FRANCE

This content was last reviewed around January 2022.

Cloud Neutral

1. Are financial institutions legally permitted to use cloud services?
Yes, provided that the entity meets all applicable legal requirements for the use of those services.

 

2. Are there any rules which apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes. In France, the banking supervisor, the Autorité de Contrôle Prudentiel et de Résolution ("ACPR"), supervises compliance with the outsourcing rules that apply to credit institutions, payment services providers and investment services providers. Those rules are found in the Order of 3 November 2014 on internal control (Articles 231 to 240). They do not apply to French branches of foreign institutions, which must comply with the rules of their home state regulator; where the home state is an EU member state, however, the European Banking Authority ("EBA") guidelines on outsourcing arrangements dated 25 February 2019 still apply (see below).

Further outsourcing rules apply to managers of alternative investment funds (Articles 318-58 to 318-61) and of UCITS (Articles 321-93 to 321-96) under the General Regulation of the French financial markets supervisor, the Autorité des Marchés Financiers ("AMF").

Outsourcing rules for insurers are found in Articles L. 354-3 and R. 354-7 of the Insurance Code, complemented by Article 274 of Commission Delegated Regulation (EU) 2015/35 (Solvency II) and ACPR Instruction No. 2019-I-06 of 15 March 2019.

Reference should also be made generally to the EBA guidelines on outsourcing arrangements, applicable from 30 September 2019 to credit institutions, payment services providers (payment institutions and e-money institutions) and investment firms subject to the EU Capital Requirements Directive.

With the exception of the EBA guidelines, these rules are binding. In practice the EBA guidelines are also treated as binding, since the ACPR has notified the EBA that it intends to comply with them.

Critical and important functions

Although the outsourcing rules are scattered across different texts and vary with the nature of the obliged entity and the competent regulator, they share one feature: a distinction is drawn between the outsourcing of critical or important functions and other outsourcing. Outsourcing a critical or important function attracts stricter requirements than outsourcing a non-important or non-essential one. The definition of a critical or important function varies with the applicable text, but in summary it covers any function that is the essence of the regulated service being delivered and any function whose cessation would have a serious impact on the business.

Any service that covers critical or important functions can only be outsourced to an entity that is authorized to carry on such services according to its national law.

Obliged entities that outsource critical or important functions remain liable toward the regulator. It is not acceptable for outsourcing to transform an obliged entity into a letterbox. In particular, obliged entities must ensure the following:

  • Outsourcing does not entail any delegation of responsibility of the directors
  • Outsourcing does not change the relationship between the obliged entity and its customers or the obligations of the entity toward the customers
  • Outsourcing should not alter the conditions of the license of the obliged entity
  • The obliged entity must be able to control and manage the risks related to the outsourced activity

Any outsourced function must be covered by internal control measures (permanent, periodic, etc.) of the obliged entity. The obliged entity must take into account the measures put in place by the cloud service provider, which must be chosen with care. The obliged entity must ensure that confidential information is treated as such by the cloud service provider.

The obliged entity must put in place an outsourcing policy. It must ensure that the cloud service provider is able to fulfill its duties and comply with all relevant laws and regulations. The obliged entity must be prepared to act in cases where the cloud service provider is not able to fulfill its duties any longer so that any interruption does not have an adverse effect on services to clients. The obliged entity must ensure that contingency planning is in place. 

The cloud service provider may not unilaterally change the service. It must comply with the obliged entity's procedures and must enable the obliged entity to access information. The cloud service provider must inform the obliged entity of any relevant information, particularly information that might affect its ability to continue providing the services. It must further provide the supervisory authority or any foreign competent supervisory authority with access to information and documents and accept on-site inspections.

The EBA guidelines specifically address IT and cloud outsourcing (page 37 onwards). They require that the cloud service provider be able to protect appropriately the confidentiality, integrity and availability of data. Sub-outsourcing is also addressed: the conditions under which the provider may subcontract must be set out clearly, and for critical or important functions the provider must notify the obliged entity in advance of any intended sub-outsourcing or material change to it, so that the obliged entity can object or terminate. Finally, the obliged entity must be able to terminate the agreement if adverse matters are identified in a risk assessment.

More generally, the EBA guidelines require that an outsourcing entity do the following:

  • Put sound governance arrangements in place.
  • Appropriately manage third-party risk.
  • Put in place an outsourcing policy.
  • Manage conflicts of interest related to outsourcing.
  • Put in place a business continuity plan.
  • Ensure that the internal audit function covers the outsourcing arrangements.
  • Ensure the outsourcing arrangements are documented.

 

3. Are there any specific contractual requirements for cloud outsourcing?

Outsourcing must be covered by a written agreement setting out the duties of the parties. The EBA guidelines on outsourcing arrangements dated 25 February 2019 list the matters that should be covered (the rights and obligations of the parties should be clearly allocated and set out). An outsourcing agreement for critical or important functions should, for example, set out the following:
  • A clear description of the outsourced function to be provided
  • The start date and, where applicable, end date of the agreement, and the notice periods for the cloud service provider and the institution or payment institution
  • The governing law of the agreement
  • The parties' financial obligations
  • The locations where the critical or important function will be provided and/or where relevant data will be kept and processed
  • Where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data

 

4. When does cloud outsourcing fall within the scope of the rules?

Using cloud services to store data (personal and nonpersonal) will be deemed outsourcing and will therefore be captured by French and European provisions on outsourcing.

 

5. Does the outsourcing need to be notified to the regulator?

In the case of outsourcing critical or important insurance functions (except for branches of foreign institutions), the Autorité de Contrôle Prudentiel et de Résolution ("ACPR") must be informed beforehand. An ACPR "instruction" details the procedure to be followed.

The obliged entity must do the following:

  • Describe the scope of the outsourced activities or functions.
  • Explain the reasons that led to the outsourcing.
  • Indicate the name of the cloud service provider and, where the outsourcing involves a key function, the name of the person responsible for the delivery of the service.

Further, the obliged entity must do the following:

  • Demonstrate that outsourcing is not likely to seriously compromise the quality of the governance system, unduly increase operational risk or adversely affect the continued provision of a satisfactory level of service to policyholders.
  • Specify the provisions in the outsourcing agreement that ensure the cloud service provider cooperates with the ACPR and provides the ACPR with the necessary access.

The ACPR must be informed six weeks before the outsourcing arrangement enters into force.

The same applies for payment services providers and e-money institutions that intend to outsource operational functions of payment services or of issuing and managing electronic money. They must inform the ACPR before outsourcing such functions.

 

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

Enforcement action is regularly brought over failures in outsourcing situations.

The Autorité des Marchés Financiers ("AMF") has sanctioned investment companies, among others, in cases where outsourcing arrangements were at stake. Most of the time the outsourcing compliance failure is not the only wrongdoing; in the same decisions the AMF has typically also found the internal control measures to be inadequate.

In recent years, the AMF has imposed fines ranging from EUR 200,000 to EUR 300,000 on financial institutions. Separately, the French data protection authority (the CNIL) now also brings its own proceedings.

 

7. Are there any data privacy and/or data security laws that would apply?

Yes. Data protection in France is governed by the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 ("GDPR") and French Law No. 78-17 of 6 January 1978 (the Loi Informatique et Libertés), as amended.

With regard to cloud outsourcing, the data controller must conclude a data processing agreement with the cloud service provider (as data processor) meeting Article 28(3) of the GDPR. The contract must stipulate, in particular, that the processor will do the following:

  1. Process the personal data only on the documented instructions of the controller, including with regard to any transfer of personal data to a third country or an international organization, unless required to do so by EU or member state law (in which case the processor must inform the controller of that requirement before processing).
  2. Ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Take all technical and organizational measures required under Article 32 of the GDPR to ensure a level of security appropriate to the risk presented by the processing.
  4. Respect the conditions in Article 28(2) and (4) of the GDPR for engaging another processor (i.e., the controller's prior authorization and the flow-down of the same data protection obligations to the sub-processor).
  5. Taking into account the nature of the processing, assist the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests by data subjects to exercise their rights under Articles 12 to 23 of the GDPR.
  6. Assist the controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the processor.
  7. At the controller's choice, delete or return all personal data to the controller at the end of the provision of services relating to the processing, and delete existing copies unless EU or member state law requires storage of the personal data.
  8. Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

 

8. Are there any restrictions under local data protection laws which would impact the overseas hosting of data?

Yes. Where the data contains personal data, any transfer to a country outside the European Economic Area that the European Commission has not deemed to provide an adequate level of protection requires the data exporter to ensure an adequate level of protection under Chapter V (Articles 44 to 49) of the GDPR.

Jurisdictions currently covered by a European Commission adequacy decision, and therefore deemed to provide an adequate level of protection, are: Andorra, Argentina, Canada (commercial organizations), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Japan, New Zealand, the Republic of Korea, the United Kingdom and Uruguay.

Where personal data is transferred from the EU to a jurisdiction that is not deemed adequate, additional steps are required, such as entering into the EU Standard Contractual Clauses and conducting a transfer impact assessment of the laws and practices of that jurisdiction to determine whether they would undermine the effectiveness of the clauses; where they would, supplementary measures (for example, encryption with keys held only within the EU) may be needed. Other transfer tools, such as Binding Corporate Rules, are also available under the GDPR.

Besides the restrictions described above on the flow of personal data outside the EU, there are no other rules obliging an entity to localize data inside of France.

The French Treasury published a report in February 2020 advocating the localization of critical payment data in Europe. If such an initiative were to succeed, data would still flow freely within EU territory. Currently, this initiative remains only a proposal.

 

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?
No. 

 

10. Are express consents from customers or other data subjects required before moving data to the cloud?

Whether express consents are needed depends on the circumstances. The legal grounds for processing are dependent on the reason why the controller processes data.

Where a financial institution relies on consent, the consent must be specific, informed, unambiguous and freely given. Consent is a fragile legal basis because it can be withdrawn at any time, so another basis is preferable where one is available. A distinction needs to be made between the processing of existing data and the processing of new data. For existing agreements, it is arguable that merely transferring data into a cloud (the mere hosting of data) is not new processing in itself but an extension of the initial processing. Alternatively, it is arguably in the financial institution's legitimate interest to transfer data into the cloud; the data subject may object to such processing, but the right to object is not absolute.

For new contracts, a financial institution can inform its customers beforehand of the existence of the cloud outsourcing arrangement. The outsourcing arrangement would be part of the initial processing covered by the contract.

Data protection must be complied with if the data outsourced is personal.

As for bank secrecy, express customer consent is needed before sharing information with a third party unless another legal basis applies. Article L. 511-33 of the Monetary and Financial Code lists cases in which information may be shared without consent where it is necessary for the performance of a contract, including sharing with counterparties to contracts for the provision of services that entrust a third party with important operational functions. In all other cases, express consent from the customer is needed.

 

11. Are there any local laws which require a cloud service provider to be able to access the data it hosts?
There are no laws requiring a cloud service provider to have access to the data it hosts. For example, the data could be hosted in encrypted form, with the encryption keys held solely by the customer.

 

12. Are there any local laws which would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes, depending on the factual circumstances. On the one hand, a cloud service provider is bound by professional secrecy/bank secrecy with its customer. Violating this obligation is a criminal offense. On the other hand, the cloud service provider must comply with any request by the regulator to disclose data and must allow the regulator access for on-site inspections.

Moreover, depending on the circumstances, if the cloud service provider were served with a court order to disclose data and could not rely on professional secrecy, it would have to comply with its terms.

However, a cloud service provider has no obligation to be able to access the data it stores. Hence, if the stored data is encrypted and the provider holds no key to it, the provider cannot be forced to disclose what it cannot read. This only holds where the provider genuinely lacks the key: if the key is managed in a key-management service operated by the same provider, the provider can be compelled to use it.
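The position described in questions 11 and 12 (data hosted in encrypted form to which the provider has no access) is, in engineering terms, client-side envelope encryption with customer-held keys. The following Go program is an added example, not code from the original page or from any provider's SDK; the StoredObject layout, the function names and the sample record are assumptions made for illustration. It shows what the provider actually holds after an upload, that a holder of the record but not the key-encryption key cannot decrypt it, and that a record cannot be silently re-attached to a different object.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is the complete record the cloud provider holds for one
// object (assumed layout). The key-encryption key (KEK) is deliberately
// absent: it stays with the institution, so this record alone yields nothing.
type StoredObject struct {
	ObjectID   string
	WrapNonce  []byte // nonce used to wrap the DEK under the KEK
	WrappedDEK []byte // AES-GCM(KEK, DEK), authentication tag included
	DataNonce  []byte // nonce used to encrypt the payload under the DEK
	Ciphertext []byte // AES-GCM(DEK, plaintext), authentication tag included
}

// gcmSeal encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted; the object ID is passed as aad so that a
// record cannot be moved to a different object without detection.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse; it fails on a wrong key, a wrong aad or any
// modification of the ciphertext.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Upload runs on the institution's side before anything reaches the cloud:
// generate a per-object data-encryption key (DEK), encrypt the payload under
// it, wrap the DEK under the institution-held KEK, and hand the provider only
// the wrapped DEK and the ciphertext.
func Upload(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32) // AES-256 data key, used for this object only
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	dataNonce, ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{ObjectID: objectID, WrapNonce: wrapNonce, WrappedDEK: wrapped,
		DataNonce: dataNonce, Ciphertext: ct}, nil
}

// Download is the inverse, again on the institution's side: unwrap the DEK
// with the KEK, then decrypt. Anyone without the KEK (the provider, or an
// authority compelling the provider) fails at the first step.
func Download(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", obj.ObjectID, err)
	}
	return gcmOpen(dek, obj.DataNonce, obj.Ciphertext, []byte(obj.ObjectID))
}

// LeaksPlaintext reports whether any field the provider holds contains the
// plaintext verbatim, i.e. whether the record would answer a disclosure demand.
func LeaksPlaintext(obj StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	// Constructed sample: in production the KEK lives in the institution's
	// own HSM or key service, never in the provider's tenancy.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("customer 42: balance 1250.00 EUR") // constructed sample

	obj, err := Upload(kek, "acct/42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d ciphertext bytes; plaintext visible: %v\n",
		len(obj.Ciphertext), LeaksPlaintext(obj, record))
	if _, err := Download(make([]byte, 32), obj); err != nil {
		fmt.Println("provider without the KEK cannot decrypt:", err)
	}
	back, err := Download(kek, obj)
	fmt.Printf("institution with the KEK recovers: %q (err=%v)\n", back, err)
}
```

The legal argument in question 12 rests on the KEK really being outside the provider's reach: a provider-operated key-management service that wraps the DEK on the institution's behalf leaves the provider able to unwrap it on demand, so the design above keeps the KEK on the institution's side and ships only wrapped keys and ciphertext.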

Beyond these two considerations, there is no specific law obliging pure cloud service providers to disclose data, nor any law giving national authorities access to data stored in the cloud. Moreover, France has a blocking statute (Law No. 68-678 of 26 July 1968) that, subject to international treaties and mutual assistance mechanisms, forbids French entities from disclosing documents and information to foreign authorities.