France - Data Breach Guide

France

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

Yes, there is a legal obligation under certain conditions (see below) to notify the French data protection authority ("CNIL") and the affected individuals of a data breach.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

The European regulation no. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR) contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects.

In addition, the sector-specific French provisions resulting from the implementation of the Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy Directive) which provides for a similar requirement for public electronic communications services may also be applicable.

Under the GDPR

A data breach is defined as a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4 (12) of GDPR).

In the case of a personal data breach, it is necessary to establish the likelihood and severity of the resulting risk to people’s rights and freedoms:

• If there is no risk: the data controller does not have to notify it to the French data protection authority (CNIL) (Article 33 (1) of GDPR). However, if the data controller decides not to report the breach, he needs to be able to justify this decision, so he should document it (Article 33 (5) of GDPR).
• If there is a risk: the data controller has to notify it to the CNIL as soon as possible and within 72 hours maximum (Article 33 (1) of GDPR). He has to document it (Article 33 (5) of GDPR).
• If there is a high risk: the data controller has to notify it to the CNIL as soon as possible and within 72 hours maximum (Article 33 (1) of GDPR). He has to document it (Article 33 (5) of GDPR). And he has to inform those concerned directly and without undue delay (Article 34 (1) of GDPR).

However, Article 34 (3) of the GDPR states three conditions that, if met, do not require notification to individuals in the event of a breach. These are: personal data affected by the personal data breach are protected by appropriate technical and organizational protection measures, and are unintelligible to any person who is not authorized to access it (such as encryption); or the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Also, French law lists the following situations that do not require notification to individuals (Article 58, II of the French Data Protection Act or FDPA, and Article 85 of Decree no. 2019-536 dated May 29, 2019): processing including personal data allowing to identify, directly or indirectly, individuals whose identity is protected under Article 39 sexies of the French law on the freedom of the press; and processing of administrative, financial and operational data, as well as processing of health data for which the notification of an unauthorized disclosure or access is likely to result in a risk for the national security, defense or public, due to the volume of data affected by the breach and the private information it contains (such as the family address or composition).

When assessing risk, consideration should be given to:

• The type of breach,
• The nature, sensitivity, and volume of personal data,
• Ease of identification of individuals,
• Severity of consequences for individuals,
• Special characteristics of the individual,
• Characteristics of the data controller,
• The number of affected individuals.

Any entity, private or public, regardless of the size, acting as a data controller is subject to this obligation.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach (Article 33 (2) of GDPR).

Under sector-specific legislation (e-Privacy)

These provisions are applicable to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.

A data breach is defined as "any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorized access to personal data that is being processed in connection with the provision of publicly available electronic communications services" (Article 83, I of the FDPA).

In the case of a personal data breach, the electronic communications service provider must notify the CNIL without undue delay (Article 83, II of the FDPA).

If the personal data breach is likely to adversely affect the personal data or privacy of the individual, he must also notify the individual of the breach without delay. However, notification to the individual is not necessary if the CNIL has decided that appropriate measures of protection have been implemented to render the data unintelligible to any person who is not authorized to access it (e.g., technical measures such as encryption to prevent hackers from accessing data), and that those measures were applied to the data concerned by the security breach (Articles 119 to 122 of Decree no. 2019-536).

The electronic communications service provider shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority (Article 83, III of the FDPA).

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

Under the GDPR

(a) The content of the notice to the CNIL includes at least (Article 33 (3) of GDPR):

• the nature of the personal data breach,
• the categories and approximate number of data subjects concerned,
• the categories and approximate number of personal data records concerned,
• the likely consequences of the personal data breach,
• the name and contact details of the data protection officer or other contact point where more information can be obtained,
• the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If notification to the individuals is made, it shall include at least (Article 34 (2) of GDPR):

• the nature of the personal data breach,
• the likely consequences of the personal data breach,
• the name and contact details of the data protection officer or other contact point where more information can be obtained,
• the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If necessary, it shall also include recommendations for the individuals to mitigate the potential negative consequences of the breach and take precautions (i.e. change of password, back up, etc.).

(b) Notification to the CNIL must be made without undue delay and, where feasible, not later than 72 hours after having become aware of it (Article 33 (1) of GDPR). If it is not possible to provide all information required within this time frame (e.g., further investigation is required), information may be given in phases: (1) notification within 72 hours of the breach; and (2) additional information as soon as it is available (Article 33 (4) of GDPR). Notification to the individuals must be made without undue delay.

(c) It is possible to report a data breach online on the CNIL’ website.

Under sector-specific legislation (e-Privacy)

(a) The content of the notice to the CNIL includes (Article 118 of Decree no. 2019-536):

• the nature and consequences of the personal data breach,
• the measures taken or proposed to be taken by the service provider to address the personal data breach,
• the identity and contact details of the individuals who can provide additional information,
• when possible, an estimate of the number of individuals who may be impacted by the data breach.

If notification to the individuals is made, it shall include (Article 119 of Decree no. 2019-536):

• the nature of the personal data breach,
• the identity and contact details of the individuals who can provide additional information,
• the recommendations to mitigate the negative consequences of the breach.

(b) Notification to the CNIL and the individuals must be made without undue delay (Article 83, II, of the FDPA).

(c) It is possible to report a data breach to the CNIL either by registered letter or by electronic means (Article 118 of Decree no. 2019-536). It is possible to inform the individuals by any means with proof of delivery (Article 119 of Decree no. 2019-536).

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

Infringements of the obligations of the data controller and the data processor in relation to the notification of a personal data breach to the supervisory authority and/or communication of a personal data breach to the data subject is subject to administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (4) lit. (a) of the GDPR and Article 20 of the FDPA).

Administrative fines may, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the additional measures including, but not limited to, to order the controller to communicate a personal data breach to the data subject (Article 83 (2) and Article 58 (2) lit. a) to h) and j) of the GDPR and Articles 20 and 21 of the FDPA).

Failure for the data controller to notify in accordance with the abovementioned Articles 33 and 34 of the GDPR or Article 83 of the FDPA, or for the data processor to inform the data controller in accordance with the abovementioned Article 33 of the GDPR or Article 102 of the FDPA, is also a criminal offence, punishable by up to five years of imprisonment and a EUR 300,000 fine (Article Art. 226-17-1 of the French criminal code).

Any person who has suffered material or non-material damage as a result of an infringement of the abovementioned provisions has the right to receive compensation from the controller or processor for the damage suffered (Article 82 of the GDPR or French civil code).

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

In the event that the legal obligation to notify is not applicable, and depending on the circumstances, the CNIL advises notification of individuals so as to mitigate the consequences of the breach.

1.6 What are the applicable data protection laws or guidelines within your country?

The applicable laws consist mainly in the European regulation no. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR), the French Data Protection Act No 78-17 of 6 January 1978 (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés), Decree no. 2019-536 dated May 29, 2019, and the WP29 Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01).

1.7 Contact information for Data Protection Authority:

For more information, contact: