Extract from the CNIL website:
On May 27, the CNIL called for changes in the use of US collaborative tools for higher education and research.
Following the Schrems II judgment, the CNIL was approached by the Conference of University Presidents and the Conference of Leading Schools on the use of “collaborative suites for education” proposed by American companies, more particularly with regard to the issue of international transfers of personal data. Given the risk of illegal access to data, the CNIL calls for changes in the use of these tools and will support the organizations concerned to identify possible alternatives.
THE CNIL'S POSITION ON US TOOLS FOR HIGHER EDUCATION AND RESEARCH
The documents transmitted by the CPU and the CGE show, in some cases, transfers of personal data to the United States as part of the use of "collaborative suites for education". In institutions that use these tools, the processed data potentially concerns a large number of users (students, researchers, teachers, administrative staff), and these tools can lead to the processing of a considerable amount of data, some of which is sensitive (for example: health data in certain cases) or have particular characteristics (research data or data relating to minors).
The CNIL is particularly keen to support the development of solutions that respect the protection of personal data in the sphere of higher education and research. CNIL considers that :
- it is necessary to take some additional measures or to justify the transfer of data with regard to the exemptions authorized by article 49 of the GDPR, following the invalidation of the adequacy decision which made it possible to regulate these transfers. Be careful though :
- So far the European Data Protection Committee (EDPS) has not identified any additional measures that could ensure an adequate level of protection when a transfer is made to a cloud-based service provider or to '' other subcontractors who, as part of their services, need to access unencrypted data or have encryption keys, and that are subject to US law,
- exceptional transfers cannot become the rule and must remain the exception. These exemptions are subject to special conditions, of strict interpretation, detailed in Article 49 of the GDPR;
- regardless of the existence of transfers, US laws apply to data stored by US companies outside that territory. There is therefore a risk of access by the US authorities to the stored data. This access, if not based on an international agreement, would constitute a disclosure unauthorized by EU law, in violation of Article 48 of the GDPR.
In this context, regardless of other characteristics of this processing which could also require compliance, the CNIL considers that it is necessary to eliminate the risk of illegal access by the US authorities to this data.