Digital Safes in France: Better Safe Than Sorry!
As the world is more and more going paperless, we have a growing need to protect our electronic documents. In the wake of the WannaCry cyberattack that recently hit computers around the worldand as everybody is preparing for the application of the General Data Protection Regulation (“GDPR”) that will bolster EU citizens’ data protection on 25 May 2018, digital safes — also known as digital vaults — may be a good way to ensure that your electronic treasures are safe and sound. In France, the Digital Republic Act recently clarified the rules on digital safes, following recommendations from the CNIL.
We are familiar with the physical safe, for example the one we have at the bank or that we hide at home behind a painting or in our cellar. Today, you can also have a safe in the digital world to protect your electronic treasures. This digital safe service, offered by many providers for some time, is now regulated by French law. The digital safe can also be associated with different types of trust services, such as electronic signature (1), thus contributing to the efficiency of public and private electronic services as well as to economic activity and e-commerce.
As the world is more and more going paperless, we have a growing need to protect our electronic documents, for various reasons, whether to preserve their legal value (bank statements, invoices, contracts, etc.), keep scanned copies of key documents (identity card, passport, driving license, diplomas, loan agreement, social security certificate, etc.) or simply retain or exchange items having an economic or sentimental value (e.g., photos, video, mp3.). On the one hand, services offering the online storage and exchange of your items are very practical, especially if you are not at home or abroad or if you have lost the original and you want to share them with your family or business partners. On the other hand, they may be risky (2): your data may be hacked or stolen, the service may be unavailable, the files may be altered....
In November 2013, the French data protection authority, the CNIL, anticipated the difficulties that individuals and consumers might encounter when transferring multiple documents, most of which are scanned, to “private” spaces in the cloud. That is why it made a distinction between ‘storage space’ and ‘digital safe’ (3) and recommended that digital safe meets a series of security requirements:
“A digital storage space is a service intended to keep paperless documents on an computer medium” whereas “a digital safe, or electronic safe, must be reserved for a specific form of electronic storage, whose access is restricted solely to its user and to natural persons specifically designated by the latter”. It must ensure the integrity, availability and confidentiality of the data stored and implement the security measures outlined in the CNIL recommendation.
Building on the CNIL’s position, Article 87 of the Digital Republic Act recently brought the digital safe into French law through Article 137 of the Posts and Electronic to Code.
The definition of an electronic safe can be deduced from new Article 137 , which lists legally features it must meet:
a probative value with guarantees of integrity, accuracy, traceability, availability and identification of the user;
a guarantee of an exclusive access for the user and the designated third parties: the user can decide who can access his or her stored files;
a right to retrieve documents and data in an open standard easily reusable and exploitable.
The safe may also provide for the provision of trusted services (4) within the meaning of the eIDAS European regulation such as electronic signature, electronic seal, electronic time stamp, electronic registered delivery or electronic document management.
The primary purpose of the text is to enhance user confidence in this type of cloud service. In this respect, the Digital Republic Act provides for two new elements serving as the basis of the status of electronic safe providers:
a sanction, intended for ensure consumer protection: where the digital safe service provider does not comply with the legal requirements, it is liable to the penalties provided for in Articles L. 132-2 and L. 132-3 of the French Consumer Code, namely a €15,000 fine;
an optional certification: the specifications on the basis of which the certification can be obtained will be drawn up by ANSSI (French Network and Information Security Agency) (5) after consultation with the CNIL and a Council of State decree taken after advice from the CNIL; they will specify the terms for the implementation and certification of digital safe services.
In this context, many new uses for the digital safe can be anticipated: electronic payrolls, electronic employee records, various e-government documents exchanged between citizens and public authorities, transmission of pre-contractual and contractual information on a durable medium, to name a few.
(1) Digital Republic Act 2016-1321 of 7-10-2016 Article 87: “The digital safe service may also offer trust services within the meaning of Regulation (EU) No 910/2014 (...)”.
(2) According to Acsel’s Barometer on the French confidence in digital technology, only 37% of the people surveyed said they trusted digital technology (http://www.acsel.asso.fr/presentati...)
(3) Cnil, Deliberation 2013-270 of 19-9-2013 containign recommendations on « digital safe » services known for individuals https://www.legifrance.gouv.fr/affi...
(4) “‘trust service’ means an electronic service normally provided for remuneration which consists of: (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or (b) the creation, verification and validation of certificates for website authentication; or (c) the preservation of electronic signatures, seals or certificates related to those services”, eiDas Reg., Art. 3(16). » Reg. eIDas 910/2014, art. 3(16).
(5) Agence nationale de sécurité des systèmes d’information, www.ssi.gouv.fr/