French Data Protection Authority CNIL Announces New Online Notification Procedure for Reporting Data Breaches
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has released a new mandatory online notification procedure for French electronic communications service providers (Providers) to report personal data breaches rapidly to the CNIL, in compliance with the new EC Regulation (No. 611/2013) (the Regulation).
Any personal data breach must be reported to the CNIL via the new standardised online notification form, the secure electronic means that Article 2(4) of the Regulation requires each national authority to provide. The notification must include all the details set out in Annex I of the Regulation and be made no later than 24 hours after the breach is detected. Where full details are not available within that period, the Provider must make an initial notification within the 24 hours and supply the remaining information as soon as possible, and in any case no later than three days after the initial notification. Where the breach is likely to adversely affect the personal data or privacy of an individual, that individual must also be notified without undue delay.
Individuals need not be notified if the Provider can demonstrate to the CNIL that it had implemented technological protection measures rendering the affected data unintelligible to anyone not authorised to access it. The CNIL has two months to assess the adequacy of those measures, which may include encryption or data hashing/masking. In practice this exemption only holds where the data was protected before the breach and the key or secret used to encrypt or hash it was not itself compromised; a breach that exposes the key alongside the data does not qualify. Under existing French law, Providers must also maintain a registry of data breaches which the CNIL is entitled to audit. Failure to comply with the data breach notification requirement is a criminal offence punishable by a fine of up to 300,000 euros and up to five years’ imprisonment.