Blog
CNIL Issues New Online Notification Procedure for Reporting Data Breaches
November 19, 2013
The French regulatory body that oversees data protection (the Commission nationale de l'informatique et des libertés or CNIL) recently issued a new mandatory online notification procedure for data breach incidents. This procedure was enacted to give French electronic communications services providers (e.g. internet suppliers, mobile / telephone operators) the ability to rapidly report data breaches to the CNIL, and thereby comply with new EC Regulation No. 611/2013 concerning the measures applicable to the notification of personal data breaches. Data breaches must be reported to the CNIL via the online notification form, in accordance with Article 2(4) of the Regulation, and the report must be made no later than 24 hours after the breach is detected. If all of the required information cannot be provided during this time period, the initial notification can be made during this 24-hour window, with a second notification being made within the next 72 hours. Additional notification must also be provided to the individual whose data was breached. Pursuant to the current notification requirements, the CNIL may issue penalties of up to €300,000 (and up to five years of imprisonment) for failure to comply.
TIP: If you operate in France and have been subject to a breach, remember to use the new mandatory online notification procedure to report data breaches if you are governed by the EC Regulation (i.e., you are an internet supplier, mobile operator, etc.). When in doubt, or when you are lacking certain pertinent information to include in your report, you can always contact your counsel or the CNIL.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.