This post was written by Daniel Kadar.
On 28 May, the French CNIL released new practical guidance on data breaches. A new Article 34 bis has been added to the French Data Protection Act as part of the implementation of the EU Telecom Package, obliging Electronic Communications Providers (ECPs) to notify the CNIL “without delay” of any personal data breach.
ECPs are all telecommunications operators registered with the French telecommunications authority (ARCEP); the obligation therefore also covers international and foreign Electronic Communications Providers operating in France.
1. The CNIL has set out illustrative situations in which such notification is required, including:
- Intrusion into the ECP’s customer database
- Security breach in an ECP’s online shop giving access to customers’ credit card numbers
- Disclosure of a confidential customer email to unrelated third parties
- Loss of hard-copy contractual documents by an agent of a telecom provider in a retail outlet
The guidance also mentions situations in which such notification is not required:
- Intrusion into the ECP’s own HR database
- Any breach involving activities unrelated to the provision of electronic communications services to the public
2. The guidance outlines the procedure to be followed in the event of a data breach: the notification to the CNIL has to provide full information on the nature and consequences of the breach; detail the measures that have been implemented and/or are planned in response to it; identify the persons in charge internally of resolving the issue who can be contacted; and estimate the number of data subjects affected.
3. Another key issue is informing the public and/or customers. The guidance indicates that the CNIL has two months to react to the ECP’s notification and to advise whether affected customers should be informed.
If the breach is large-scale and regarded as serious by the CNIL, the CNIL may require affected customers to be informed immediately.
If immediate information is not required by the CNIL, informing customers may still be required once the CNIL has reviewed the ECP’s notification. The ECP is exempted from informing customers only if the CNIL considers the measures taken to resolve the breach to be sufficient. Nonetheless, in the absence of a response from the CNIL within the two-month timeframe, customers must be informed.
4. This new addition to the French Data Protection Act has a broad reach: it applies to all ECPs operating in France and could be considered enforceable as soon as a single customer located in France is affected by the breach.
This could force ECPs to notify the French regulator proactively in every case, in addition to other regulators. The CNIL has reiterated that failure to notify a data breach is punishable by fines of up to €300,000 and up to five years’ imprisonment, whilst non-compliance with the French regulation itself can be sanctioned by fines of up to €300,000.