France’s data protection authority, CNIL, is urging the country’s universities and colleges to amend how they use US-supplied collaborative tools, particularly in international transfers of personal data.
Students, researchers, lecturers and administrative staff use those tools to process a considerable quantity of data, some of which may be sensitive, such as health data or information relating to minors.
CNIL’s suggestion follows last year’s ruling by the Court of Justice of the European Union in the Schrems II case, which invalidated Privacy Shield, an arrangement allowing personal data to be transferred between the EU and US.
“Given the risk of illegal access to data, the CNIL calls for changes in the use of these tools and will support organisations in identifying possible alternatives,” the DPA said.
A problem area is the use of cloud computing technologies in higher education, CNIL noted.
“Such technologies raise issues relating to international data flows, data access by authorities in third countries, and European digital sovereignty,” it added.
But CNIL also commented: “The European Data Protection Board (EDPB) has still not identified any additional measures that would ensure an adequate level of protection when a transfer is made to a cloud computing service provider or to other subcontractors who, as part of their services, need to access the data in clear text or who have access to the encryption keys, and who are subject to US laws.”
The DPA also comments: “Regardless of any transfers, US laws apply to data stored by US companies outside the US. There is therefore a risk of access by US authorities to data stored in the EU. Such access, if not based on an international agreement, would constitute an unauthorised disclosure under EU law.”
CNIL also noted that the Schrems II ruling has had consequences for the implementation of France’s health data hub. As the hub is currently hosted on US infrastructure (Microsoft Azure), France’s council of state has recognised there is a risk in transferring health data to the US because Microsoft is subject to US law.
The council and CNIL therefore requested additional guarantees. The hub will be hosted in a way that mitigates this risk within 18 months.
The French government last month announced a national strategy for the cloud to address the major challenges the technology brings and better protect data processed by those services while reaffirming French sovereignty.