On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers.
The French legislature recently amended Article 34 of the Data Protection Act to reflect the EU e-Privacy Directive’s breach notification requirement. According to Article 34 of the French data protection law (as revised), the notification obligations apply if:
· Personal data is processed;
· By an electronic communications service provider;
· During the course of its business of providing electronic communications services (e.g. telephone service or internet access).
What constitutes a data breach?
A “personal data breach” means “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed in connection with the provision of a publicly available electronic communications service.”
Under this definition, only activity related to the provision of public electronic communication services on networks open to the public qualifies. Therefore, if the human resources database of an electronic communication service provider is hacked, this would not constitute a “personal data breach” triggering Article 34’s breach notification obligations.
What are the notification obligations?
In France, all data breaches that affect electronic communication service providers need to be reported, regardless of the severity. Once there is a data breach, service providers must immediately send written notification to CNIL, stating the following:
· the nature and consequences of the violation,
· the measures already implemented or proposed to remedy the breach,
· the names of the individuals who can provide additional information, and
· if possible, an estimate of the number of individuals potentially affected by the breach.
However, the individuals whose data is affected do not necessarily have to be notified of the breach. Only where there is a risk of harm to personal data or privacy must such information be disclosed to the individuals. The CNIL itself may also decide that individuals need to be informed by the electronic communications service provider. In that case, notification must occur within the period designated by the CNIL, a timeframe not exceeding one month.
To comply with its obligation to report the breach to individuals, the telecom service provider must provide notification of the breach by any means. Such notification should state the following:
· the nature of the breach,
· the names of the individuals who can provide additional information, and
· the measures recommended by the telecom service provider to mitigate the negative impact of the breach.
If the telecom service provider decides not to notify affected individuals of the breach, it needs to inform the CNIL that appropriate measures of protection have been implemented with respect to the data affected by the breach (e.g., technical measures such as encryption to prevent hackers from accessing data).
Should the telecom service provider fail to provide notification when it is necessary, it faces five years’ imprisonment and a fine of €300,000 (Article 226.17.1 of the French criminal code).
The obligation to report data breaches in France is limited to a specific industry and to specific cases. However, given the ongoing discussions relating to European Directive 95/46/EC (covering personal data), there is a strong likelihood that such an obligation could be extended to all sectors.