This entry was drafted by Winston Maxwell and Lionel de Souza.
On August 26th, France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.
Data Security Breaches. All providers of public electronic communications services are required to inform the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), immediately of any data security breach. A data security breach is defined as “any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services.” The Ordonnance does not contain any materiality threshold. Consequently, each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, recording the details of each breach, its effects and the remedial measures taken. The journal must be made available to the CNIL on request.
Notification to data subjects: if the data breach “can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party.” However, this notification requirement can be waived if the CNIL finds that “appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach.” The Ordonnance contains no materiality threshold here either. Yet it also states that the CNIL can, “after examining the seriousness of the breach, order the provider also to inform the interested party.” This provision suggests that there may in fact be a “seriousness” threshold after all for notifications to data subjects, but that the decision would rest with the CNIL and will certainly depend on the responsiveness and containment measures demonstrated by the service provider.
Sanctions: The criminal sanction for failing to notify data breaches is up to five years in prison and a fine of three hundred thousand euros (€300,000). This is in line with other criminal sanctions for failure to comply with French data protection legislation. With regard to the fine, it should be noted that the maximum for companies is multiplied by five, bringing the maximum fine to one and a half million euros (€1,500,000).
Security Audits. The Ordonnance empowers the French government to order security audits of any operator’s networks, systems and services. The operator must bear the cost of the audit and must give the government-approved auditors access to all relevant equipment and to the operator’s “documents relating to its security policy.” A future decree will provide details on these requirements. One takeaway from this new provision, however, is that operators should conduct preventive data and network security audits of their own and make sure their security policies are up to date and actually applied.
As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.