Use the Lexology Getting The Deal Through tool to compare the answers in this article with those from other jurisdictions.
Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Article L111-1 of the Code of Homeland Security provides that the state shall maintain security, which extends to cyberspace. It is in this regard that France has enacted not one specific law but several acts and regulations promoting cybersecurity. They are as follows.
- The Military Programming Act No. 2013-1168 of 18 December 2013 for 2014 to 2019. Pursuant to this act, the state has a duty and responsibility to take appropriate measures to protect essential sectors that are deemed ‘of utmost importance for State survival’, such as banks, hospitals and nuclear power plants. A whole chapter is dedicated to cyber defence in the new Military Programming Act for 2019 to 2024, not yet into force (it is currently being drafted in Parliament).
- Decrees Nos. 2015-350 and 2015-351 of 27 March 2015, which enact the Military Programming Act of 2013. These decrees state that essential sectors that are deemed ‘of utmost importance for state survival’ are bound to:
- adopt detection tools in their networks and information technology (IT) infrastructures so as to prevent any cyberattack;
- notify immediately any cybersecurity breach to the relevant authorities;
- regularly audit their IT infrastructures; and
- adopt specific measures requested by relevant authorities. The law further provides that non-compliance may lead to a fine of up to €150,000.
- The ANSSI, also designated by the Military Programming Act of 2013, is a governmental agency operating under the authority of the General Secretary for Defence and National Security to ensure the good application of the law and, more precisely, the security of the network and information systems.
- Even before the EU General Data Protection Regulation entry into force, articles 34 and 34-bis of the Data Protection Act of 1978 (modified by Law No. 2018-493 of 20 June 2018) took into consideration cybersecurity, ensuring that when dealing with personal data, technical and organisational measures shall be implemented by data controllers and processors, either private or public, to ensure a level of security appropriate to the risk when processing personal data. These include the protection from unauthorised access, alteration or theft. Additionally, internet service providers (ISPs) processing personal data are obliged to inform the French Data Protection Authority (CNIL) immediately in case of a breach. These ISPs are even compelled to keep records of cyber-attacks. Under the EU General Data Protection Regulation, applicable since 25 May 2018, these obligations have been extended to all data controllers and processors, private and public. Failure by private and public data controllers and processors to take adequate security measures could have led to an administrative fine of up to €3 million according to the Data Protection Act of 1978. From now on, and since the entry into force of the EU General Data Protection Regulation, data controllers and processors may face an administrative fine of up to 2 per cent of the total worldwide annual turnover of the preceding financial year or €10 million, whichever is higher, in case of failure to report and adopt appropriate security measures. By Act No. 2018-493 of 21 June 2018, France formally implemented the EU General Data Protection Regulation legal provisions.
Reference can be finally made to the Directive on Security of Network and Information (the NIS Directive) adopted by the European Union on 6 July 2016. Though members had until 9 May 2018 to transpose this Directive in their legislation, France had already implemented the core recommendations of the NIS Directive through the Military Programming Act of 2013 and its decrees. If the core recommendations of the NIS Directive were implemented through the Military Programming Act of 2013 and its decrees, on 27 February 2018 France passed a proper transposition Act No. 2018-133, detailed by Decree No. 2018-384 published on 23 May.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Pursuant to the Military Programming Act of 2013 and the NIS Directive, the sectors that are most concerned by these laws form part of the ‘sectors of utmost and essential importance’ and are, among others, the energy, transport, water, banking, financial market and healthcare industries. An exhaustive list of those sectors is provided in Decree No. 2018-384. In September 2018, prime ministerial services published a new order providing 23 binding security rules to those sectors of utmost and essential importance.
Given that the Military Programming Act of 2013 and the NIS Directive are relatively new, Ministerial Orders, Ordinances and Decrees were only published around 2016, to such an extent that it is too early to analyse the progress made towards promoting cybersecurity. However, the government has a clear line about cybersecurity: it must be seriously addressed. According to the to-be-voted-on Military Programming Act of 2019 to 2024, that government line on cybersecurity is about to be extended and emphasised.
