1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity', ‘data protection' and ‘cybercrime' (jointly referred to as ‘cyber')? If so, how are they distinguished or defined?
Yes. The French national cybersecurity agency (Agence nationale pour la sécurité des systèmes d'information, or ANSSI) defines these terms as follows:
- ‘Cybersecurity': The state of an information system that enables it to withstand events in cyberspace that are likely to compromise the availability, integrity or confidentiality of the data stored, processed or transmitted, and of the related services that these systems offer or make available. Cybersecurity involves information systems security techniques and is based on the fight against cybercrime and the development of cyber defence.
- ‘Cybercrime': A violation of international treaties or national laws using networks or information systems as a means to carry out a crime or offence, or the targeting of information systems. Cybercrime is mainly punishable under the Godfrain Act (88-19) of 5 January 1988 relating to IT fraud, which introduced specific offences regarding the violation of automated data processing systems into the Criminal Code (Sections 323-1 et seq).
- ‘Data protection': This encompasses the protection of the privacy of individuals and the protection of personal data (ie, information that allows for the direct or indirect identification of a natural person), as established by the Data Protection Act (78-17) of 6 January 1978.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
The cybersecurity regime dates back to the 1978 Data Protection Act.
The 1988 Godfrain Act on IT fraud is another pioneering IT law: it followed the Data Protection Act and was the first French act on computer crime and hacking. It introduced the notion of the ‘automated data processing system' (système de traitement automatisé de données), around which the offences in Sections 323-1 et seq of the Criminal Code are built. Data controllers' security obligations, for their part, stem from the Data Protection Act (and today from Article 32 of the General Data Protection Regulation), not from the Godfrain Act.
The Trust in the Digital Economy Act (2004-575) of 21 June 2004 (also known as the "LCEN") transposed the EU E-commerce Directive of 8 June 2000 and the Directive on Privacy and Electronic Communications of 12 July 2002 into national law. It introduced liability mechanisms for hosts and publishers, and added Section 323-3-1 to the Criminal Code, relating to the possession and provision of equipment designed to commit acts of intrusion into a system or to hinder the operation of a system.
The General Security Referential (Référentiel général de sécurité, or RGS) established by the ANSSI is aimed at the administrative authorities and at all service providers that assist them in securing the electronic exchanges they implement. It is designed as a guide of best practice, in line with the state of the art, for securing exchanges and transactions between users and the administrative authorities.
Section 34 of the Act on Military Programming 2019-2025 (2018-607) of 13 July 2018 contains provisions aimed at strengthening the capacity to detect computer attacks, in order to enhance national security.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
The Act on Military Programming 2014-2019 (2013-1168) of 18 December 2013 reinforced the IT security of ‘operators of vital importance' (OIVs) – that is, operators of systems for which a breach of safety or operation could significantly reduce France's military or economic potential, safety or survivability. Relevant sectors include civil, military and judicial activities, health and energy.
The Act on the Security of Networks and Information Systems (2018-133) of 26 February 2018, which transposed the EU Network and Information Security (NIS) Directive (2016/1148) into national law, made it possible to extend obligations to categories of operators other than OIVs, and created two new categories of actors: ‘essential service operators' (OSEs) and ‘digital service providers' (FSNs).
OSEs are providers of services that are essential for the maintenance of critical societal and/or economic activities which depend on networks and information systems, and which would be likely to be seriously affected in the event of a network security incident. They are designated in various sectors, such as transport, banking, health and digital infrastructure. They must take technical measures to manage risks that threaten network security upstream and ensure that the ANSSI is notified of incidents that may have a significant impact on network security.
FSNs are providers of online search engines, online marketplaces and cloud computing services. Only the smallest providers are exempt: an FSN is subject to the regime unless it both employs fewer than 50 people and has an annual turnover of no more than €10 million. FSNs within scope must ensure that the security of their information systems remains at a satisfactory level by identifying risks in order to avoid incidents and implementing preventive measures, and are also subject to notification obligations to the ANSSI.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The personal data protection framework is set out in the Data Protection Act.
Health data: The act defines ‘health data' as ‘sensitive data' and provides for higher standards of protection for this type of data (eg, a prohibition on collection except in restricted cases; specific approved hosts).
Section L1111-8 of the Public Health Code, as amended by Act 2016-41 of 26 January 2016, provides that personal health data must be hosted under security conditions appropriate to its criticality. In particular, any person hosting such data on digital media (other than electronic archiving services, which remain subject to a separate approval) must hold a health data hosting certification (‘HDS' certification).
Confidential information: The Act on Business Secrecy Protection (2018-670) of 30 July 2018 transposed the EU Trade Secrets Directive of 8 June 2016 into national law. It introduced a new general regime for the protection of trade secrets to the Commercial Code (Sections L151-1 to L154-1). The holders of trade secrets are accountable for the measures they take to protect their secrecy and the timeframe within which they respond to an infringement of such secrets. The act sets out the information that may be protected, what constitutes illicit conduct in this regard and the preventive measures that may be requested in court.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
The General Data Protection Regulation (2016/679) of the European Parliament and of the Council of 27 April 2016 (GDPR) applies in France and sets out data security rules, particularly in Articles 32 et seq.
