Internet service providers or telcos operating in France that suffer a data breach must notify the country’s data protection authority and any customers who may be affected, following an amendment to France’s Data Protection Act.
A data breach is defined in the ordinance, announced last week, as "any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorised access to personal data".
French ISPs must inform customers of a breach if it is likely to impact their privacy or data protection. However, if the regulator – the Commission nationale de l’informatique et des libertés (CNIL) – believes adequate measures are in place to prevent this from happening, they will not have to inform customers.
Providers that fail to comply with the new rules face up to five years in prison and a €300,000 fine.
France’s introduction of a data breach notification law for the telecommunications industry follows the recommendations of the European Union’s ePrivacy Directive of 2002, which stipulated that "in case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk".
Both Germany and Spain have already introduced data breach notification laws for ISPs and telcos, and earlier this year the UK’s Information Commissioner was granted the authority to fine such organisations if they fail to inform it of significant data breaches. However, the fixed penalty for failure to comply is just £1,000 – around 0.4% of France’s maximum penalty.
A study by the European Network and Information Security Agency (ENISA) published this year found that ISPs and telcos in the region had a number of concerns about data breach notification laws.
Specifically, they wanted reassurances that such notifications would not affect their brands. "It is important for operators to maintain control of communications with relevant data subjects, as much as possible, to ensure that operators can effectively manage any impact on brand perception brought about by the data breach and subsequent notification", the report found.
They also wanted the rules to take the seriousness of the breach into account, for fear that they would be obliged to report minor incidents continually.
There is no sign that these concerns have been accommodated in France’s new rules.
Speaking earlier this year, EU justice commissioner Viviane Reding said she plans to extend the data breach notification laws to cover organisations in all sectors.
Meanwhile, in the US, a number of recent bills have proposed a federal data breach notification law (such laws are currently introduced on a state-by-state basis). However, according to a report from Dominic Paluzzi of law firm McDonald Hopkins, "previous attempts to pass federal data security and breach notification legislation have consistently failed."