Monday, 11 June 2012

The Obligation to Notify the Breach of Personal Data

Article 34 prime of the 1978 French Act on personal data protection implements the obligation to notify breaches of personal data provided for by Directive 2002/58/EC (the "Telecom pack"). Decree 2012-436 of 30 March 2012 specifies the implementing measures.

In a note dated 28 May 2012, the French data protection authority CNIL explains how this new obligation is to be understood and applied (CNIL's note).

The service providers concerned by this obligation are the providers of electronic communication services to the public, which have to be declared to the French Telecommunications and Post Regulator ARCEP (article L33-1 paragraph 1 of the French Postal and Electronic Communications Code).

A breach of personal data has to be notified when personal data is destroyed, lost, altered, disclosed or accessed without authorisation. Such a breach can be either accidental or unlawful.

The CNIL gives a few examples of what would constitute a breach of personal data:
- intrusion into the customer database of an Internet service or access provider (ISP),
- intrusion into the online shop of a mobile operator, resulting in the disclosure of the credit card numbers of clients who ordered a new phone as part of their subscription,
- a confidential e-mail sent to the client of an ISP, and forwarded to other persons by mistake.

The following incidents would not constitute a breach under article 34 prime of the 1978 Act:
- an incident that does not concern the personal data processed by the ISP, such as a virus attacking the PCs of the ISP's clients in order to collect personal data,
- a breach that does not concern the provision of electronic communication services, such as a breach of the ISP's human resources data.

In the event of a breach of personal data, the CNIL has to be notified systematically and without delay. The notification has to include (1) a description of the nature and consequences of the breach, (2) the measures that have been taken in order to remedy the breach, (3) the persons who can be contacted in order to obtain additional information, and (4), if possible, an estimate of the number of people likely to be concerned by the breach.

Whenever the violation is likely to breach personal data security or the privacy of a subscriber, the ISP also has to notify the party affected. Such notification will however not be necessary if the CNIL considers that the service provider has implemented appropriate protection measures to ensure that the personal data is undecipherable by unauthorised individuals.

In case of violation, the service provider will have to draw up and keep an inventory that will contain, in particular: what has happened, the consequences of what has happened, and the measures implemented in order to remedy the breaches.

Read the CNIL's note.