On a more general aspect, every data controller and processor, private and public, is also bound by the French Data Protection Act of 1978 and the EU General Data Protection Regulation to provide adequate security measures when collecting, processing, transferring and storing data. In this regard, so as to meet this obligation and to be compliant with article 32 of the EU General Data Protection Regulation, they must adopt cybersecurity measures.
Has your jurisdiction adopted any international standards related to cybersecurity?
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Pursuant to article 32 of the EU General Data Protection Regulation, data controllers and processors processing personal data shall implement adequate technical and organisational measures to ensure a level of security appropriate to the risk. These include the protection from unauthorised access, alteration or theft. ISPs (extended to all data controllers and processors under the EU General Data Protection Regulation) processing personal data are also bound to inform the CNIL immediately in case of a breach. They are also compelled to keep records of cyberattacks.
According to the EU General Data Protection Regulation article 83, non-compliant personnel and directors may be fined up to 2 per cent of the total worldwide annual turnover of the preceding financial year or €10 million by the CNIL. Additionally, pursuant to article 226-17 of the Criminal Code, contraveners may face up to five years of imprisonment and be fined up to €300,000. This amount is multiplied by five for organisations, pursuant to article 131-38 of the Criminal Code.
See question 1 regarding organisations of essential importance under the Military Programming Act of 2013.
A relatively important Act was adopted on 27 March 2017, namely Act No. 2017-399. This Act requires that firms with more than 5,000 workers in France undertake a mapping of the potential risks that may negatively affect public liberties, fundamental rights and health and security, and take appropriate measures to mitigate its effects. This mapping must identify the risks, categorise their level of importance and analyse their potential consequences.
How does your jurisdiction define cybersecurity and cybercrime?
Neither cybersecurity nor cybercrime have universal and precise definitions. However, according to the ANSSI, cybersecurity can be defined as an information system that is sufficiently resilient to sustain and mitigate the impact of a cyberattack. The ANSSI further adds that cybersecurity is achieved by applying appropriate technical security measures to the information system, fighting cybercriminal acts and adopting cyber defence strategies.
Cybercrime is defined as the act of using an information system or a network to commit a misdemeanour or a crime that is punishable by domestic law and international treaties.
A distinction shall be made between cybersecurity and data privacy, as cybersecurity is considered as a component of data privacy under French and EU law. As such, to have data privacy, cybersecurity measures would have to be implemented. Additionally, to this distinction, France’s cybersecurity and cybercrime policies are increasingly seen as sections of the cyber defence policy.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
In September 2017, the ANSSI published 42 measures to protect data and IT systems from cyberthreats. According to these, cybersecurity shall be seriously addressed and, therefore, it generally recommends to firms and organisations that they, among others:
- raise awareness;
- regularly update their IT systems;
- restrict access and encourage the use of strong authentication;
- conduct an audit;
- encrypt highly sensitive data and information when they are transferred; and
- decentralise the network.
The same measures have been recommended by the CNIL to personal data controllers and processors, either private or public.
Regarding essential sectors, several ministerial orders were adopted in 2016 and 2017. These orders provide for compulsory security measures, such as adopting detection tools, defensive tools, strong authentication and restricted access protocols that shall be taken by entities mainly operating in the electricity, maritime, finance, ISPs, space, gas, media, nuclear and arms industries.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
Naturally, any cybercriminal offence committed that has been catered for in the Criminal Code shall apply to intellectual property (see question 10). Similarly, any violation of intellectual property that has been catered for in the Intellectual Property Code shall apply to cyber acts or acts committed within the cyberspace. However, and on a more specific note, the law better protects against copyright breach and counterfeiting of trademarks and patents on the internet. Counterfeiters may face a fine of up to €500,000 (multiplied by five for organisations) and up to five years of imprisonment.
