France’s “Sovereignty Requirements” for Cybersecurity Services Violate WTO Trade Law and Undermine Transatlantic Digital Trade and Cybersecurity Cooperation

On March 8, 2022, France enacted updated “sovereignty requirements” as part of a new cybersecurity certification and labeling program known as SecNumCloud. This post analyses how these restrictions breach both France and the European Union’s (EU) commitments under the World Trade Organization’s General Agreement on Trade in Services (GATS), especially as it relates to national treatment, most-favored-nation (MFN), and market access. It also analyzes the implications for transatlantic digital trade and cooperation, including at the Trade and Technology Council (TTC).

SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as to 600-plus firms that operate “vital” and “essential” services. The latest SecNumCloud guidance (v3.2, March 2022) retains broad data localization requirements for all data (both personal and non-personal) and foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage Europea data and digital services. A prior post for the Cross-Border Data Forum also analyzed this proposal and how it breached EU trade law commitments under the WTO Government Procurement Agreement (GPA).

SecNumCloud’s restrictions deserve greater attention as its impact on data governance and digital trade will potentially (and quickly) grow in France and the EU (never mind if other countries adopt similar sovereign cloud policies). France is leading efforts to embed SecNumCloud’s “sovereignty” requirements in the European Union Agency for Cybersecurity’s (ENISA) Cybersecurity Cloud Services scheme, which is under development. ENISA is running an opaque process without broad and open stakeholder engagement, partially because it realizes that these types of provisions are heavily criticized. ENISA hopes to finalize its draft proposal by mid-2022 and enact it in early 2023. The United States reportedly raised concerns directly with the French government, which seems unperturbed; it released the final SecNumCloud proposal largely unchanged and continues to push for the proposal’s application in ENISA. Ultimately, if U.S. cloud firms can’t operate in a significant portion of the EU digital economy and therefore can’t manage and transfer associated data for supposed cybersecurity reasons, the new Trans-Atlantic Data Privacy Framework isn’t nearly as valuable or meaningful.

GATS Trade Law: A Strong Case that SecNumCloud Breaches France’s and the EU’s Market Access, National Treatment, and Most Favored Nation Commitments on Cloud Services

France’s application of SecNumCloud to public—and private—sector players raises significant issues in light of the commitments that France and the EU undertook under the GATS, most particularly market access, national treatment, and MFN treatment. The early evidence is in: since its first introduction in 2016, only four companies—all French—have been certified under SecNumCloud. In essence, in both form and substance, this replicates China’s use of similar restrictions for foreign cloud services firms (for digital protectionism and authoritarian purposes).

France and the EU committed under the GATS to provide market access—including cross-border (or “mode 1”) access—to foreign suppliers of computer and related services (CRS) without restrictions (except for Malta and the Slovak Republic). They also committed to accord such companies “no less favorable” treatment than domestic suppliers of these services (the core WTO principle of national treatment, in terms of treating foreigners and locals and their products equally). They also committed to provide similar fair treatment to third-country suppliers (the principle of MFN, where countries cannot discriminate between trading partners). And the EU is on the record at the WTO that cloud computing is a CRS (see, e.g., page 16 of this Council for Trade in Services report), so its WTO commitments clearly cover these services.

The latest version of SecNumCloud explicitly requires suppliers of cloud computing services to store and process their customers’ data within the EU. This effectively constitutes a ban—or a “zero quota” in WTO terminology—on the cross-border supply of these services. In the U.S. gambling case at the WTO’s dispute settlement body (DS285: United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services), the WTO made it clear that a zero quota (in that case, the United States blocking of Internet gambling from Antigua) violates the GATS market access obligation (specifically, Article XVI:2(a)).

There is also a strong argument to be made based on the core WTO principles of national treatment and MFN that under SecNumCloud-like restrictions, France and the EU will treat foreign suppliers less favorably than domestic and third-country suppliers. As noted above, France and the EU have full commitments for national treatment and MFN for cloud-related services, with very limited exceptions. Essentially, the national treatment commitment is interpreted as meaning that if a regulation affects competitive conditions in the market to the detriment of foreign suppliers, there is a violation. That is plainly the case here, since EU suppliers will be allowed to provide cloud services without restriction while foreign suppliers are restricted from processing and storing customer data in their home countries.

Similarly, SecNumCloud breaches MFN obligations as it creates differences between suppliers in different WTO member countries. If France allows cloud companies from a given WTO member country to provide cross-border cloud services from their home country while preventing companies from another WTO member country from doing the same (or otherwise modifying the conditions of competition to their detriment), there is a violation. And since France is a member of the WTO in its own right, if it allows a firm from Germany or another EU member state to provide services, they are breaching their MFN commitments.

