Article 34 prime of the 1978 French Act on personal data protection implements the obligation to notify personal data breaches laid down by Directive 2002/58/EC (the "Telecom package"). Decree 2012-436 of 30 March 2012 specifies the implementing measures.

In a note dated 28 May 2012, the French data protection authority (CNIL) explains how this new obligation is to be understood and applied.

The service providers subject to this obligation are the providers of electronic communications services to the public, which must be declared to the French telecommunications and postal regulator ARCEP (article L33-1, paragraph 1, of the French Postal and Electronic Communications Code).

A breach of personal data has to be notified when personal data is destroyed, lost, altered, disclosed or accessed without authorisation. Such a breach can be either accidental or unlawful.

The CNIL gives a few examples of what would constitute a breach of personal data:
- intrusion into the customer database of an Internet service or access provider (ISP),
- intrusion into the online shop of a mobile operator, resulting in the disclosure of the credit card numbers of clients who ordered a new phone as part of their subscription,
- a confidential e-mail sent to the client of an ISP and forwarded to other persons by mistake.

The following incidents would not constitute a breach under article 34 prime of the 1978 Act:
- an incident that does not concern the personal data processed by the ISP, such as a virus attacking the PCs of the ISP's clients in order to collect personal data,
- an incident that does not concern the provision of electronic communications services, such as a breach of the ISP's human resources data.

In the event of a breach of personal data, the CNIL has to be notified systematically and forthwith. The notification has to describe (1) the nature and consequences of the breach, (2) the measures taken to remedy the breach, (3) the persons who can be contacted to obtain additional information, and (4), where possible, an estimate of the number of people likely to be affected by the breach.

Whenever the breach is likely to compromise the security of a subscriber's personal data or the subscriber's privacy, the ISP also has to notify the affected party. Such notification is not required, however, if the CNIL considers that the service provider has implemented appropriate protection measures ensuring that the personal data is unintelligible to unauthorised individuals.

In the event of a breach, the service provider will have to draw up and keep an inventory recording, in particular: what happened, the consequences of what happened, and the measures implemented to remedy the breach.

Read the CNIL's note.