By akademiotoelektronik, 05/04/2022

The CNIL advises against using Teams or Zoom in higher education

The Commission Informatique et Libertés considers that the American collaborative applications Zoom and other Microsoft Teams pose problems in the hosting of personal data. And calls for the use of alternative solutions.

As we know, the covid crisis has led to an explosion of collaborative software such as Zoom or even Microsoft Teams, massive recourse to teleworking obliges.

But should these American applications that dominate this market be used in all sectors? The Conference of Grandes Ecoles (CGE) and the Conference of University Presidents (CPU) have thus questioned the CNIL on the use in higher education and research of these tools.

And for the National Commission for IT and Freedoms, the answer is quite clear: we must do without these tools in this area. Why? They pose "increasingly significant issues relating to the control of data flows at the international level, to access to data by the authorities of third countries, but also to the autonomy and digital sovereignty of the European Union" .

Cloud Act

Indeed, let us recall that the Cloud Act allows the American authorities to obtain from telecom operators and American service providers based on the cloud (such as collaborative applications) information stored on their servers whether they are located in the United States United or apart.

The Cnil explains that "the documents transmitted by the CPU and the CGE show, in certain cases, transfers of personal data to the United States in the context of the use of collaborative suites for education. In establishments that use these tools, the data processed potentially concerns a large number of users (students, researchers, teachers, administrative staff), and these tools may lead to the processing of a considerable amount of data, some of which is sensitive (for example health in certain cases) or have particular characteristics (data from research or relating to minors)".

“There is therefore a risk of access by the American authorities to the data stored. Such access, if not based on an international agreement, would constitute an unauthorized disclosure by Union law, in violation of the Article 48 of the GDPR", underlines the regulator.

Alternatives

The Commission therefore considers that it is necessary to put in place additional measures or to justify the transfer of data with regard to the derogations authorized by Article 49 of the GDPR. Problem, "the European Data Protection Committee (the European authority which oversees the Cnil of each pat, editor's note) has not, to date, identified additional measures likely to ensure an adequate level of protection when a transfer is made to a cloud computing service provider".

It is therefore "necessary that the risk of illegal access by the American authorities to this data be eliminated", underlines the Cnil. In the meantime, higher education should therefore do without these applications and use alternative solutions, according to the Commission, which promises to help these organizations identify these European or even French alternatives which do indeed exist.

Olivier Chicheportiche Journalist BFM Business