As were all EU Member states, France was bound to implement the so-called “Telecom Package,” including the Directive 2009/136/EC relating to the protection of personal data in the e-communications sector, before May 25.


To this effect, the government requested that parliament delegate the power to legislate by way of ordinance (ordonnance), which was obtained on March 22. Since then, the government has produced two sets of documents, including rules to modify the current legislation (laws) and other rules to modify existing regulations (decrees).


The draft law imposes on providers of electronic communications services open to the public a security breach notification at two levels:


  • Notification to the CNIL, for “violation of personal data” defined as (i) any security violation leading accidentally or unlawfully to the destruction, loss, distortion or disclosure of personal data transmitted, stored or otherwise processed in relation with the provision to the public of electronic communication services or (ii) unauthorised access to personal data.



  • Notification to the individuals, if the violation may adversely impact the personal data or their privacy. It must include the measures recommended by the supplier for the individual to minimize the consequences of the breach.


Both notifications must be done promptly. The draft decree provides the content of the notification and the means by which to convey it. In particular, the notification to the CNIL must specify the measures taken or contemplated to cure the breach.


The CNIL may exempt the service supplier from its duty to notify individuals if it has put in place technological measures to cure the breach. Such measures are defined in the draft decree as effective measures making the data unreadable by any person who may access it. To obtain the validation of the CNIL on these measures, the supplier must provide a file demonstrating its efficiency.


Noncompliance with the notification obligation will be a criminal offence.


The government has launched a public consultation, which is now closed for the legislative part of the implementation of the Telecom Package but remains open until July 11 for the regulatory part. It has until September 21 to finalize the text of the ordinance.


 
