Alain Bensoussan

France has recently adopted an ordinance implementing the EU Telecoms Package into its national law. The new ordinance introduces a series of measures related to data protection, including a data breach notification requirement, leading to the amendment of the Data Protection Act.

Adoption of the ordinance implementing the “Telecoms Package”

An ordinance implementing the European “Telecoms Package” was adopted by the French Council of Ministers last August 24. It came into force on August 26, 2011, the date of its publication in the French Official Journal.

The ordinance is divided into three main chapters. Chapter 1 relates to the changes made by the Telecoms Package to the French Posts and Electronic Communications Code (mainly the strengthening of the powers of the French Telecommunications Regulator, ARCEP), Chapter 2 deals with the impact on the Consumer Code (clearer contracts for consumers) and Chapter 3 focuses on the protection of data and privacy.

Regarding the changes made to the data protection legislation in particular, the ordinance introduces the following three measures:

Creation of a data breach notification requirement 

The ordinance amends Article 34 of the Data Protection Act by introducing an Article 34 bis. Electronic communications service providers now have to notify any personal data breach to the French data protection authority (the CNIL) and indicate the measures they have taken or intend to take to remedy the breach.

“Personal data breach” means “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed in connection with the provision of a publicly available electronic communications service”.

When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without delay. However, informing the subscribers or individuals of the breach is not required if the CNIL (i) gives its green light on the technological protection measures implemented by the provider to cure the breach and (ii) acknowledges that said measures are actually applied to the data concerned.

Furthermore, each electronic communications service provider shall maintain an inventory of personal data breaches comprising the facts surrounding the breach, its effects and the remedial action taken. Providers shall keep the inventory available for the CNIL.

Lastly, Article 226-17-1 is created in the French Penal Code to punish non-compliance with this new data breach notification requirement: “The failure by any electronic communications service provider to notify personal data breaches to the CNIL, in violation of Article 34 bis (II) of the Data Protection Act No. 78-17 of January 6, 1978, shall be punished by five years’ imprisonment and a fine of €300,000”.

Enhanced regulation of cookies

The ordinance amends Article 32(II) of the French Data Protection Act by introducing new wording. Software that allows the tracking of Internet users (e.g., cookies) may not be installed unless Internet users have first been given clear and comprehensive information about the purpose of the cookies or similar devices and about the opportunity to object to the use of such devices. Users must give their consent to the use of cookies. However, the ordinance provides that the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

Further protection against spam

The ordinance also amends Article L121-15-1 of the French Consumer Code to strengthen the protection against spam and other unsolicited communications. Advertising communications (including promotions, prizes and gifts) sent by e-mail shall now indicate a valid address to which the recipient may send a request that such communications cease.