NEWSLETTER N° 28 // Friday 23 July 2021
Edito
CLOUD: THE EUROPEAN BATTLE FOR TRUST!
This month, la Lettre du DPO interviewed Henri d’Agrain (General Delegate of the Cigref, appointed by the Secretary of State for Digital Transformation to lead the European GAIA-X project) and David Chassan (Director of Strategy at Outscale, a “Trusted Cloud” provider with the “SecNumCloud” label). They provide la Lettre du DPO with their experience and practical guidance on Cloud computing, which is now a key technological and industrial link for competitiveness, but also for the economic and political influence of Europe.
 
A recent concept, driven by the digital revolution. Presented in French by the expression “informatique nuagique” (or by the contraction “infonuagique”), the term Cloud computing has appropriated a celestial feature, not without advertising motivations intended to sublimate the nature of this new form of configuration and use of IT resources. Born out of the incredible growth in IT demand at the turn of the 2000s, the Cloud, unlike other forms of IT outsourcing, is characterised by its externality (recourse to remote resources outside the user’s information system (“IS”)), its mutualisation and its flexibility. It thus enables suppliers to move data from one server to another, in order to optimise costs and to guarantee the user payment according to use, as well as an elastic sizing capacity.
 
The different types of Cloud. First of all, a distinction must be made between two types of Cloud services: the first is aimed at developers (“IaaS”, i.e. “Infrastructure as a Service”, if the services provided correspond to the lower layer of the IS, and “PaaS”, i.e. “Platform as a Service”, if the services consist of the provision of a platform facilitating the deployment and execution of applications); the second, commonly referred to as “SaaS” (i.e. “Software as a Service”), is the most widespread and consists of making a catalogue of application software available to a population of user customers. Next, a distinction must be made between two types of deployment for the Cloud: the first corresponds to an infrastructure dedicated to the needs of an organisation, which can decide either to host and manage such infrastructure using its own resources (this is known as an “internalised private” Cloud) or to entrust such hosting and management to a third party who will operate it using resources under its control (this is known as an “outsourced private” Cloud); the second corresponds to an infrastructure belonging to and remaining under the control of a supplier who offers a set of services (IaaS, PaaS, SaaS) which are not dedicated to a particular organisation but are offered to a wide spectrum of users.
 
A strategic industry. Presented as an important source of cost reduction, both direct (for hardware and software infrastructures) and indirect (by reducing exposure to risks, due to the high level of security practised by certain Cloud suppliers), and lastly as a way of increasing flexibility and improving the IT capacities of organisations, the Cloud is now being perceived by the public authorities as a supplier sector to be developed on both national and Community territory, as it generates employment. Some consider that it would be appropriate to restrict the use of the Cloud, in respect of certain data, to suppliers operating on national territory, thus making the Cloud an issue of sovereignty. Initiatives such as GAIA-X aim to re‑establish a European alternative, distinguished by strong guarantees of security and compliance, in a domain which the pandemic has shown to be highly fragile and vulnerable.
Enjoy your read! 

Matthieu Bourgeois and Laurent Badiane, partners in charge of the Intellectual Property and Digital Law Team.



Interview
« THE CLOUD IS NOT JUST ANOTHER SUBDOMAIN OF THE DIGITAL SECTOR; IT IS THE DOMAIN THAT DRIVES ALL THE OTHERS »
As a naval officer for 27 years, Henri d’Agrain has alternated operational and command positions in the maritime sector with responsibilities in the field of IT and communication channels: a career that clearly illustrates the proximity – suggested by some – between the maritime space and the digital space. Since 2017, he has held the position of General Delegate of the Cigref (formerly the Club Informatique des Grandes Entreprises Françaises, created in 1970). The Cigref is a strong advocate of a proactive strategy to revitalise the European IT industry through the emergence of a trusted Cloud. Henri d’Agrain, himself an advocate of enlightened colbertism in this area, shares the Cigref’s vision on the subject with La Lettre du DPO.
 
1/- Can you tell us about your background and how you became interested in digital technology and data?
 