France could try to defend SecNumCloud through WTO exceptions related to the protection of privacy and the specific exception for national security.The protection of privacy exception states the measure is needed for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” But this is specious. There is ample evidence that EU member states do not ensure greater protection of privacy—e.g., in the case of government surveillance—than the EU’s leading trading partners. A central question with such a case would be whether reasonnable alternatives (to data localization, foreign ownership, and control caps) are available to address the stated public policy issue. However, even if France did try to defend itself via this or another exception, France would bear the burden of proof to defend its use of these trade law exceptions. The measure would be assessed on the basis of necessity (that this type of restriction is needed to address this listed exception) and proportionality (that it is no less trade-distorting than necessary). Even then, the exception would not apply if the measure is arbitrarily or unjustifiably discriminatory or a disguised restriction on trade.

France could also try to use the national security exception (below). Until recently, countries generally tried to avoid using this exception, as the broad language could be used to undermine all manner of trade commitments. Also, using it in a trade dispute raises the prospect that a dispute panel may well end with a judgment that ultimately constrains how countries use the exception.

WTO: GATS Article XIV bis Security Exceptions

Nothing in this Agreement shall be construed:

(a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or

(b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests

(i) relating to fissionable materials or the materials from which they are derived;

(ii) relating to the traffic in arms, ammunition, and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment;

(iii) taken in time of war or other emergency in international relations; or

(c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security.

Most recently, the Trump administration misguidedly invoked the national security exception to justify tariffs on steel and aluminum. It tried to make the case that national security was not a matter the WTO could even adjudicate (i.e., that it is nonjusticiable). However, the WTO dispute settlement body thought otherwise, stating national security is not a get-out-of-jail-free card for members to enact whatever trade restrictions they want. Similarly in 2019, a dispute between Russia and Ukraine in which Russia claimed it had taken trade-restrictive measures for the purpose of protecting its national security, resulted in a landmark judgment. A WTO dispute settlement panel stated that it can review national security cases and objectively determine whether the circumstances in one of the sub-clauses of Article XXI(b) exists and whether the measure has a plausible connection to the circumstance identified. Furthermore, it defined “emergency in international relations” in a commonsense way, meaning WTO members couldn’t simply self-define an emergency to justify national security-related trade restrictions.

The WTO Is Paralyzed: But Countries Should Highlight the Clear Potential for a Future Case

The WTO trade dispute process is paralyzed at the moment as the United States continues to hold it hostage in pushing for reforms. However, this shouldn’t stop the United States, United Kingdom, and others with a clear interest in the EU digital economy from raising the potential for such a case in their discussions with French and EU officials.

Trade lawyers from the United States and other countries have been reluctant to initiate these types of GATS cases, even though data localization and other restrictions impacting cross-border services trade continue to spread. For example, the EU’s General Data Protection Regulation (GDPR), and more recently its Digital Markets Act, indirectly and explicitly target U.S. firms and goods and services for discriminatory treatment. Something needs to change. WTO commitments either apply to modern services trade or they don’t. The reluctance of WTO members—namely, Australia, Chile, Japan, New Zealand, Singapore, the United Kingdom, the United States, and others—who otherwise expend a lot of time and energy negotiating new digital trade rules and agreements outside of the WTO (and inside it, at the Joint Statement Initiative (JSI) e-commerce negotiations) to push back and initiate cases only perpetuates the status quo of rising data and IT mercantilism.

Another Barrier to Transatlantic Digital Trade and Cooperation: Why the European Commission and Other EU Members Should Step In

After France nearly derailed the inaugural TTC meeting, France’s advocacy for new cybersecurity restrictions undermines efforts to work with the United States at the TTC, including in the working group on ICT security. The next TTC meeting is on May 15-16 in Paris. Discriminatory cybersecurity regulations that target U.S. cloud service providers would add another entry to the long and growing list of EU attacks on U.S. tech companies that will hurt the transatlantic relationship if not revised. The United States and EU need to focus on removing irritants to the bilateral trade relationship to focus on the bigger picture (namely, the challenges posed by China and Russia in international affairs).

It would also overshadow—and undermine—the new Trans-Atlantic Data Privacy Framework (which is the successor to the EU-U.S. Privacy Shield). U.S. cloud firms would be blocked from providing services to a large part of the EU digital economy, never mind being able to manage and transfer associated data overseas. But the disconnect is broader. As so often is the case with European economic and strategic policy, Europe wants it both ways in that Thierry Breton (Commissioner for the Internal Market) stated he wants to work in lockstep with the United States on a new EU-wide “Cyber Shield” to detect and respond to cyber-attacks. But just without American (or other countries’) cloud firms.

