CNIL's New Breach Notice Guidelines Pose Challenges, Practitioners Say

By Rick Mitchell

PARIS--The French data protection regulator (CNIL) May 28 published new guidance that spells out data breach notification requirements, which were appended by the government to the country's 1978 data protection act in 2011 but did not take effect until April 1.

Attorneys told BNA May 31 that France's new rules suggest legal challenges that EU-based companies are likely to face when data breaches involve users in different countries, due to EU member states' divergent implementation of the directive.

The guidance defines personal data breaches and sets out practical measures for how electronic telecommunication companies must notify the CNIL of such breaches and when they must also notify affected subscribers or users. It identifies technical protection measures that could exempt companies from the requirement to notify subscribers.

The 2011 ordinance updated France's framework Law on Information Technology and Liberties (78-17 of 1978). Among other things, it amended Article 34 to transpose into French law the 2009 amended EU e-Privacy Directive (2009/136/EC) requirement that electronic communications firms, including internet service providers, notify individuals if their personal data are breached.

The ordinance also transposed EU cookie requirements into French law.

France's Ministry of Economy March 31 published application decree No. 2012-436 of March 30, which, among other things, detailed conditions set by the 2011 ordinance for data breach notification requirements, and clarified the April 1 enactment date.

The ordinance set a €300,000 ($373,000) fine and up to five years imprisonment for noncompliance.

Inspections Planned

Also in April, the CNIL announced that its 2012 audit program includes inspections for compliance with the breach notification requirement. “Now that the implementation decree has entered into force and with the publication of this guidance, I think telecom companies can expect the CNIL to begin enforcing [the rules],” Olivier Proust, Brussels-based attorney for Morrison & Foerster LLP, told BNA May 31.

Gabriel Voisin, a London-based attorney for Bird & Bird, told BNA that the CNIL has said that to date it has received only a very small number of data breach notifications, which he called “surprising.”

By contrast, Voisin said, “the U.K. authority has received hundreds [of notifications]. I think the small number explains why the CNIL has put data breach notification high on its inspections agenda for 2012-2013. They want to know more about what companies are doing to comply,” he said.

'Personal Data Breach' Defined

The guidance defines a breach as the accidental or illicit destruction, loss, alteration, disclosure or unauthorized access to personal data of a subscriber or individual that could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.

“Malicious intent is one of the conditions, but not the only one,” the CNIL said. The authority's text sets out three cumulative conditions for the notification requirement:

  • It applies only to e-communications service providers registered with the French Authority for Regulation of Electronic Communications and Posts, which include mobile telephone operators and internet service providers. “Information society” companies, including online banks, e-commerce sites, or government online services, are not subject to the requirement.

  • The breach must involve a company's processing of personal data in the context of providing an electronic communications service. This could be an intrusion into an ISP's customer database containing email addresses or billing information, the authority said.

  • Other examples include a glitch in a mobile operator's online store that allows someone to obtain credit card numbers of new subscribers that have ordered telephones with their subscriptions, or when an ISP's confidential email, intended for a customer, is sent by mistake to other people.

  • The guidelines said the breach notice requirements do not cover a personal computer virus not linked to an ISP's processing of customer personal data. The theft of an ISP's human resources database is also not covered, because it doesn't involve services an e-communication operator provides to the public.

No Threshold for Reporting to CNIL ...

Proust said that when the e-Privacy Directive was amended to introduce the data breach notification requirement, one question was whether there should be a particular threshold of breach seriousness that would trigger a company's notification requirement to the CNIL.

But the CNIL guidelines state that, whatever the seriousness of the breach, the company must notify the authority systematically and immediately by registered letter, describing the nature and consequences of the breach, measures already taken or proposed to remedy the situation, identifying contacts for further information, and, if possible, providing an estimate of the number of people affected. The company also has to maintain an inventory of the breaches.

“This [lack of a threshold] means operators need internal processes in order to be able to notify the CNIL without delay,” Proust said. It also raises the question of whether the CNIL will be able to handle the flow of notifications it could get, he said.

... Different Standard for Notice to Individuals

The CNIL at least partly leaves to companies the decision of whether a data breach poses a serious enough risk to subscribers' personal data or privacy to warrant notification of subscribers or users. However, it reserves the right to require companies to notify users or subscribers if it disagrees with their assessment.

In the case of a breach, companies don't have to notify users if they have applied “adequate” corrective technological protection measures. “The concept of protection measures was a little blurred in the law and the decree, and the CNIL's guidance brings a little clarity on what that means,” Proust said.

