Lhe final adoption of the law on the security of digital space (SREN law), on April 10, raises a certain number of questions regarding its practical application and its relevance, particularly for data hosting. After several months of discussions on legislation linked to the concept of digital sovereignty in France, it would be appropriate to focus on a less dogmatic approach to data protection, favoring instead operational implementation and technological innovation in a space digital without physical borders.
With this text, the legislator associated the protection of sensitive data with the need to protect them from potential access by third States, in the name of “digital sovereignty”. This approach was partly confirmed by the will of the government, displayed in a list of fifteen rules set out in the circular “Cloud at the center “, published on May 31 at Official newspaper (“Update of the doctrine of use of cloud computing by the State”).
The protection of sensitive data is certainly essential. However, this objective must be implemented intelligently in order to allow the use of innovative technologies, in particular to serve the general interest (health, research, environment, national security, etc.). Also, it would be more pragmatic to look at realistic and effective technological solutions already available.
Data security through technological solutions
In Europe, the approach adopted by the BSI, the German equivalent of the French National Information Systems Security Agency (ANSSI), is well worth studying. The BSI favors tight access to data through technological quality, in particular data encryption, rather than persisting on the dogma of legal security, which is in total inconsistency with France’s desire to attract foreign investors to boost innovation.
This is how some service providers ensure that they do not have the decryption keys for the data they host, thus making their disclosure impossible. This approach combining data protection and technological solutions is much more effective and encourages user trust and responsibility.
We invite the Council of State to consider this approach in drafting implementing decrees. The concept of legal security has never prevented access to data by those involved in cybercrime or espionage, as the Pegasus episode demonstrated.
You have 20.21% of this article left to read. The rest is reserved for subscribers.