Thanks to my military career, I became interested very early on in communications systems, which are essential for combat at sea. That is why, after joining the French Navy, I became head of its “information and communications systems” office – the equivalent of a company’s information systems department – where I worked a lot on the digitisation of battle space. After retiring from the Navy in 2013, I co‑founded and chaired Small Business France, a company that helps French technology and innovative companies to access public procurement and large group purchases. Then, from 2014 to 2016, I became director of the Centre des Hautes Études du Cyberespace (CHECy) (the French Centre for Advanced Cyberspace Studies), which I created in partnership with the École Européenne d’Intelligence Économique (the European School of Economic Intelligence), to offer high-level training to executives and managers from both the public and private sectors on the concepts and challenges of cyberspace.  
 
2/- What strategic approaches do you currently defend within the Cigref, and what role does it play in the GAIA-X project?
Cigref’s independence (ensured not only by the origin of its members, i.e. users of digital solutions, excluding suppliers, but also by its financial resources, i.e. membership fees, excluding any sponsorship or subsidy) enables us to work on three strategic approaches: firstly, collective intelligence (through the publication of studies and positions on subjects of common interest); secondly, influence (through the defence of common positions taken by our members, who can thus restore the balance of the relationship with suppliers of digital products/services); thirdly, exchanges (through the creation of trust and conviviality spaces), in order to establish a connection between users and the ecosystem, conducive to a better understanding and common awareness. GAIA-X is precisely the result of these exchanges, which have led to an awareness of the weakness in European industry and the need to promote the emergence of a trusted Cloud offer, characterised by strong guarantees of security, compliance and flexibility. In practice, GAIA-X will be a sort of selective catalogue of secure Cloud offers that meet standards (security, compliance, no obligation to respect certain foreign regulations, etc.). For Cloud users, this platform will be a powerful tool for making the offer clearer. The Cigref has been officially appointed by the French Secretary of State for Digital Transformation as leader of this project, without it being a member of the GAIA-X association.
 
3/- What are your convictions for the future, especially concerning the Cloud?
 
I am convinced that the Cloud is not just another subdomain of the digital sector. It is the domain that drives all the others. The health crisis has shown the extent to which Europeans are dependent on foreign players, particularly Americans, who do not always play by the same rules. And it is not the European companies using these services that will be able to make up for several decades of European industrial policy shortcomings with regard to the digital industry. It is up to Europe, and the public authorities of all its Member States, to pursue a policy that facilitates a European offer, because sovereignty is an attribute of the States and of organisations such as the European Union to which they delegate competences in this area. This sovereignty also requires a secure digital space, protected, as much as possible, from foreign legislation and able to protect users from the risks of technological dependence. In the future, the State will also have to integrate environmental constraints by regulating the use of digital technology rather than by restricting the offer (because the Cloud offer enables optimisation of data processing).
Practical Guidance
IT IS ESSENTIAL FOR THE CUSTOMER TO MAKE AN INFORMED CHOICE IN ORDER TO AVOID TECHNOLOGICAL DEPENDENCE ON THE PROVIDER
In the light of growing and increasingly sophisticated threats, the choice of hosting services provider represents a strategic issue for both public and private organisations. 3DS Outscale is a French company specialised in cloud computing that offers Infrastructure as a Service (IaaS, a type of cloud computing that provides essential computing, storage and networking resources on demand and on a pay-per-use basis). Founded in 2010 in France to address the issue of data sovereignty, with the support of Dassault Systèmes, 3DS Outscale is one of the founding members of the GAIA-X association and has an international presence. 3DS Outscale has data centres in Europe, North America and Asia. David Chassan, Director of Strategy at 3DS Outscale, agreed to share his vision of the Trusted Cloud with La Lettre du DPO.

 
Ensure that the provider is able to prove security and has been audited
 
“With regard to hosting services, there should be no exemption from providing proof of security for the software publishing companies. They must show their credentials in order to act as trusted partners of their own customers. It is therefore not possible to be exempt from providing proof of security and the acquisition of standard labels, especially when participating in public and private tenders. In such cases, security must be demonstrated at all levels, regardless of the nature of the service provided (IaaS, PaaS or SaaS). In this regard, 3DS Outscale has been certified ISO 27001 since 2014, and ISO 27017 and ISO 27018 on all its activities. 3DS Outscale also has an HDS certification for health data hosting. Lastly, 3DS Outscale, which also provides a Public Sector Cloud offer, is the first IaaS infrastructure to be qualified SecNumCloud, the security visa of the French National Agency for Information Systems Security (ANSSI). This is the highest level of commitment regarding security. Obtaining the SecNumCloud standard enables 3DS Outscale to meet the most demanding needs in terms of security, privacy and digital sovereignty of public and semi-public actors and Operators of Vital Importance (OIV). To obtain this qualification, the service provider must respect a set of rules concerning the service provider, its staff and the way it provides its services. Furthermore, a series of audits conducted by the ANSSI evaluates the protection devices and data processing.”


