On 26 August, the French government published legislation on cookies and data breach notification in accordance with Directive 2009/136/EC.
Bird & Bird Associate Gabriel Voisin tells the Daily Dashboard that “Pursuant to Article 17 of Law no 2011-302 of 22 March 2011, implementation of the Directive 2009/136/EC has been delegated by French Parliament to the government.”
The legislation “introduces a requirement for consent to be obtained before cookies are placed” and that browser settings or another application can be used to signify consent.
“Unlike the UK,” Voisin writes, “consent given through browser settings is valid even if the subscriber does not amend or set the controls.”
Voisin adds that the legislation also introduces a data breach notification requirement for electronic communication providers. “From now on, those providers are required to notify the French Data Protection Authority (the CNIL) without delay.”
Those affected by the breach must also be notified unless appropriate security measures have been taken to protect the data and make it unusable, according to Voisin.
“Providers are also required to maintain a registry relating to their data breaches. This document can be requested by the CNIL at any time. Failure to meet the above data breach requirements is a criminal offence punishable by up to five years of imprisonment and/or €300 000 in fines."
Read CNIL's public statement on the legislation. (Statement in French.)