Posts and Electronic Communications Code (CPCE) (telecom operators)
French law distinguishes the activities relating to ‘content’ accessible online (eg, user platforms, search engines, site hosting, portal management, edition of online content, etc) from telecommunication services, which concern the ‘container’. For example, the telecoms operators are not classified among the ‘digital service providers’ (see question 9).
Nonetheless, in practice, the boundaries are not as clearly defined. On the one hand, the telecoms operators offer cloud computing services. On the other, the content providers are more and more seeking to bring their content closer to the end clients and set up cache servers in the operators’ networks. Accordingly, in France, about 50 per cent of the incoming traffic to telecommunication service providers originate from the four main content providers - Google, Netﬂix, Akamai, Facebook (source: Regulatory Authority for Telecommunications (ARCEP), 2018 Report). This reflects a highly condensed market.
Yet, the telecoms network operators and the telecommunication service providers are subject to obligations specific to them, but which could or should also concern cloud computing services, such as the principle of internet neutrality (governed by (EU) Regulation No. 2015/2120 dated 25 November 2015), the protection of personal data, the protection of confidentiality of correspondence and the neutrality with regard to the content of the messages communicated (CPCE, article L32-1). Also, telecoms operators are obliged to ensure the conservation of technical communication data for the needs of the prosecution of criminal offences and the fight against terrorism.
Finally, the CPCE defines and regulates a service category which combines both telecom and cloud computing aspects - the ‘electronic safe’. The purpose of this service is the receipt, storage, removal and transmission of data and electronic documents in conditions that must retain their integrity and exactitude of origin (article L.103). The providers of these services must set up the security measures necessary to meet these conditions and to ensure the traceability of the operations made on the data and documents. They must set up a technical file to provide proof of their adherence to the legal requirements.
Defence Code (‘Fundamental Operators’)
Since the law of military programming No. 2013-1168 dated 18 September 2013, the Defence Code submits a specific category of players, the infrastructures and systems of which are strategic for the country, designated as ‘Fundamental Operators’ (OIV), to specific rules concerning the security of their information systems (article L1332-6-1 et seq). Each OIV is obliged to provide a map of its information system, ensure that it is homologated and establish a security policy for its system. The OIVs must inform the Prime Minister of the incidents affecting the functioning or security of their information systems. They must enable the ANSSI to carry out audits and must set up any security measures requested by the latter. Such obligations require the service agreements to be adapted, including those that they may enter into with digital service providers for cloud computing.
General tax code (clients)
All companies are obliged to retain the documents on which the French tax authorities have a right of communication, enquiry and control. The documents in question must be kept for at least six years (Tax Procedure Code, article L102 B). In this context, the use of a cloud computing service to store invoices must meet the various conditions concerning the terms of conservation of the documents and the countries of location of the storage servers (Tax Procedure Code, article L102 C). The invoices issued or received by a company must remain accessible from its principal establishment or registered office in France, regardless of the country of storage. The French tax authorities must be informed of the location of storage of the invoices.
Furthermore, when the accounting department works with automated systems (including SaaS), the tax authorities’ right of control applies to all the information, data and software processing that are used to establish the results and statements for the tax authorities, as well as the documentation relating to the analysis, programming and the performance of IT processing (Tax Procedure Code, articles L13, IV and L47 A,II).
For such a purpose, the tax authority may set up its own IT processing on the company’s equipment. Furthermore, since 2014, all companies must communicate their online accounting to the tax authorities according to the required standards (Fichier des Ecritures Comptables). Finally, the tax authority may, after court authorisation, launch a search and seizure, including the seizure of data hosted on IT servers. The location of servers abroad does not constitute an impediment (Paris Court of Appeal, Division 5, Chapter 7, Order dated 31 August 2012).
Cloud computing transactions are indirectly governed by sector-specific legislation or regulations, as discussed in question 13, as well as by data protection and privacy legislation applicable to any kind of personal data processing, as discussed in question 15.
More generally, all regulations governing business-to-business (B2B) relations apply to transactions between cloud computing service providers and businesses. For instance, French Law No. 2016-1691 on transparency, fight against corruption and modernisation of the economy of 9 December 2016 (Sapin II Law) requires large businesses to take measures to prevent and detect acts of corruption and subornation in France.
Back to top