Cybersquatting is amenable to a €15,000 fine (multiplied by five for organisations) and up to one year of imprisonment. Providing software for the purpose of encouraging copyright breach may lead to a fine of up to €300,000 (multiplied by five for organisations).
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
As explained above, pursuant to the Military Programming Act of 2013 for 2014 to 2019, the state has a duty and responsibility to take appropriate measures to protect essential sectors that are deemed ‘of utmost importance for the State survival’.
See question 1 regarding organisations of essential importance under the Military Programming Act of 2013.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
France does not have any cybersecurity laws or regulations that specifically restrict the sharing of cyberthreat information. Such approach will not be coherent and will surely hinder the proactive approach adopted to tackle cybercrime and cyberattacks. Article L2321-4 of the Defence Code even provides for the sole purpose of protecting an information system, namely that someone acting on good faith may inform the ANSSI about a cyberthreat. The whistle-blower’s identity is also protected. Moreover, dedicated websites have been set up so as to disclose cyberthreats and vulnerabilities (see question 17).
Additionally, if every individual has a right to privacy, which entails the right to private communication, this right may be levied, and even metadata can be accessed by government in cases of terrorism and organised crime.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
France has enacted laws regarding a wide range of cybercrime-related offences since 1988. In this regard, the following cyberactivies are criminalised.
- Any cyberattack to an information system (article 323-1 of the Criminal Code) through unauthorised access or maintenance is criminalised, and cybercriminals may face a fine of up to €60,000 and up to two years of imprisonment (this fine is multiplied by five for organisations, thus up to €300,000).
- Should this access or maintenance lead to the alteration or deletion of data contained in the system or alter the good running of the system, this will be constitutive of an additional offence amenable of a fine of up to €100,000 (multiplied by five for organisations) and imprisonment of up to three years.
- Attacking state-operated information systems may lead to five years of imprisonment and a fine of up to €150,000 (multiplied by five for organisations).
- Any cyberattack that disrupts or distorts the good running of an information system is sanctioned by up to five years of imprisonment and a fine of up to €150,000 (multiplied by five for organisations). Disrupting or distorting state-operated information systems is sanctioned by seven years of imprisonment and a fine of up to €300,000 (multiplied by five for organisations).
- Introducing, extracting, cloning, transferring, modifying or deleting data of an information system is sanctioned by a fine of up to €150,000 (multiplied by five for organisations) and up to five years of imprisonment. Should the above-mentioned acts be committed to a state-operated information system, contraveners will face a fine of up to €300,000 (multiplied by five for organisations) and up to seven years of imprisonment.
- Importing, proposing or possessing any equipment, software or other tool developed to commit cybercriminal activities is amenable to the same sentence as the act itself or whichever sentence is higher.
- The organised commission of cybercriminal activities is amenable to the same sentence as the act itself or whichever sentence is higher. However, the organised commission of cybercriminal activities against information systems operated by the state is amenable to 10 years of imprisonment and a fine of up to €300,000. (Attempts are sanctioned in the same manner as the act itself.)
- Any unlawful collection, use, storage, transfer and processing of personal data, and failure to meet the security obligations and respect the right to object are also criminal offences amenable up to a fine of up t0 €300,000 (multiplied by five for organisations) and up to five years of imprisonment.
- Impersonation or identity theft is amenable to one year of imprisonment and a fine of up to €15,000 (multiplied by five for organisations).
- Credit or debit card fraud is amenable to seven years of imprisonment and a fine of up to €750,000 (multiplied by five for organisations). Importing, proposing or possessing any equipment, software or any other tool developed to commit credit or debit card fraud is amenable to the same sentence as the act itself or whichever sentence is higher.
- Cyber scams, such as phishing, are punishable by five years of imprisonment and a fine of up to €375,000 (multiplied by five for organisations).
- A breach of trust committed by means of accessing an information system is amenable to three years of imprisonment and a fine of up to €375,000 (multiplied by five for organisations).
