Since 24 April 2023, entities or individuals who want to be able to claim compensation from their insurer for losses and damages caused by a breach of an automated data processing system (as defined in articles 323-1 to 323-3-1 of the French Criminal Code) must file a complaint with the “competent authorities” within 72 hours of becoming aware of the breach. This results from the new article L12-10-1 of the French Insurance Code[1].
The obligation applies to any entity or individual – acting in the exercise of their professional activities – which is covered by, or is negotiating, an insurance policy subject to the new article L12-10-1 of the French Insurance Code.
Article 4 of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
When the personal data breach is likely to result in:
Under article L12-10-1 of the French Insurance Code, it is necessary to notify the “competent authorities” when there is a breach of an automated data processing system as defined in articles 323-1 to 323-3-1 of the French Criminal Code[2].
Articles 323-1 to 323-3-1 cover the following situations:
The report attached to the law implementing article L12-10-1 suggests (see page 7) that the “competent authorities” are the police or the judicial authority. The report underlines that this should allow such authorities to obtain the information needed to prosecute the perpetrators of the offence. However, it remains unclear who the competent authorities will actually be, as the article itself is silent on this matter.
As it stands, it seems unlikely that the CNIL or any other data protection authority would qualify as a “competent authority” under article L12-10-1 of the French Insurance Code. As a consequence, where you are caught by both the GDPR and the French Insurance Code, you will have to make two separate notifications.
This question remains open, as neither the article nor the report addresses the issue.
Article L12-10-1 of the French Insurance Code came into effect on 24 April 2023 and states that the complaint must be filed with the “competent authorities” “no later than 72 hours after becoming aware of the breach”. What about breaches which occurred before 24 April 2023?
Example 1: the breach occurred in November 2022, and you became aware of it on 25 April 2023. In this scenario, because you became aware of the breach after the law came into effect, you will have to file a complaint with the competent authorities.
Example 2: the breach occurred in February 2023, and you became aware of it on 15 April 2023. In this scenario, because you became aware of the breach before the law came into effect, you will not be caught by the new obligation.
1 – Assess whether the incident falls within GDPR and French Criminal Code definitions.
2 – Report the incident within 72 hours to the relevant authorities.
1 – When negotiating an insurance policy, keep the new rules in mind.
Check whether the insurance policy simply includes the new notification obligation or extends its scope and adds further obligations. In addition, the insurance policy should expressly set out the process to follow for such notifications.
In any event, the wording of article L12-10-1 seems to leave little doubt about the sanction for failure to notify: the insurer will be able to refuse any compensation.
2 – Include the filing of criminal complaints in your incident response policy.
Where you are caught by the provisions of article L12-10-1 of the French Insurance Code, your data breach reporting policy should be updated to include this additional requirement, so that the criminal complaint is filed within the 72-hour window alongside any GDPR notification.
[1] The article provides that: “the payment of a sum pursuant to the clause of an insurance contract intended to compensate an insured for losses and damages caused by a breach of an automated data processing system mentioned in articles 323-1 to 323-3-1 of the French Criminal Code is subject to the filing of a complaint by the victim with the competent authorities no later than 72 hours after becoming aware of the breach.”
[2] These articles of the French Criminal Code criminalize fraudulent access to, and interference with, automated data processing systems and the data they process.