CNIL Highlights Concerns Over EU Cloud Certification and Data Protection

The CNIL has raised significant concerns about the current state of the European Cloud Certification (EUCS) scheme, highlighting the lack of provisions to protect sensitive data from access by non-European authorities. Unlike France's SecNumCloud certification, which ensures data protection against foreign jurisdictions, the EUCS lacks similar guarantees, even at its highest certification levels.

According to the CNIL (see article here), this absence poses several risks, particularly for highly sensitive data such as health records, criminal data, and information about minors. Without these protections, there is an increased risk that data stored by cloud providers with non-European parent companies could be disclosed to foreign public authorities. The CNIL emphasises that enhanced safeguards are necessary to maintain the highest level of data protection for European citizens. The CNIL calls for the inclusion of "immunity" criteria, inspired by the SecNumCloud standards, in the EUCS certification. This move is aimed at ensuring that sensitive data processing operations are not vulnerable to non-European legal pressures. The CNIL's stance underscores the importance of robust data protection measures in supporting the digital sovereignty and security of European cloud services.

Authors: Nicolas Quoy (Partner); Antoine Boullet (Senior Associate); Anne Wecxsteen (Trainee Solicitor)