Posts and Electronic Communications Code (CPCE) (telecom operators)
Under the existing EU ‘telecom package,’ services relating to digital ‘content’ provided online (eg, online platforms, search engines, site hosting, portal management, publication of online content, etc) are distinguished from telecommunication services, which concern the ‘container’. Telecommunication operators are governed by their own provisions which, historically, have been more burdensome than those applicable to cloud and other digital services providers, for instance, as regards internet neutrality (governed by EU Regulation No. 2015/2120 dated 25 November 2015), personal data protection, confidentiality of correspondence, neutrality in respect of message content or access to emergency numbers. Yet, in practice, the boundaries between services are not so obvious. For instance, the main digital services providers set up cache servers in the operators’ networks in order to bring their content closer to end customers. Accordingly, about 50 per cent of the incoming traffic to internet access providers originates from the four main content providers: Google, Netflix, Akamai and Facebook (Regulatory Authority for Telecommunications (ARCEP), 2019 Report). It was not until recently that the European Court of Justice itself had to determine whether Skype should be considered as a telecommunication service and fall within the telecommunication regulatory regime (ECJ, No. C142-18, Skype Communications Sarl v IBPT, 5 June 2019).
The forthcoming EU Electronic Communications Code (due to be transposed by the member states by 21 December 2020) attempts to restore fairer competition conditions. It will cover the existing telecommunications services but also ‘interpersonal communications services’, regardless of whether users connect through publicly assigned numbering resources or otherwise. Voice over IP and messaging SaaS services such as Skype, WhatsApp, WeChat or Facebook Messenger should, therefore, fall within the scope of the regulated services.
On another note, the CPCE defines and regulates a service category which combines both telecom and cloud computing aspects, the ‘electronic safe’. The purpose of this service is the receipt, storage, removal and transmission of data and electronic documents under conditions that preserve their integrity and the accuracy of their origin (article L.103). The providers of these services must set up the security measures necessary to meet these conditions and to ensure the traceability of the operations made on the data and documents. They must set up a technical file to provide proof of their adherence to the legal requirements.
Defence Code (Fundamental Operators)
Since the Military Programming Law No. 2013-1168 dated 18 September 2013, the Defence Code subjects a specific category of players whose infrastructures and systems are strategic for the country, designated as Fundamental Operators (OIV), to specific rules concerning the security of their information systems (article L1332-6-1 et seq). Each OIV is obliged to provide a map of its information system, ensure that it is homologated and establish a security policy for its system. The OIVs must inform the Prime Minister of the incidents affecting the functioning or security of their information systems. They must enable the ANSSI to carry out audits and must set up any security measures requested by the latter. Such obligations require the service agreements to be adapted, including those that they may enter into with digital service providers for cloud computing.
General Tax Code (clients)
All companies are obliged to retain the documents on which the French tax authorities have a right of communication, enquiry and control. The documents in question must be kept for at least six years (Tax Procedure Code, article L102 B). In this context, the use of a cloud computing service to store invoices must meet the various conditions concerning the terms of conservation of the documents and the countries of location of the storage servers (Tax Procedure Code, article L102 C). The invoices issued or received by a company must remain accessible from its principal establishment or registered office in France, regardless of the country of storage. The French tax authorities must be informed of the location of storage of the invoices.
Furthermore, when an accounting department works with automated systems (including SaaS), the tax authorities’ right of control applies to all the information, data and software processing that are used to establish the results and statements for the tax authorities, as well as the documentation relating to the analysis, programming and the performance of IT processing (Tax Procedure Code, articles L13, IV and L47 A, II).
For such a purpose, the tax authority may set up its own IT processing on the company’s equipment. Furthermore, since 2014, all companies must communicate their online accounting to the tax authorities according to the required standards (Fichier des Ecritures Comptables). Finally, the tax authority may, after court authorisation, launch a search and seizure procedure, including the seizure of data hosted on IT servers. The location abroad of the servers concerned does not constitute an excuse (Paris Court of Appeal, order dated 31 August 2012).
Other examples may be found in a variety of texts, including the second version of the European Payment Services Directive (PSD2), which entered into force in January 2018 and makes strong authentication mandatory for payments over €30.
Furthermore, cloud computing transactions are indirectly governed by sector-specific legislation or regulations, as discussed in question 13, as well as by data protection and privacy legislation applicable to any kind of personal data processing, as discussed in question 15.
More generally, all regulations governing business-to-business (B2B) relations apply to transactions between cloud computing service providers and businesses. For instance, the French Law No. 2016-1691 on transparency, fight against corruption and modernisation of the economy of 9 December 2016 (Sapin II Law) requires large businesses to take measures to prevent and detect acts of corruption and subornation. Cloud computing records will be key to demonstrating compliance.