In their rush to vote down burdensome amendments on a bill regulating consulting companies, Renaissance MPs also voted down amendments that support its own cloud security strategy – casting doubt as to its consistency in pushing the scheme forward.
In the wake of 2021’s ‘McKinseygate’ controversy, which spotlighted the extensive use of private consultancy firms under French President Emmanuel Macron’s mandate, French lawmakers in June 2022 tabled a bill to regulate the sector’s involvement in public policymaking and protect sensitive public data.
Macron’s government has since been trying to dilute the bill – yet it might have gone against its own interests during Thursday’s vote (1 January).
“This is a missed opportunity which reveals inconsistency. [These votes] concern me regarding the implementation of the government’s policy ‘cloud to the centre’,” Anne Le Hénanff (Horizons, Renew), who tabled the amendments, told Euractiv.
Protect sensitive public data
The bill regulates how private consulting companies and public administrations, including the state, can interact – encompassing IT consulting services.
Since 2021, the government has been working on its ‘cloud to the centre’ policy, which obliges public administrations to store all their sensitive data on sovereign clouds. French sovereign clouds are defined as per the SecNumCloud certification, delivered by cybersecurity agency ANSSI.
Considering that sensitive public data transferred to IT consulting companies performing services on behalf of public administrations should be stored with the same level of security, Le Hénanff tabled several amendments “to fill in the gaps”.
She suggested compelling public administrations to check what sensitive data they would handle to the private sector before engaging in a binding contract and to force consulting companies to detail technical specifications of the cloud they use internally.
Additionally, Le Hénanff suggested aligning cloud security requirements of sensitive data handling between consulting companies and public administration.
Renaissance MPs unanimously voted against these three amendments, leading to their rejection.
These votes were an about-turn from their previous position, as Renaissance (Renew Europe) MPs have been steadfastly supporting the government digital bill aiming to “secure and regulate” the digital sphere at the end of 2023, including many provisions on cloud sovereignty.
Renaissance is moreover part of the ruling majority with Horizons at the National Assembly, and both parties are part of the same EU party Renew Europe.
No further administrative burden
The government considers this consulting bill as an attempt by the opposition, led by communist MPs and Senators to curtail its freedom of action.
Marie Lebec, delegated minister in charge of relations with the parliament, defended the government’s position at the National Assembly, saying that creating extra burdens on “civil servants’s workload in order to discourage them to use external services cannot be a satisfactory solution”.
Following this reasoning, Lebec gave unfavourable opinions on a large number of amendments, including Le Hénanff cloud amendments.
Renaissance MPs followed Lebec’s position and rejected them by a public vote.
According to the Economy Ministry, which prepared the government position, Le Hénanff amendments would have forced consulting companies to apply the same requirements as those designed for cloud service providers, concluding that this was irrelevant and burdensome.
A spokesperson of the Economy Ministry specifically told Euractiv that it did not wish to “compel consulting companies digital services and infrastructure choices based on criteria of the administration”.
Additional cloud security requirements
Two other amendments were also voted down after receiving negative opinions from Lebec.
Socialist MP Cécile Untermaier suggested empowering data privacy authority CNIL to check if consulting companies enforced the obligation to delete public administration authority data a month after they concluded their IT services.
According to the Economy Ministry the CNIL already has competency.
Additionally, far-right National Rally MPs Aurélien Lopez-Liguori and Timothée Houssin tabled amendments to force consulting companies to store all administrations data on SecNumCloud-certified clouds.
The Economy Ministry justified this decision recalling that SecNumCloud certification has been designed to guarantee a high level of security for sensitive data. It therefore considered these amendments disproportionate.
EU cloud security negotiations
These votes come at a time when the French position during negotiations on an EU cloud security certification scheme is losing momentum.
The Netherlands have indeed been leading the charge against what they consider to be a protectionist move towards its national cloud industry.
Next steps
MP and member of the CNIL Philippe Latombe (MoDem, Renew Europe) commented on the situation on X, saying that he would be wary of any similar development on the French bill to secure and regulate the digital space, saying he would pay particular attention to health data.
[Edited by Nathalie Weatherald]