mo­ni­sa­ti­on of the GDPR, the voices of other data pro­tec­tion super­vi­so­ry aut­ho­ri­ties are also rele­vant in data pro­tec­tion assess­ments. In this respect, it is par­ti­cu­lar­ly inte­res­t­ing to look across the bor­der at France.

French govern­ment reli­es on its own cloud solutions

In a cir­cu­lar dated 15 Sep­tem­ber 2021, the inter-ministerial direc­tor for the digi­ti­sa­ti­on of the sta­te urged French aut­ho­ri­ties to stop rely­ing on Micro­soft 365 for digi­ti­sa­ti­on of minis­tries becau­se of pos­si­ble access by US intel­li­gence agen­ci­es. The use of Micro­soft 365 was alle­gedly not com­pa­ti­ble with the French “cloud doc­tri­ne”. Unvei­led in May 2021, the doc­tri­ne aims to migra­te French admi­nis­tra­ti­ve ope­ra­ti­ons to the cloud, though not to Micro­soft. Ins­tead, solu­ti­ons deve­lo­ped by the French sta­te or cer­ti­fied with the “SecNum­Cloud” label by the French cyber­se­cu­ri­ty aut­ho­ri­ty are to be used.

Fol­lo­wing a par­lia­men­ta­ry ques­ti­on, the French Minis­ter of Edu­ca­ti­on also recent­ly com­men­ted on Micro­soft 365 at edu­ca­tio­nal insti­tu­ti­ons. The par­lia­men­ta­ry ques­ti­on from an MP was actual­ly aimed at the issue of whe­ther ver­si­ons of the respec­ti­ve cloud pro­ducts pro­vi­ded free of char­ge by Micro­soft (but also Goog­le) for edu­ca­tio­nal insti­tu­ti­ons might not con­sti­tu­te a dis­tor­ti­on of com­pe­ti­ti­on. Ins­tead of ela­bo­ra­ting on this issue, the respon­si­ble minis­ter sta­ted that the edu­ca­tio­nal insti­tu­ti­ons are being asked not to use the respec­ti­ve solutions.

No expli­cit deter­mi­na­ti­on by the CNIL

Howe­ver, both of the afo­re­men­tio­ned cases mere­ly reflect the poli­ti­cal view of the French govern­ment and, with the minis­tries and edu­ca­tio­nal insti­tu­ti­ons, also refer to indi­vi­du­al­ly deli­mi­t­ed are­as. The respon­si­ble French data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (CNIL), has not yet issued a gene­ral state­ment on the use or data pro­tec­tion com­pli­ance of Micro­soft 365. Howe­ver, in an infor­ma­ti­ve let­ter dated 27 May 2021, in respon­se to the ECJ’s “Schrems II” Ruling, the CNIL recom­men­ded that uni­ver­si­ties use pro­ducts from Euro­pean ven­dors. At the same time, howe­ver, the CNIL stres­sed that a tran­si­ti­on peri­od was jus­ti­fied due to the chal­lenges posed by the pan­de­mic and to main­tain edu­ca­tio­nal and rese­arch projects.

Sum­ma­ry

The CNIL has not yet taken an expli­cit posi­ti­on against the use of Micro­soft 365 in France and has not made a final data pro­tec­tion assess­ment. It is striking that all comm­ents, some of which date back seve­ral years, refer signi­fi­cant­ly to the repea­led ade­quacy decis­i­on on the EU-US Pri­va­cy Shield. In the mean­ti­me, howe­ver, Micro­soft has made num­e­rous chan­ges to its order pro­ces­sing agree­ment and has begun imple­men­ting the EU Data Boun­da­ry. In addi­ti­on, a new Exe­cu­ti­ve Order from the US Pre­si­dent has ente­red into force and an ade­quacy decis­i­on from the EU Com­mis­si­on on the Trans-Atlantic Data Pri­va­cy Frame­work can be expec­ted soon. Con­se­quent­ly, the basis of the assess­ment at that time has chan­ged dra­ma­ti­cal­ly and a reas­sess­ment is requi­red. Accor­ding to our infor­ma­ti­on, the CNIL is likely to take a new posi­ti­on on this issue in the fore­seeable future.