The European Commission—which would have to defend these measures in any WTO dispute—and EU member states that support an open, rules-based, and cooperative transatlantic digital trade regime should intervene and head off France’s efforts to align Europe with Chinese digital protectionism. Thankfully some EU members (namely, the “D9+” group of countries, Belgium, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, the Czech Republic and Sweden) have started raising specific concerns and issues about ENISA’s draft proposals with the Commission. A non-paper by Ireland, Sweden, and the Netherlands lays out a broad range of sensible points and recommendations, including (directly quoted) that:

• We should look at the whole framework of possible EU action, and see what measures could improve Europe’s data sovereignty. For example, it could be strengthened by enhancing control on European data by more generic legislation at the EU level such as the Data Act, rather than imposing technical security requirements in a cloud scheme under the Cybersecurity Act.
• The consequences of proposed sovereignty requirements should be studied carefully by relevant experts, including from competent authorities and relevant private sector stakeholders. An impact assessment of the requirements is needed and should include an analysis of economic effects.
• The Cloud certification scheme concerns all categories of data, including both personal and non-personal data. Personal data is explicitly regulated by the GDPR6. Non-compliance of privacy issues (Schrems II Judgement), must be governed in the context of the GDPR. It is therefore advised to discuss this with the European Data Protection Board (EDPB), instead of integrating this in the Cloud certification scheme.
• Any possible measure should strengthen the European digital single market. We should not adopt measures which will hamper the single market or the development of small-medium sized enterprises (SMEs) or startups. Fragmentation of the European market must be prevented.
• Any possible measures should not breach existing or hamper future (bilateral, plurilateral or multilateral) trade-agreements between the EU and third countries.
• In specific circumstances (e.g., in the area of national security) localization requirements can be justified. Such requirements should be supported by solid safeguards. This is in accordance with the EU Cybersecurity Act.
• The Cloud scheme must not be delayed more than it already is, in order for the implementation of the Cybersecurity Act to maintain momentum.

Where to From Here?

The European Commission, D9+ EU member states, and EU trading partners need to step up their pushback against France’s efforts to create these sovereignty requirements.

The United States (and other trading partners) should (again) directly engage France, the European Commission, and other EU member states on SecNumCloud and ENISA developments. France has reportedly pushed back, pointing to the U.S’s own similarly misguided data localization requirements for certain confidential and sensitive government data and services, including the U.S. GovCloud program and contracts under the Federal Risk and Authorization Management Program (FedRAMP, which provides a standardized approach to cloud security services for government services). However, these programs are far narrower. They are for U.S. government agencies and contractors, especially those with stringent regulatory compliance requirements, such as under the International Traffic and Arms Regulation (i.e., export controls), the U.S. Department of Defense’s Security Requirements Guide, and the Criminal Justice Information Services Security Policy and Addendum. Furthermore, foreign firms have been certified “FedRAMP High,” which allows them to manage some of the U.S. federal government’s most sensitive, unclassified data, such as those related to law enforcement and emergency services. While U.S. localization requirements are still misguided, they are far narrower as they don’t affect broader market access for commercial cloud services.

The United States and EU should also add the issue of extraterritorial access to data to the TTC agenda and to ongoing discussions at the Organization for Economic Cooperation and Development on developing principles and a framework around trusted government access to data. This issue is broader than the United States and relates to all governments. It’s separate—though obviously related—to negotiations for a new Trans-Atlantic Data Privacy Framework, but it deserves specific attention given it is being used in France and other countries to justify restrictions on data and digital services.

Failing changes to SecNumCloud and ENISA proposals, and a constructive response at the TTC, the United States (and other trading partners) should review the cybersecurity support they provide the EU and its member states. If enacted, the U.S. Department of Commerce and U.S. Trade Representative should consider countermeasures to target French and European service firms and their exports. This could start with a Section 301 investigation, which would hopefully lead to the application of the service-related provisions of Section 301 of the Trade Act of 1974. While traditionally used to enact tariffs, Section 301 also provides the U.S. government the option to apply fees and other restrictions on services, which the United States should finally bring to life unless the EU changes course.

Ultimately, it would be disappointing if France and the EU added another major barrier to mutually beneficial digital trade and digital cooperation (in this case, on cybersecurity) to the transatlantic relationship just as the two sides work at the TTC to get into lockstep on greater shared challenges, such as how to use security assessments for cloud certifications and how to improve cybersecurity for critical infrastructure.