Shostack + Friends Blog Archive


Breach Notification in France

Over at the Proskauer blog, Cecile Martin writes “Is data breach notification compulsory under French law?”:

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers.

In France, all data breaches that affect electronic communication service providers need to be reported [to CNIL], regardless of the severity. Once there is a data breach, service providers must immediately send written notification to CNIL, stating the following…

This creates a fascinating data set at CNIL. I hope that they’ll operate with a spirit of transparency, and produce in-depth analysis of the causes of breaches and the efficacy of the defensive measures that companies employ.