Cloud Computing Regulation: Between France and the EU, Get Your (Data) Acts Together!

Members of the French Parliament are currently working on a bill entitled projet de loi visant à sécuriser et à réguler l’espace numérique (bill aiming to secure and regulate the digital space), hereinafter referred to as the “SREN bill”.

The legislative procedure was initiated by the government in May 2023. The SREN bill was adopted with modifications by the Senate on 5 July 2023 and by the National Assembly, with modifications, on 17 October 2023.

Among various provisions regarding online scams, cyber harassment, misinformation and access bans to pornographic websites for minors, the SREN bill also introduces measures related to cloud computing that may be of interest to businesses.

Pursuant to the impact assessment study (IAS) conducted by the French government regarding the SREN bill, “French companies make little use of cloud computing compared with European companies as a whole: in 2021, the percentage of companies using cloud computing services will be 41% in the European Union as a whole, compared with only 29% in France” (IAS, p. 103).

According to the French government, “the cloud sector remains a market dominated by a small number of operators who maintain practices likely to prevent competition” (IAS, p. 7), namely Amazon (AWS), Microsoft (Azure) and Google (Google Cloud Platform) (IAS, p. 103).

Through the SREN bill, the French government seeks to enhance the independence of national companies vis-à-vis these US “hyperscalers” and to promote the attractiveness of France’s cloud offering.

As remedies, the SREN bill intends to:

Cloud credits are quite common on the cloud computing market and consist in offering free services (free trials, supports programmes, etc) for a certain period of time (one year in most cases), by means of credits (of up to EUR100,000–150,000, for example).

Article 7 of the SREN bill provides that cloud computing service providers can only grant a cloud credit for a limited period of time and that the granting of a cloud computing credit may not be associated with any exclusivity condition whatsoever. A decree would specify the terms and conditions for this new regime and in particular the different types of cloud credits covered and the maximum period of validity for each type, which may not exceed one year.

As it stands, the SREN bill provides for an administrative fine of up to EUR1 million for a legal entity in the event of non-compliance (and up to EUR2 million in the case of a repeat offence within two years).

Another common practice addressed by the SREN bill is the charging of fees to transfer data to another cloud provider, including in case of multi-cloud situations.

According to the IAS, switching costs “currently amount to 125% of annual subscription costs and 60% of cloud computing customers face cost overruns” and lead to technological dependency.

In order to tackle this issue, Article 7bis of the SREN bill prohibits charging for data transfers and/or switching fees in connection with a change of provider that exceed the costs borne by the provider and directly linked to this change, including where the customer simultaneously uses more than one service provider. Data transfer fees would be charged in accordance with a maximum amount set by order of the Ministry of digital affairs.

It should be noted that this regime should not apply to tailor-made cloud services, nor to non-production/testing cloud services.

Lastly, the SREN bill provides for interoperability and portability obligations (Article 8).

In this regard, the IAS mentions that the lack of a programming interface to enable interoperability is the most important technical cause of companies’ proprietary lock-in to cloud computing services, particularly with regard to platform-as-a-service (PaaS) and software-as-a-service (SaaS) solutions.

As to the implementation of such obligations, the French electronic communications regulatory authority (ARCEP) is due to specify the applicable rules and procedures and issue specifications for interoperability and portability (Article 9). Also, such regime should not apply to tailor-made cloud services nor to non-production/testing cloud services (Article 9).

Regarding the current legislative process, a parliamentary joint committee has been convened for 18 October 2023 to reach agreement on a final version of the bill, most likely in first half of 2024.

But as digital regulation is a hot topic at an EU level as well as at the national one, the timetable  for passing the bill that was initially contemplated could be seriously affected.

It should be stressed that the above-mentioned provisions of the SREN bill have been notified to the European Commission in accordance with Directive 2000/31 and Directive 2015/1535.

Such SREN bill provisions shall have to be compatible with the upcoming Data Act, adopted by the European Council on 27 November 2023. Indeed, the Data Act that will become applicable in 2026 contains similar provisions, for instance with regard to gradual withdrawal of transfer/switching fees (Articles 23 to 31) and interoperability/portability (Articles 34 and 35).

But the provisions also diverge in that the Data Act did not address the credit cloud topic (even though the French government pushed in this direction).

The French government clearly admits its intention to anticipate the Data Act and tends to avoid overlapping in providing in the SREN bill extinction provisions respectively triggered on 15 February 2026 (interoperability/portability) and 15 February 2027 (prohibition of transfer/switching fees) in order for the European provisions to overwrite the French ones.

Despite these precautions, and also because it adds provisions that are not provided in the Data Act, the French government obviously seems to be willing to impose its calendar and position on the European Commission. The question remains therefore as to whether the afore-mentioned French provisions will be the subject of a detailed opinion from the European Commission, which has already criticised, on 25 October 2023, other provisions of the SREN bill with regard to their compatibility with the Digital Services Act.

The fate of the SREN bill will certainly be decided in Brussels (or even Luxembourg – see the EUCJ Google Ireland decision, 9 November 2023, C-376/22) rather than in Paris. By wanting to anticipate too much, the French government risks instead ending up with overcomplicating the applicable laws for businesses.

Indeed, looking ahead, we can already speculate about the consequences of the application of the upcoming SREN law on the future interpretation and application of the Data Act in France, and vice versa.

Qui trop embrasse mal étreint? Or, put more simply, who grabs too much, may lose all?