France: Cyber Security
In recent years cyber-attacks around the world have been on the rise in number and sophistication and constitute a real threat to the security of state bodies, businesses and individuals. Cyber security has generally been associated with governmental bodies and military organisations, but it has now become an important issue for businesses and private entities to tackle.
The Act on Information Technology, Data Files and Civil Liberties of 6 January 1978 (loi “informatique et libertés”)
Exposures in cyber activity mainly relate to the loss, deterioration or breach of personal data.
The main French data protection legislation is Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (the “Act”) and Decree No. 2005-1309 of 20 October 2005. The Act also implements the provisions of EU Directive 95/96/EEC of 24 October 1995. The Act sets out the basis of data protection in France and its scope is extremely wide.
According to the Act, personal data means any information relating to an identified or identifiable person, i.e. one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them.
Persons or organisations who collect data, identified as “data controllers”, have to take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve its security and, in particular, to prevent its alteration or damage, or access by unauthorised third parties.
Compliance with the Act is ensured by the French data protection authority (Commission Nationale de l'Informatique et des Libertés, “CNIL”), which also has a regulatory and advisory role in drafting recommendations on data protection issues. The CNIL may carry out investigations to ensure compliance with the Act. In case of breach, the CNIL may impose various types of sanctions, which can include public warnings, injunctions, withdrawal of prior authorisations and monetary sanctions of up to €150,000, and up to €300,000 for repeat violations.
The Act generally applies where the data controller is established in France or, where not established in France or in any other EU member state, uses means of processing data located on French territory.
Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation “GDPR”)
The GDPR is intended to harmonise the legislation of the different member states, which have until 25 May 2018 to implement its provisions in national legislation.
The GDPR will significantly change the current French data protection legislation to:
- increase the maximum penalties for breach of the legislation to up to 4% of global revenue or €20 million, whichever is greater;
- replace the obligation to make preliminary declarations to the CNIL with a privacy-by-design and accountability system, whereby data processors will have to anticipate data protection issues in order to ensure compliance with the GDPR and be in a position to demonstrate such compliance;
- allow for a right to be forgotten, whereby individuals may request search engines to delete their personal data;
- reinforce the right to be informed of data breaches;
- apply to data processed from a country outside the EU, as long as the processing entity offers products or services to citizens of the EU;
- extend the definition of personal data to include IP addresses, online identifiers, etc.
Law No. 2013-1168 of 18 December 2013 on military programming
At French governmental level, the Military Programming Law No. 2013-1168 of 18 December 2013 provides for the coordination of governmental action in the field of cybersecurity and cyberdefence. Pursuant to this legislation, the French state not only provides for its own cybersecurity, but also for that of private operators of vital importance to the nation. The French National Cybersecurity Agency (“ANSSI”) has a reinforced role in supporting these operators to prevent cyber-attacks.
The European Network and Information System Security (NIS) Directive of 6 July 2016
The aim of the Directive is to bring cybersecurity capabilities to the same level of development in all EU Member States and to ensure that the exchange of information and cooperation between them are efficient. The Member States have 21 months to transpose the Directive into their national law.