In a recent response to a question from a Member of Parliament, the French Minister of Education clarified that French schools should not use Microsoft 365 and Google Workspace.
The reasons behind the Ministry's position are twofold. First, the Ministry is concerned about the confidentiality and lawfulness of data transfers. Second, reliance on European providers is coherent with the government's "cloud at the center" policy. Let's unpack all of this.
Note: Some of the links below are in French, as the news didn't get much international media coverage.
The privacy issues
The privacy concerns raised by the use of Google Workspace are nothing new. As we explained here, personal data of foreign citizens can be subject to invasive State surveillance when transferred to the US. These privacy concerns led the EU Court of Justice to invalidate two frameworks for EU-US data transfers in the landmark Schrems I and II decisions. It is worth noting that the Minister explicitly mentioned Schrems II in his response.
The Schrems II ruling has far-reaching implications for European companies. In principle, data can still be transferred to the US without a data transfer framework. However, the CJEU clarified that European companies must ensure the confidentiality of data transfers by implementing adequate safeguards against State surveillance. In practical terms, this is hard to do and entirely impossible for certain cloud-based services (we wrote about this here).
In the aftermath of Schrems II, four European DPAs (the Austrian DSB, the French CNIL, the Italian GPDP, and, more recently, the Finnish Data Protection Ombudsman) ruled against the use of Google Analytics. The tool requires data transfers between Google Ireland Ltd. and Google LLC. In line with the Schrems II ruling, the DPAs found these data transfers to be unlawful because they lacked effective safeguards against US surveillance. DPAs coordinated their approach to data transfer complaints at a European level, so other DPAs are likely to follow suit. But the problem is more extensive than Google Analytics: other US services may come under fire next.
(Update: in fact, Meta Ireland was fined a record €1.2 billion over illegal data transfers, was ordered to suspend US data transfers for Facebook, and is currently facing the risk of an EU-wide Facebook blackout. We discussed this important case here: https://www.simpleanalytics.com/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us)
The CNIL is one of the DPAs that ruled against Google Analytics. By taking a strong stance on the use of Microsoft 365 and Google Workspace, the French government embraced the CNIL's position on data transfers. But this is not just about privacy.
Since last year, the French government has been pushing the "cloud at the center" doctrine: a long-term plan for developing digital infrastructure in the pursuit of digital sovereignty.
Last year, a circular from the Inter-departmental Directorate of Digital Affairs (DINUM) urged public administration to ditch Microsoft 365 and use the on-premise Office suite instead. Privacy concerns played a role, but the government also aims to limit France's reliance on US providers in the long run. The Ministry's position on Microsoft 365 and Google Workspace falls squarely within this digital strategy.
It should be noted that Microsoft 365 does not require any data transfers outside the EU, as Microsoft processes all European data in European data centers. In the view of the Directorate, this is not enough to keep the data confidential. In fact, the Directorate urged administrations to only rely on certified, EU-based cloud providers that are guaranteed to be immune from the application of non-EU law (such as the US' controversial Cloud Act).
France is not alone in pushing toward digital sovereignty: the EU digital strategy acknowledges digital sovereignty as a key goal. And to lessen reliance on US-based service providers, the European Commission started Gaia-X. This project brings together software and physical infrastructure providers to create a secure data-sharing environment under interoperable technical standards. Gaia-X aims to foster the growth of the digital economy across the Union, facilitate the sharing of data, and further the goal of digital sovereignty.
The potential implications of a data sovereignty policy should not be overlooked. Providing companies with competitive EU-based alternatives to US providers can help keep more data within the Union, where data protection rights can be enforced more easily. And lessening the dependency on US-based services would allow the EU better leverage when negotiating international data transfer frameworks.
The EU Digital Strategy and Gaia-X are a step in the right direction, but the Union still has a long way to go. At the present moment, some US providers are practically irreplaceable.
Fortunately, Google Analytics is replaceable. Unlike Google, Simple Analytics believes in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to check us out.