The French data protection authority (CNIL) has published an explanation of the new data breach notification rules, writes Pascale Gelly, CIPP/E, for The Privacy Advisor. Internet service and telecom providers are the only entities currently subject to the breach notification obligation. "Any breach--loss, destruction, disclosure, distortion, unauthorized access--must be notified to the CNIL, without exception, whatever the severity level, without delay," writes Gelly, adding that if there is a particular risk to the data or individuals' privacy, individuals must be notified as well. Noncompliance could result in criminal sanctions of a maximum of five years of imprisonment, a fine of 300,000 euros and CNIL administrative sanctions up to 150,000 euros.
If you want to comment on this post, you need to login.