On May 28, 2012, the French data protection regulator (CNIL) released new guidance on breach notification laws. The guidance regards a 2011 ordinance that recently came into force on April 1. Among other things, the ordinance amends existing French data protection law (Law on Information Technology and Liberties (78-17 of 1978)) to reflect the EU e-Privacy Directive’s (2009/136/EC) breach notification requirement for ISPs and others.
The guidance provides that the ordinance applies to e-communication service providers, including ISPs and mobile phone operators, that are registered with the French Authority for Regulation of Electronic Communications and Posts (ARCEP). It does not yet apply to online banks, e-commerce sites or other “information society” services.
It defines a violation under the ordinance, and in doing so states that malicious intent is but one possible scenario in which a violation may occur. It also sets out a few examples of where a violation may occur: an intrusion into the customer database of an ISP, a confidential e-mail sent in error, and a mobile phone operator’s system making available to others the credit card information of subscribers who have ordered phones. However, according to the guidance, a computer virus on the personal computer of a user and not linked to the ISP would not constitute a violation. Neither would the theft of a human resources database, as it does not relate to the provision of the e-communication service to the public.
The guidance sets out a layered process for notification. First, where a violation occurs, regardless of its severity, CNIL must be notified without delay by letter setting out certain details of the breach. As for notifying individuals, the company must assess the potential damage from the breach (considering, for example, theft or identity fraud, or significant humiliation or damage to reputation) and whether it has applied the required technological protection measures, such as effective encryption, in order to determine whether to notify individuals in the first instance. Companies do not have to notify individuals where “adequate” measures have been taken. However, the guidance notes that encryption is not effective where the key is stolen or otherwise compromised.
Second, CNIL will evaluate the breach and the measures taken. If the breach is serious, CNIL can order a company to notify users and will do so within a month. However, CNIL has two months to evaluate the corrective measures taken by a company. If CNIL does not respond, the company must immediately notify its subscribers regarding the breach. The guidance sets out the details that must be included in the notification to subscribers: the nature of the breach, contact details for obtaining additional information regarding the breach, and recommended measures to reduce the negative consequences of the breach. CNIL leaves the method of notifying individuals to the company, so long as it can be verified.
Non-compliance with the ordinance can lead to fines of €300,000 and up to five years’ imprisonment, as well as CNIL sanctions. In April, CNIL announced that inspections for compliance with the ordinance are planned for 2012. Enforcement of the breach notification rules may therefore follow the publication of this guidance.
One concern that has been raised regarding the ordinance is that some countries have not yet implemented the breach notification requirements from the 2009 changes to the e-Privacy Directive, and others have done so in ways that do not precisely align with the French ordinance. This will create risk and challenges for mobile phone operators and ISPs whose services run across national borders to individuals in other jurisdictions.