 
Choose interoperability 
 
“It is essential for the customer to make an informed choice in order to avoid technological dependence on the provider. It is also important to pay particular attention to reversibility costs (network costs are significant in the event of massive data collection). In this respect, 3DS Outscale uses application programming interfaces (APIs) that are compatible with market standards, in particular Amazon Web Services APIs, and the developments carried out on its infrastructures are easily adaptable to compatible and interoperable infrastructures.”
UPDATE
Tendencies
The French Trusted Cloud label and the IPCEI Cloud: the “spearheads” of digital sovereignty?
The French government has announced the creation of a new Cloud label, based on the ANSSI’s SecNumCloud, to move towards a French sovereign Cloud project. This label enables identification of servers outside the reach of American law by way of three criteria relating to nationality (server location, nationality of the companies and of their owners).

Meanwhile, the European Union has undertaken an IPCEI (Important Project of Common European Interest) with respect to the Cloud. It is funded by the Member States and the EU Recovery Plan, and is to be "synchronised with the values and European norms of GAIA-X". The construction of this common and decentralised infrastructure would allow for a "multi-provider continuum" between the Cloud and edge computing.
News Flash
The European Commission's new standard contractual clauses
The European Commission is drawing lessons from the Court of Justice's decision in the "Schrems II" case (CJEU, 16 July 2020, C-311/18). The new standard contractual clauses ("SCC") adopt a modular structure, corresponding to different transfer scenarios. In this way, they include two new transfer situations compared to their previous formulations, and now make it possible to cover transfers from EU data processors to non-EU data controllers, as well as transfers between EU data processors and non‑EU data processors. They also include multiparty clauses, enabling any new data controller or processor to become a party to these SCCs, and to avoid the need for a new contract. Furthermore, they require the exporter to take into account the legislation applicable to the importer in determining whether or not SCCs will be fully effective. Lastly, the parties agree on the technical and organisational measures set out in Annex II. These new clauses will replace the old ones from September 2021, with a three-month transition period for processors to implement them. Data exporters and importers will have a further 15 months to invoke the old clauses, after which they will all have had to update their standard contractual clauses or other transfer tool.

BRICO PRIVEE fined €500,000 by the CNIL
On 14 June 2021, the CNIL, the lead authority in this case, issued a fine of €500,000 against the company Brico Privé, publisher of the private sales website bricoprive.com dedicated to DIY, gardening and home improvement. The reasons why? First, with regard to the GDPR, the CNIL considers that by keeping the data of 16,000 customers, who have not placed an order for more than 5 years, the company Brico Privé has not respected the retention periods it had set. In addition, the company failed to implement security measures by not requiring the creation of a strong password when creating an account on its website and when using customer management software internally. The CNIL also noted that several advertising cookies were placed on users' terminals without their prior consent. In addition to the GDPR and the French Data Protection Act breaches, the CNIL also sanctioned Brico Privé, on the basis of Article L.34-5 of the French Post and Telecommunications Code, for having sent prospecting emails without the prior consent of prospects. This decision is in line with the sanction imposed on another online retailer, Spartoo, on 20 July 2020. 


 
Agenda
30 August – 3 September
Summer school OBVIA-SCAI on AI responsibility, sustainable health and climate change
The Sorbonne Center for Artificial Intelligence (SCAI) and the International Observatory on the Societal Impacts of AI and Digital Technology (OBVIA) are organising a summer school on AI responsibility, sustainable health and climate change, addressed to students and researchers. The themes include predictive and augmented medicine, inclusion, and bias reduction. The platform is open for all of August, and will be followed by discussions (30 August – 3 September) and a prospective story competition (October).

 
The Intellectual Property and Digital Law Team at klein • wenner

Fortified by in-depth experience, klein • wenner's attorneys in the IT Law and Intellectual Property team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law. We work with other experts (in cybersecurity, IS/data governance and other areas), and our team offers a global, cooperative approach to all the issues relating to data (privacy, intellectual property, cybersecurity and open data, the latter with klein • wenner's Public Law team).
La Lettre du DPO is a publication of KGA Avocats, which processes your data in accordance with the regulation regarding personal data.