France has recently adopted an ordinance implementing the EU Telecoms Package into its national law. The new ordinance introduces a series of measures related to data protection, including a data breach notification requirement, leading to the amendment of the Data Protection Act.
Adoption of the ordinance implementing the “Telecoms Package”
An ordinance implementing the European “Telecoms Package” has just been adopted by the French Council of Ministers last August 24. It came into force on August 26, 2011, date of its publication in the French Official Journal.
The ordinance is divided into three main chapters. Chapter 1 relates to the changes made by the Telecoms Package into the French Posts and Electronic Communications Code (mainly the strengthening of the powers of the French Telecommunications Regulator, ARCEP), Chapter 2 deals with the impacts in the Consumer Code (clearer contacts for consumers) and Chapter 3 focuses on the protection of data and privacy.
Regarding, in particular, the changes made to the data protection legislation, the following three concepts have been decided:
Creation of a data breach notification requirement
The ordinance amends Article 34 of the Data Protection Act by introducing an Article 34 bis. Electronic communications service providers now have to notify any personal data breach to the French data protection authority (the CNIL) and indicate the measures they have taken or intend to take to remedy the breach.