France: ANSSI updates certification framework for cloud service providers to account for Schrems II requirements, endorsed by CNIL
The National Cybersecurity Agency for France ('ANSSI') annnounced, on 9 March 2022, that it had published version 3.2 of its certification framework for cloud service providers ('SecNumCloud'). In particular, ANSSI highlighted that the framework serves to promote, enrich, and improve the offer of trusted service providers intended for public and private entities wishing to outsource the hosting of their data, applications, or information systems. Notably, ANSSI outlined that the updated requirements aim to ensure that cloud service providers and the data they process cannot be subject to non-European laws. In this regard, ANSSI stated that the framework is compliant with European requirements relating to personal data protecton and the consequences of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').
Moreover, the French data protection authority ('CNIL') backed up this claim, stating that although the Schrems II Case calls for a case-by-case analysis which can be complex, the framework provides an answer which is compliant by design with the Court of Justice of the European Union's ('CJEU') requirements for data protection in the cloud. As such, CNIL outlined that it recommends the use of the framework for data controllers who want to guarantee a high level of protection of personal data.