Notification of data security breaches - France

06 February 2007

Nathalie Lambert


The Data Protection Directive is implemented in France by Law n° 2004-801 of 6 August 2004, which amended Law n° 78-17 of 6 January 1978 (“the DP Act”).

Under Article 34 of the DP Act, data controllers must take all appropriate precautions to preserve the security of personal data. In particular, precautions should be taken to prevent the data being damaged or altered, or accessed by unauthorised third parties. The data controller must also have regard to the nature of the data and the risks of the processing. Article 34 further provides that decrees issued on the advice of the French Data Protection Authority (the CNIL) may lay down specific technical requirements for certain types of processing, depending on the nature of the data. For example, particular standards apply to processing necessary for the protection of human life where it is impossible to obtain consent, and to processing necessary for medical purposes and the administration of care.

The E-Communication Directive is implemented in France by the Law for Confidence in the Digital Economy dated 21 June 2004 (the “CDE regulations”) and Decree n° 2005-862 dated 26 July 2005 relating to the conditions for establishing and operating networks and providing electronic communications services, which addresses data security issues. The provisions of the CDE regulations and the Decree are incorporated in the French Postal and Electronic Communications Code (“CPCE”).

What is the technological standard for electronic communications networks in France?

Article D 98-5 of the French CPCE states that operators must take the measures necessary to protect the security of communications on their networks. In this respect, operators must comply with any technical requirements relating to security that the French electronic communications regulator (ARCEP) may prescribe. ARCEP may also require operators to provide it with details of the measures they have implemented to ensure the security of the network.

Pursuant to this Article, operators must also take appropriate measures to ensure the protection, the integrity and the confidentiality of personal data they process.

Who must disclose security risks in France?

The obligation to disclose applies to operators, which are defined as either providers of a public communications network (such as voice telephony telecom operators) or as public electronic communications service providers (such as ISPs).

What must they disclose and when?

Article D 98-5 of the French CPCE states that where “there is a particular risk of breach of the security of the public communications network”, operators must inform subscribers of the following:
  • the risk;

  • any appropriate measures that the subscriber may take to protect itself against that risk; and

  • the likely costs involved in the taking of such measures.

To whom must they disclose the information?

The French CPCE states that the risk of breach must be disclosed to “the subscribers” without specifying whether this means only those subscribers concerned or all users of the service. At present, operators have no obligation to disclose a breach to the French Data Protection Authority or to the French electronic communications regulator.

France’s response to the Commission’s proposal

On 17 October 2006 the French authorities submitted their response to the Commission’s proposal.

The French authorities have welcomed the Commission's comments regarding the increasing vulnerability of users in respect of communications systems and networks, and the shortcomings of the solutions proposed up until now by the market.

The French authorities approve of the clarification, and to a lesser extent the harmonisation, of technical and organisational protective measures. However, they believe that the proposal that the Commission or the national regulatory authorities define all these measures themselves is very dangerous. France believes that it is appropriate that a common baseline standard is adopted at a European level, and implemented under the supervision of Member States. However, it considers that it is essential for appropriate national authorities to be able to decide additional measures, particularly on the basis of the level of risk. Likewise, France believes that liability in the event of an infringement of security obligations should remain a national law issue.

The French authorities agree with the principle of notifying any significant breach or breakdown to the administrative authorities within a deadline that allows an appropriate and effective response. Particularly in respect of loss of personal data, France’s view is that this obligation should apply to telecommunications operators as well as ISPs. However, it believes that this point should be determined by Member States according to the structure of their national organisation, and therefore that the national regulatory authority should not necessarily be the body informed, or the body taking the decision.

Likely impact of the Commission’s proposal in France

The change proposed by the Commission, placing an obligation on operators to inform customers and national regulatory authorities of breaches of security, goes further than current French legislation. Although French law requires subscribers to be informed of risks to security, it does not require them to be informed of actual breaches, and there is no obligation to inform the relevant national authorities. A positive obligation to disclose breaches to both subscribers and national authorities would therefore significantly change the approach and culture of ISPs and network operators regarding security.