The legislator has enhanced the investigatory powers of the police and established specialised cybercrime courts to deal in an efficient manner with cybercrime and attacks.
Additionally, dedicated institutional internet websites aiming to fight against unlawful cyber acts have been set up and allow the public to denounce such acts (eg, Pharos).
How has your jurisdiction addressed information security challenges associated with cloud computing?
This issue has been addressed since 2011. In December 2016, the ANSSI published its binding guidelines on the minimum cybersecurity standards and requirements that are to be maintained by software as a service, platform as a service and infrastructure as a service businesses. As such, it provides for the basic security measures (physical, environmental and operational), update policy, internal risk management (before and after cyberattacks), database and network management and information security policies, among others.
Additionally, the CNIL has also published its recommendations for businesses storing personal data on cloud service providers in 2012. The CNIL is very clear about the matter: cloud computing firms shall guarantee their compliance with French and EU legislation on data protection laws. Security measures is a core subject in this recommendation. It has provided for a template that consists of the essential clauses and aspects that must be covered in a cloud computing contract.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Data controllers and processors are bound by the obligation to secure the processing of personal data. In this regard, article 34 of the present Data Protection Act of 1978 and article 32 of the EU General Data Protection Regulation requires that foreign organisations operating in France or offering goods or services (irrespective of whether a payment of the data subject is required) to such data subjects in France are bound by cybersecurity measures. The monitoring of their behaviour (as far as their behaviour takes place) within France is also bound by these measures.
Notwithstanding this particular case, and, on a broader perspective, as from the moment where a cybercriminal offence is committed in French territory, French law and the French jurisdiction will be competent, pursuant to article 113-2 of the Criminal Code. In this regard, should foreign organisations be either the victims or the cybercriminals, they will be bound by the Criminal Code should the offence be committed in France.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The ANSSI and the CNIL recommend additional cybersecurity protections beyond those that are mandated by law. As such, 42 measures to protect data and IT systems from cyberthreats have been published. See question 6.
How does the government incentivise organisations to improve their cybersecurity?
The approach taken towards cybersecurity is clear in France: it must be taken seriously and appropriate measures must be set up. As such, the ANSSI and CNIL regularly publish guidelines and recommendations of good practice.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
The 42 measures to protect data and IT systems from cyberthreats (which are very broad) can be accessed via the following: https://www.ssi.gouv.fr/guide/guide-dhygiene-informatique/.
Recently, a dedicated website has been set up to help small and medium-sized enterprises, which can be accessed via the following: www.cybermalveillance.gouv.fr.
The CNIL has also elaborated a detail guideline and checklist regarding the good safekeeping of personal data, available via:
- www.cnil.fr/fr/principes-cles/guide-de-la-securite-des-donnees-personnelles; and
Are there generally recommended best practices and procedures for responding to breaches?
France has adopted best practices and procedures. As such, the ANSSI and the CNIL recommend that the first step is to have recourse to a host-based intrusion detection system and a network-based intrusion detection system to identify in real time and certify the extent of the intrusion (compulsory for organisations identified as of essential importance).
Should a breach be identified, it is recommended that the organisation should:
- disconnect the affected IT system from the network;
- inform the local Computer Emergency Response Team;
- make a clone copy of the hard disk drive;
- gather evidence and search for a digital footprint; and
- file a complaint to the police.
For organisations of essential importance, notification shall be made to the ANSSI. For private and public data controllers and processors, notification shall be made to the CNIL.
After the attack, it is recommended that, to analyse the intrusion, organisations should:
- search for any modifications made to the operating system and operating system files;
- analyse if there has been any alteration or modification of data;
- search for any data or tool that may have been introduced by the hacker;
- analyse the logs;
- look for any sniffer on the network; and
- analyse the other devices and hardware connected to the affected network.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Article L2321-4 of the Defence Code provides that, for the sole purpose of protecting an information system, someone acting on good faith may inform the ANSSI about a cyberthreat. Further, the whistle-blower’s identity is protected and several websites have been set up to encourage the sharing of information.
