CNIL calls for changes in the use of US collaborative tools by French universities
Following the Schrems II ruling, the CNIL was asked by the Conférence des présidents d'université and the Conférence des grandes écoles to comment on the use of "collaborative suites for education" proposed by US companies, particularly regarding international transfers of personal data. Given the risk of illegal access to data, the CNIL calls for changes in the use of these tools and will support organisations in identifying possible alternatives.
The Conférence des grandes écoles (CGE) and the Conférence des présidents d'université (CPU) have consulted the CNIL on the compliance with GDPR of some collaborative tools edited by US-based companies. This request comes in the wake of the invalidation of the Privacy Shield by the Court of Justice of the European Union (CJEU), in the context of the digital transformation of higher education, and more broadly of all public and private organisations, and where cloud computing technologies are often rolled out. Such technologies raise issues relating international data flows, data access by authorities in third countries, but European digital sovereignty. In addition, on 17 May 2021, the government announced a national strategy for the cloud, in order address the major challenges of this technology, with the aim of better protecting the data processed in these services while reaffirming our sovereignty.
The consequences of the invalidation of the Privacy Shield
On 16 July 2020, the CJEU ruled that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.
While the CNIL and its counterparts are still analysing all the consequences of this decision, French and European public and private organisations must already comply with these new rules by favouring solutions that comply with the GDPR, particularly when they use cloud computing solutions.
In particular, this ruling had consequences in France on the implementation of the Health Data Hub, which is currently hosted in a US infrastructure (Microsoft Azure). Indeed, the Council of State has recognised a risk of transferring health data to the United States, due to Microsoft's submission to US law, and has requested additional guarantees accordingly. Sharing this concern, the CNIL asked and obtained new guarantees from the Ministry of Health, and in particular that the technical solution would be changed within a specified timeframe. The Health Data Hub will thus be hosted in a way that mitigates this risk within 12 to 18 months and, in any event, no more than two years after November 2020.
CNIL's position on US tools for higher education and research
The documents transmitted by the CPU and the CGE exhibit, in some cases, transfers of personal data to the United States in the context of the use of "collaborative suites for education". For universities that use these tools, the data processed potentially concerns a large number of users (students, researchers, teachers, administrative staff), and these tools may lead to the processing of a considerable quantity of data, some of which may be sensitive (e.g. health data in some cases, research data or data relating to minors).
The CNIL supports the development of solutions that protect personal data in the sphere of higher education and research:
- It is necessary to put in place additional measures or to ensure that the transfer is based on one of the Article 49 derogations. However:
- The European Data Protection Board (EDPB) has still not identified any additional measures that would ensure an adequate level of protection when a transfer is made to a cloud computing service provider or to other subcontractors who, as part of their services, need to access the data in clear text or who have access to the encryption keys, and who are subject to US laws,
- Derogatory transfers cannot become the rule and must remain the exception. These derogations are subject to specific conditions, of strict interpretation, detailed in Article 49 of the GDPR;
- Regardless of any transfers, US laws apply to data stored by US companies outside the US. There is therefore a risk of access by US authorities to data stored in the EU. Such access, if not based on an international agreement, would constitute an unauthorised disclosure under EU law, in violation of Article 48 of the GDPR.
In this context, regardless of other characteristics of the processing that may also require measures to ensure compliance, the CNIL considers that the risk of unlawful access to this data by the US authorities must be mitigated.
Support in identifying alternative solutions
Given the challenges resulting from such an analysis, particularly in the context of the sanitary crisis, the need for these institutions to ensure the continuity of their missions justifies a transition period.
In the meantime, the CNIL will provide all necessary assistance to these organisations to help them identify possible alternatives. It will support them in their compliance efforts, as described for in the CNIL's support charter for professionals (in French) and with the support of the sector's "network heads".
As the digital transition intensifies, the issues of data protection and European sovereignty have become more essential than ever to the sustainable development of the digital economy. The CNIL will continue to work to ensure that the right to privacy is respected, while ensuring that data protection fosters innovation and remains a hallmark of public and private sector action.