CNIL Releases FAQs on Data Breaches
PRIVACY LAW—FRANCEJune 1, 2012
The French data protection authority (CNIL) has published an explanation of the new data breach notification rules, writes Pascale Gelly, CIPP/E, for The Privacy Advisor. Internet service and telecom providers are the only entities currently subject to the breach notification obligation. "Any breach--loss, destruction, disclosure, distortion, unauthorized access--must be notified to the CNIL, without exception, whatever the severity level, without delay," writes Gelly, adding that if there is a particular risk to the data or individuals' privacy, individuals must be notified as well. Noncompliance could result in criminal sanctions of a maximum of five years of imprisonment, a fine of 300,000 euros and CNIL administrative sanctions up to 150,000 euros.