Privacy & Information Security Law Blog

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  In particular, the Ordinance introduces new provisions under the French Data Protection Act, which impose an obligation on electronic communication service providers to provide notice in the event of a data security breach. 

These new provisions apply only to companies that process personal data as part of electronic communication services they provide through a public network (e.g., ISPs or telecom operators).  A data security breach is defined as any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorized access to personal data that is being processed in the context of electronic communication services that are provided to the public.

If such a security breach occurs, the electronic communication service provider must inform without delay the French Data Protection Authority (the “CNIL”).  If the breach is likely to impact subscribers’ (or any other individual’s) right to the protection of personal data or right to privacy, the service provider also must inform the potentially affected individuals without delay.  The service provider is not required to inform affected individuals if the CNIL determines that appropriate protective measures have been implemented to render the data in question inaccessible or indecipherable by unauthorized individuals.  However, in the absence of such protective measures, and after investigating the seriousness of the breach, the CNIL may send a legal notice to the service provider requesting that it inform the affected individuals.

Companies in the telecom industry also are required to maintain (and make available to the CNIL at all times) an inventory of all data security breaches they have experienced, including a description of each breach, its impact, and the measures the company implemented to remediate the situation.  Non-compliance with these provisions is punishable by up to five years of imprisonment and a €300,000 fine.