In this regard:
- illegal internet content may be declared via: www.internet-signalement.gouv.fr/PortailWeb/planets/SignalerEtapeAccepter!load.action;
- vulnerabilities may be declared via: www.ssi.gouv.fr/en-cas-dincident/vous-souhaitez-declarer-une-faille-de-securite-ou-une-vulnerabilite; and
- cyberthreats and vulnerabilities are made available via: www.cert.ssi.gouv.fr.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The government and the private sector cooperate through non-profit organisations. As such, the ANSSI (acting on behalf of the government), Thales Communications and Security SAS or Électricité de France (EDF) form part of the European Cyber Security Organisation (ESCO). The ESCO regroups public and private entities and aims to develop, promote and encourage European cybersecurity. Additionally, a public-private partnership on cybersecurity was signed on 5 July 2016 to better equip the Euroepan Union against cyberattacks and to strengthen the competitiveness of its cybersecurity sector. Naturally, these include, and will benefit, French industries and the government.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Europe represents 10 per cent of the cyber risk insurance market and it is a fast-emerging market in France, as it is shown looking at the increasing count of institutional reports (for instance, OECD’s or Club des Juristes). Insurers are proposing such services, and given the rise in awareness about the matter, the demand for such services will constantly grow. However, as cyberattacks are not easily predictable (regarding nature and consequence), these types of insurance may be expensive.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The Military Programming Act of 2013 defines the ANSSI as the primary authority for enforcing cybersecurity rules when dealing with organisations of essential importance.
When dealing with personal data, it will be the CNIL that will be responsible for enforcing cybersecurity rules as well as prosecuting administratively, pursuant to the Data Protection Act of 1978 and the EU General Data Protection Regulation.
Both entities do not have the power to criminally prosecute, since it will be the sole jurisdiction of the public prosecutor.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
For the enforcement of security measures provided in the Data Protection Act of 1978 and the EU General Data Protection Regulation, compliance, monitoring, investigations and administrative prosecution will be conducted by the CNIL. As such, for monitoring and conducting investigations, the CNIL can go on site, search and seize any relevant documents and information. When an offence has been proved, they have the power to prosecute administratively, but most importantly, the power to impose fines, issue injunctions, remove authorisation for data processing, impose warnings and publish its decisions.
The ANSSI will be responsible for carrying out compliance monitoring and investigations for sectors of essential importance and any information system that is operated by the state.
The above-mentioned entities do not have the power to prosecute criminally and request criminal sanctions provided in the Criminal Code, as this power is only vested to the public prosecution.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Concealment of data breaches is an important issue, since organisations fear the negative impact that will follow. However, if this approach is not recommended, and given the particular consequences of cyberattacks (on the economy when speaking of sectors of essential importance or on personal data regarding the right to privacy), the legislator has imposed heavy fines for non-compliance to encourage enforcement. Additionally, the legislator has also encouraged whistle-blowers to inform the ANSSI, but this information must be communicated in good faith. Dedicated websites have even been set up to facilitate notification to respective authorities on cyberattacks, data breaches and incidents.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Since 25 May 2018, the EU General Data Protection Regulation provides that non-compliance with personal data security measures may be subject to an administrative fine by the CNIL of up to 2 per cent of the total worldwide annual turnover of the preceding financial year or €10 million. Additionally, pursuant to article 226-17 of the Criminal Code, contraveners may face up to five years of imprisonment and face a fine of up to €300,000 (multiplied by five for organisations). Organisations of essential importance may be subject to criminal fines of up to €150,000 in cases of contravention of cybersecurity laws, pursuant to article 22 of the Military Programming Act of 2013.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Pursuant to the EU General Data Protection Regulation article 83, personal data controllers and processors who fail to comply with the rules on reporting breaches (provided at article 33) may face an administrative fine by the CNIL of up to 2 per cent of the total worldwide annual turnover of the preceding financial year or €10 million. Organisations of essential importance may be subject to a €150,000 fine in the case of contravention of cybersecurity laws. Additionally, and pursuant to article 226-17 of the Criminal Code, contraveners may face up to five years of imprisonment and be fined up to €300,000 (multiplied by five for organisations).