If the company immediately takes “effective” measures to make the data unreadable or undecipherable, then it doesn't have to notify users or subscribers, according to the guidelines, which offer the example of using an encryption method. But the CNIL went on to warn that if the encryption key is also stolen, the security becomes ineffective.

Silence = ‘No.’

The guidelines state that a company must notify the CNIL of corrective security measures it has taken; provide the name, address, and telephone number of the data processing manager; and describe the measures and additional efforts it has made to ensure the measures work. It also must provide identifying numbers of required reports or forms filed to the CNIL, indicate whether data subjects have been formally notified of the breach, and if not, why.

This information should typically be provided when initially notifying the CNIL of the breach, the authority said.

Two-Month Delay Built Into Notification Process

Once the information is sent, the CNIL has two months to evaluate the measures. If it sends official notification that the measures satisfy requirements, the company does not have to notify subscribers or users. But if the CNIL does not respond during those two months, that means the measures are insufficient and the company is legally bound to immediately notify its subscribers of the breach, Proust and Voisin noted.

Voisin called this “a weird approach… . Two months is quite a long delay. I think this misses the whole point of having such legislation. I would have thought that companies should be more reactive.” He said he expects the authority to publish additional text in the early fall, providing more detail on what it considers effective technical measures that exempt companies.

Proust said companies should establish practical internal processes to break down the various steps to comply with the law, in particular, the two-month period that starts when they notify the CNIL of the breach and protection measures.

How to Notify Affected Users

In the case of a serious breach, the CNIL can directly order a company to notify users, and in those cases, the authority must provide a deadline no later than one month after the date it received notification, the guidelines said.

The company can use any formally verifiable method for notifying users, and the notification must include the nature of the breach, contact details for further information, and recommended measures to reduce the negative consequences of the breach, the authority said. The company also must maintain a paper or digital inventory of breaches, a description of how they happened, their consequences, and corrective measures taken.

Adequate Resources?

For now, France's data breach requirements apply only to the telecom sector, but the European Commission's draft regulation to revise the Data Privacy Directive proposes to expand these requirements to all data controllers, such as online banks, insurance companies, and other online companies processing personal data.

“One of the questions we have is what would happen if these provisions apply to all data controllers. The CNIL could be overwhelmed, and this question applies to all the regulators in Europe,” Proust said.

Voisin noted that some countries already have breach notification laws that apply to all kinds of online companies. But for most member countries, data breach notification requirements for ISPs and other e-communication companies are implemented through the e-Privacy Directive.

Assuming the draft regulation is eventually implemented, “The Commission or EU Parliament will have to clarify how we are going to articulate the two kinds of data breach measures,” one through the directive and one through the new regulation, Voisin said.

The Rest of Europe

Voisin and Proust said that some EU countries, in particular Germany, have yet to implement the directive's breach notification requirement, and there are many discrepancies in the requirements of EU states that have implemented it.

Voisin said Spain has implemented breach notification rules, while Italy and Poland have draft legislation but no requirements implemented so far. “Sweden took the unusual view that there is no need to notify the Post and Telecom authority [the competent authority] for breaches involving what the company determines to be a small number of subscribers or individuals. The authority's justification was that [breaches involving few users] are unlikely to cause adverse effects … . I doubt many DPAs in Europe will follow that approach,” he said.

He said the Netherlands published a notification requirement set to take effect in June. “The Dutch DPA has created a very business friendly website for companies to file data breach notifications,” Voisin said. He said most countries with the rules follow the usual fine threshold of €300,000, while some countries, among them France, include imprisonment.

Serious Implications

The attorneys said these differences could have serious implications for telecoms companies, because breaches often involve individuals located in multiple countries. Voisin said companies will have to seek local advice or contact local authorities in each market to make sure they comply with local requirements in addition to “the [EU] big umbrella, the e-Privacy Directive.”

“It will certainly be a challenge for companies to implement adequate processes or internal procedures that will enable them to address these provisions and to comply with the different national laws,” Proust said.

“When addressing data breaches in Europe, companies will also have to make a risk assessment and determine the jurisdictions where enforcement is likely to be more severe and therefore where they need to focus their attention. They may need to prioritize where they need to implement protective measures, to react first and quickly, depending on how the law was implemented in each jurisdiction and how those laws are enforced by regulators,” Proust said.

The European Commission's proposed draft privacy regulation includes the notion of a European body that would supervise local DPAs. “This body might have, as one of its tasks, supervising data breaches across member states to have a more consistent approach and one point of entry,” Voisin suggested.

(June 4, 2012)
