The CNIL has published an explanation of the new rules relating to data breaches.
Only providers notified to ARCEP, the regulatory authority in charge of e-communications—in other words, ISP and telecom providers—are subject to the obligation to notify data breaches. E-commerce sites providing online services are not yet impacted.
There is a data breach, for instance, when a provider loses a client contract or discloses a correspondence with a customer. Another example would be if the operator's customer database is under attack or if there is a security breach in its online service that enables access to customer credit card numbers used to purchase telecom services and products.
Any breach—loss, destruction, disclosure, distortion, unauthorized access—must be notified to the CNIL, without exception, whatever the severity level, without delay.
Individuals whose data have been impacted must be informed as well if there is a particular risk for the data or for their privacy, which must be assessed by the provider on a case-by-case basis. There could indeed be instances of Identity theft or other problems that could arise as a result of the publication of information that individuals intended to keep confidential. Notification is due to individuals only if the provider has not made the data unintelligible by technical measures such as encryption, provided that these measures have been recognized by the CNIL as appropriate following a procedure that can last two months. The CNIL points out that if the encryption key has been kept in an unsecured way and compromised, then the measures will not pass muster.
If, at the end of the two-month period, the CNIL has still not rendered an opinion, then the provider will be deemed to have to notify the concerned individuals.
Noncompliance with the notification obligations could result in criminal sanctions of a maximum of five years of imprisonment and a fine of €300,000 and CNIL administrative sanctions of a maximum of €150,000.