theregister.com - Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin
Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers.
The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.
Talking on June 18 before a Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, along with Pierre Lagarde, technical director of the public sector, were quizzed by local politicians.
Asked about any technical or legal mechanisms that could prevent this access under the Cloud Act, Carniaux said it had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded."
"We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded."
He said that Microsoft asks the US administration to redirect it to the client.
"When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined."
Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."
The Irish Data Privacy Commission announced that TikTok is facing a new European Union privacy investigation into user data sent to China.
TikTok is facing a fresh European Union privacy investigation into user data sent to China, regulators said Thursday.
The Data Protection Commission opened the inquiry as a follow-up to a previous investigation that ended earlier this year with a 530 million euro ($620 million) fine after it found the video sharing app put users at risk of spying by allowing remote access to their data from China.
The Irish national watchdog serves as TikTok’s lead data privacy regulator in the 27-nation EU because the company’s European headquarters is based in Dublin.
During an earlier investigation, TikTok initially told the regulator it didn’t store European user data in China, and that data was only accessed remotely by staff in China. However, it later backtracked and said that some data had in fact been stored on Chinese servers. The watchdog responded at the time by saying it would consider further regulatory action.
“As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok,” the watchdog said.
“The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers,” the regulator said, referring to the European Union’s strict privacy rules, known as the General Data Protection Regulation.
TikTok, which is owned by China’s ByteDance, has been under scrutiny in Europe over how it handles personal user information amid concerns from Western officials that it poses a security risk.
TikTok noted that it was the one that notified the Data Protection Commission, after it embarked on a data localization project called Project Clover that involved building three data centers in Europe to ease security concerns.
“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover,” the company said in a statement. “We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security.”
Under GDPR, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. Only 15 countries or territories are deemed to have the same data privacy standard as the EU, but China is not one of them.
In a general context where many institutions are being targeted by cyberattacks, Sorbonne Université has been the victim of a cyberattack. Its information system is experiencing severe disruption following the detection of a security incident that damaged various digital tools without, however, preventing continuity of service. To deal with this situation, corrective measures have been put in place to strengthen security arrangements.
The latest results of the investigations carried out by Sorbonne Université's teams, working with cybersecurity experts, have revealed the compromise of several categories of sensitive data. This data includes professional email addresses, bank details, social security numbers and information relating to staff remuneration.
In accordance with the General Data Protection Regulation (GDPR), Sorbonne Université immediately filed a notification with the Commission nationale de l’informatique et des libertés (CNIL) and the Agence nationale de la sécurité des systèmes d'information (ANSSI), and filed a complaint on behalf of the institution.
Sorbonne Université's teams are working tirelessly to manage this cyberattack and restore all services as quickly as possible under the best possible conditions. As a result, all digital services essential to the work of university staff are operating during business hours.
A dedicated toll-free number will be made available to staff at the beginning of next week, along with a list of frequently asked questions, to answer their queries.
Google Analytics is a feature that website operators, such as online retail sites, can integrate to measure how many visitors their site receives. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the data associated with it are transferred by Google to the United States.