As mentioned in the article “Legislating by ordinance to transpose the Telecoms Reform Package in time”, a law “transposing a number of harmonising provisions from EU legislation on matters of health, employment and electronic communications” was published on 23 March 2011
Amongst other things it enables the French government to legislate by ordinance in order to implement the Telecoms Reform Package Directives into French law. Once this law is in force, the government will have eight months within which to pass the transposing legislation, although the deadline for Member States is 25 May 2011.
Amongst other things, the Telecoms Reform Package, dated November 2009, contains significant amendments to the EC Directive 2002/58/EC (the “e-Privacy Directive”). Particular attention should be given to the following issues:
Firstly, the introduction of the “data breach notification” requirement. This requirement, which already exists under national law in a number of countries, can have a serious reputational impact on companies, and also imposes a significant burden in terms of internal administration and cost.
For now this requirement only applies to companies within the communications sector, but legislators, both in the EU and in France, have expressed their intention to extend the notification requirement so that it covers all sectors.
It will be interesting to see whether the French regulations will follow the German or English model, rather than the draft French Bill on “safeguarding personal data in the digital age” presented by the Senate to the Assemblée nationale on 24 March 2010.
The regulations should cover topics such as: the definition of the “breach” which will trigger the notification requirement; whether or not there will be a risk assessment involved in the decision to notify; the content of the notification to be given to the CNIL (French data protection authority) and/or to the data subject; the sanctions; and the role of the CNIL as well as the so-called “CIL” (the data protection “correspondant”/officer). The ordinance is very likely to contain only basic principles, with more detail being included in implementing decrees, which will delay its actual implementation.
In any event, companies should prepare themselves well in advance as the legislation will require internal systems to be put in place to detect and identify “breaches” and to quickly resolve crises as they arise.
The second point concerns internet users’ consent to “cookies”. This subject has already been a topic of passionate debate in relation more generally to “behavioural advertising”.
The issue is what form the required consent should take, and whether or not it implies a systematic “opt-in”. Debates on the above-mentioned French Bill have taken a pragmatic rather than dogmatic approach in order to favour a user-friendly approach that will not impact the ease with which you can navigate. The emphasis is above all on transparency (users being provided with clear and comprehensive information on the purpose of the processing, the nature of the information collected and the recipients, all set out in a specific and permanent “rubric”, as well as being clear and accessible).
France is not by any means the only EU Member State which will need to double its efforts in dealing with this sensitive issue in the coming months.