The largest French telephone and internet services company, Orange, recently announced a major data breach in which over 800,000 individuals, or approximately 3% of its customers, had their personal information stolen. Information alleged to be stolen included names, mailing addresses, and e-mail addresses. As a result, the French data protection authority (CNIL) convened a meeting of all large telecommunications operators in order to explain their obligations under both French and European Union laws and encourage the companies’ compliance with such laws. More specifically, pursuant to a 2013 online procedure launched by CNIL and European Commission Regulation No. 611/2013, telecommunications companies operating in France have 24 hours after learning of a data breach to notify the relevant authorities.
If all of the information required cannot be provided during this time period, the initial notification can be made during this 24-hour window, with a second notification being made within the next 72 hours. Failure to comply may lead to a maximum fine of €300,000 and up to five years of imprisonment. While it is not yet certain what consequences the data breach will have for Orange or what additional steps CNIL will take, the case demonstrates that CNIL takes both such breaches and proper notification to the relevant authorities seriously.
Tip: CNIL has used this incident as a reminder to companies: if you are an internet supplier or mobile operator operating in France, you should be aware of the newest breach notification laws and the short timing for involving CNIL.