Article 34 bis of the French Data Protection Act was introduced by Ordinance No. 2011-1012 of 24 August 2011 on electronic communications. Its implementing provisions are set out in Decree No. 2005-1309 of 20 October 2005 (Article 91-1 et seq.), as amended by Decree No. 2012-436 of 30 March 2012.
The French Data Protection Authority (the ‘CNIL’) has issued guidelines entitled “Notification of Personal Data Breaches” which clarify how Article 34 bis of Law No. 78-17 of 6 January 1978 applies in practice. The guidelines (in French) are available at the following address: http://www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/la-notification-des-violations-de-donnees-a-caractere-personnel/
The notification requirement applies only to providers of electronic communications services that have declared themselves to the French Authority for Regulation of Electronic Communications and Posts (operators within the meaning of Article L. 33-1 of the Code of Post and Electronic Communications). This includes mobile phone operators and internet service providers.
Only breaches involving personal data must be notified. Examples include an intrusion into an Internet Service Provider’s customer database containing customers’ email addresses or billing information, or an intrusion into a mobile operator’s online store to obtain customers’ credit card numbers. Less obvious cases are also covered, such as an ISP intending to send an email containing confidential information to one customer but sending it to the wrong person.
Unlike other EU countries such as the UK, there is no notification requirement for general data breaches under this law.
Definition of ‘data breach’
A personal data breach can be defined as the accidental or unlawful destruction, loss, alteration or disclosure of, or unauthorised access to, personal data of a subscriber or individual. Such a breach could result, for example, in identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Breaches involving personal data must be notified to the CNIL, whatever the seriousness of the breach. Unlike other EU countries, there is no distinction between a “serious” breach and a “minor” breach.
Who should be notified
- E-communications service providers must notify personal data breaches to the CNIL.
- The company only has to notify consumers/data subjects if the breach is likely to affect their personal data or privacy. If the company does not want to notify consumers, it must demonstrate that effective measures had been put in place to render the data unusable (for example, encryption), and it must inform the CNIL of those security measures. The CNIL then determines whether the measures are sufficiently effective. If they are, there is no need to notify consumers; if the CNIL decides that the measures are not adequate, the company must notify its consumers. Note that if the CNIL has not replied within two months, the measures are deemed to have been insufficient, and the company must notify its consumers.
Time period for notifying
The CNIL guidelines state that the company must notify the authority systematically and immediately, i.e. as soon as the breach is discovered; no grace period is provided for.
Type and content of a notice
- The company must notify the breach to the CNIL by registered letter, describing the nature and the consequences of the breach, as well as the measures already taken or proposed to remedy the situation. The letter must also identify contacts for further information and, if possible, provide an estimate of the number of people affected. Companies arguing that the security measures adopted are sufficiently effective to dispense with notifying the individuals must provide the following additional information: details of the existing security measures and an explanation of their effectiveness, details of any relevant CNIL notifications/authorisations (if any), and whether the people affected have been informed and, if not, why not.
- The company can use any verifiable method for notifying its consumers. It must inform the data subjects of the nature of the breach, provide contact details for further information, and recommend measures to reduce the negative consequences of the breach.
Data breach registry
Companies are also required to maintain a register (inventory) of their personal data breaches, recording each breach, its effects and the remedial measures taken. This document can be requested by the CNIL at any time.
Penalties for non-compliance
Failure to notify is a criminal offence punishable by up to five years’ imprisonment and a fine of €300,000. Furthermore, any breach of the 1978 Data Protection Act can lead to administrative sanctions imposed by the CNIL, with penalties of up to €300,000. There is also a significant risk of adverse publicity.