“The military programming law risks colliding with the doctrine of the ‘cloud of trust'”

La military programming law (LPM), currently under discussion in Parliament, includes a cybersecurity component. Her article 35 [page 38]more specifically, grants the National Information Systems Security Authority (Anssi) increased surveillance powers.

These would include the possibility of placing in telecommunications networks, at hosting providers and in data centers, “technical markers” (i.e. probes) and “data collection devices”. As it stands, the definition of ” data “ by the bill does not provide more details, which leads to believe that personal data would be included.

There is no need to emphasize here how much the very principle of the LPM, which consists in taking note of the return of the threats that the war in Ukraine dramatically illustrates and to give itself the capacity to act in a multi-annual perspective, is relevant.

On the other hand, the provisions envisaged raise two important series of questions, if they are placed in a European perspective.

A blow to user confidence

First, the adoption of these measures risks impacting the development of what France has called the “trust cloud” doctrine. Faced with European delays in the development of the cloud, the French authorities, in full compliance with the European approach to the Internet placed under the seal of “values” and illustrated in particular by the General Data Protection Regulation (GDPR) [en anglais General Data Protection Regulation, GDPR]pleaded and convinced their European partners to adopt a largely qualitative approach to the cloud.

At the heart of this approach, a simple idea: the European cloud will be all the more attractive if it can take advantage of the world’s highest bidder in terms of respect for privacy, an essential subject that does not only concern Europeans.

There is therefore a great risk of undermining this approach. The American example is there to attest to this. Revelations about data collection devices by US internal and external security authorities have not failed to deal a blow to user confidence. It is indeed this type of risk that we would be exposing ourselves to here. But the effect would undoubtedly be greater. Indeed, it would hit European players whose commercial position is much less established than that of their American competitors.

You have 44.71% of this article left to read. The following is for subscribers only.