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
Parties can seek private redress for any unauthorised cyberactivity or failure to adequately protect systems and data under article 1240 of the Civil Code. As such and under the cause of action of negligence, parties may seek damages as a result of the damage suffered.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
It depends on whether the organisation is defined as an organisation of essential importance or whether the organisation is considered as a data controller or processor.
For organisations of essential importance, rules and procedures are imposed on them by either decree, ordinance or ministerial orders. As such, since 2016, entities operating in the electricity, maritime, finance, ISPs, space, gas, media, nuclear and arms industries shall adopt compulsory security measures, such as detection tools, defensive tools, strong authentication and restricted access protocols.
The same cybersecurity measures have been recommended by the CNIL regarding personal data on data controllers and processors, private or public. The EU General Data Protection Regulation has even provided, under article 32, security requirements that may be expected from data controllers and processors, respectively:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
France has rules requiring organisations to keep records of cyberattacks. As such, pursuant to article 34-bis of the Data Protection Act 1978 (which extends to all data controllers and processors under the EU General Data Protection Regulation) and organisations of essential importance, in accordance with article 22 of the Military Programming Act 2013, ISPs are required to keep records of cyberattacks. Such records are collected by way of audit and must specify how the attack happened, its consequences and the measures taken. The law does not specify for how long these records must be kept.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Pursuant to article 34-bis of the Data Protection Act of 1978, ISPs must report, without any delay, data breaches to the CNIL. Under the new EU General Data Protection Regulation, this obligation is now borne by every data controller and processor, private or public. According to article 29 Data Protection Working Party Opinion 03/2014 on breach notification, three types of incidents must be reported:
- ‘confidentiality breach’ - where there is an unauthorised or accidental disclosure of, or access to, personal data;
- ‘availability breach’ - where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
- ‘integrity breach’ - where there is an unauthorised or accidental alteration of personal data.
To facilitate reporting, dedicated forms have been provided online and, in the particular case of personal data, this form can be submitted online.
Regarding organisations of essential importance and in accordance with article 22 of the Military Programming Act 2013, they must report any cybersecurity breach or incident to the ANSSI.
Notification of violation and breach is followed by a report. Information required in reports of cyberthreat depends on the business sector of the organisation considered of essential importance. Regarding personal data, the EU General Data Protection Regulation is more precise on the matter: data controllers and processors must provide precise information on the time of the attack, its nature, personal data affected, remedies applied and the potential consequences of the breach, among others.
What is the timeline for reporting to the authorities?
Entities must report without any delay to the CNIL when they concern personal data, and to the ANSSI if the entities affected are qualified as of essential importance. The EU General Data Protection Regulation provides more precision about the timeline, namely that the incident must not be reported later than 72 hours (where feasible) after the entity has become aware of the breach.
To facilitate reporting, dedicated forms have been provided online and, in the particular case of personal data, this form can be submitted online.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
According to article 34-bis of the Data Protection Act of 1978 and in the case of a personal data beach, ISPs are compelled to report, without any delay, to customers aggrieved by such breach. This obligation has been extended to all data controllers and processors under the EU General Data Protection Regulation. Such notification may be levied if the CNIL certifies that appropriate measures have been taken to make direct or indirect identification impossible. According to article 29 Data Protection Working Party, in its Guidelines on personal data breach notification for the new regulation, dedicated messages should be used when communicating a breach. These include, among others:
- direct messaging (eg, email, SMS and direct message);
- prominent website banners or notification;
- postal communications; and
- prominent advertisements in print media.