The GDPR has extra-territorial scope since, under Article 3, it applies to:
(…) the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
France is a party to numerous European, transnational and bilateral agreements relating to mutual assistance in criminal matters and extradition.
France signed the Budapest Convention on Cybercrime on 23 November 2001, which came into force on 1 May 2006.
France is part of the ITU-IMPACT coalition and a member of many European organisations, such as EUROJUST, EUROPOL and the EU Agency for Cybersecurity (ENISA).
The recent EU Regulation (2019/881) of 17 April 2019 on ENISA and on information and communications technology cybersecurity certification (the ‘Cybersecurity Act') is another directly binding legal act of general application. As a regulation, it applies in France without transposition; its provisions on national certification authorities, conformity assessment and penalties apply from 28 June 2021, two years after its entry into force.
The regulation deals with two separate but complementary subjects:
- ENISA is granted a permanent mandate to enhance and develop its role as a facilitator of exchanges between EU member states; and
- An EU framework for cybersecurity certification is established. The evaluation methods and different levels of certification will thus be harmonised at the European level and issued certificates will be mutually recognised within the European Union.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
The Criminal Code deals with several offences relating to cybercrime, as follows.
Fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years' imprisonment and a €60,000 fine (Section 323-1; the offences against such systems are set out in Sections 323-1 to 323-8).
If the access results in the deletion or modification of data held in the system, or in the alteration of its operation, the penalty is increased to three years' imprisonment and a €100,000 fine.
Deliberately hindering or distorting the operation of such a system (Section 323-2), and fraudulently introducing, extracting, holding, reproducing, transmitting, deleting or modifying the data it contains (Section 323-3), are each punishable by five years' imprisonment and a €150,000 fine.
As regards offences relating to the processing of personal data, Sections 226-16 and following of the Criminal Code deal with "Violations of personal rights resulting from computer files or processing".
For example, the collection of personal data by fraudulent, unfair or unlawful means is punishable by five years' imprisonment and a €300,000 fine (Section 226-18).
Cybercrimes may also constitute common law offences, such as fraud or attempted fraud (Sections 313-1 and following of the Criminal Code) and identity theft (Section 226-4-1).
Finally, the Business Secrecy Act (2018-670) of 30 July 2018, which transposed EU Directive 2016/943 into national law, punishes the violation of business secrecy based on civil liability (as opposed to criminal liability). Actions relating to a violation of business secrecy are time barred once five years have elapsed since the facts that caused it arose (Sections L152-1 and L152-2 of the Commercial Code).
2 Enforcement
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The French national cybersecurity agency (ANSSI) was created in 2009 to defend and protect information systems and digital users against cyberattacks. Among other things, it:
- assists operators of vital importance (see question 1.3);
- recommends the use of qualified products and trusted service providers;
- carries out audits in order to check the robustness of security measures;
- makes recommendations; and
- is responsible for issuing labels and qualifications and setting standards (eg, General Security Referential).
According to the Act on Military Programming (2013-1168) of 18 December 2013, the ANSSI acts on behalf of the prime minister, who defines national policy and coordinates government action in terms of security and defence of information systems.
The Autorité de régulation des communications électroniques et des postes (ARCEP) is an independent regulatory administrative authority in charge of electronic communications and postal services. Under the 2018 Military Programming Act (see question 1.2), it supervises the conditions under which the ANSSI operates the attack-detection devices that the act allows it to have deployed on electronic communications operators' networks.
The data protection supervisory authority (CNIL) was established under the Data Protection Act. It ensures compliance with the General Data Protection Regulation. Its remit is closely linked to the issue of information system security, as it supports professionals in their efforts to achieve compliance and helps individuals to control their personal data and exercise their rights. It analyses the impact of technological innovations and their emerging uses on privacy. It can investigate and sanction entities (eg, formal notice, fines, publication of sanctions). Its competence is determined by the GDPR's territorial scope and cooperation mechanisms (see question 1.4); outside that framework it has no enforcement powers of its own abroad.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Private parties may act against cyber-malevolence. They can lodge criminal complaints regarding acts such as fraud and theft of personal data or identity.
In case of online credit card fraud, they can request a refund from the payment service. Section L133-24 of the Financial and Monetary Code provides for the reimbursement of an unauthorised or incorrectly executed payment for a period of 13 months after the date of debit.
However, the courts require web users to be particularly vigilant with regard to their data. They must take all reasonable measures to preserve the confidentiality of their personalised security features. Thus, a phishing attack victim will be unable to obtain compensation in case of ‘gross negligence', such as communicating his or her login or password details in response to a suspicious email.
Victims can also report fraud in a simplified manner through a specific online platform (https://signal.conso.gouv.fr/) and in certain cases can benefit from the intervention of the fraud enforcement authorities (DGCCRF).
Another platform (https://www.cybermalveillance.gouv.fr/) also makes it possible to put victims of cyberattacks – whether individuals, businesses or local authorities – in touch with service providers that might be able to assist them with their claims.
2.3 What defences are available to companies in response to governmental or private enforcement?
Companies may be sanctioned administratively by the CNIL, which is an independent administrative authority. The ANSSI, by contrast, is not an independent authority but a service attached to the prime minister through the Secretariat-General for Defence and National Security; it does not itself impose sanctions, and non-compliance by operators with the obligations it supervises (see question 1.3) is punished by the criminal courts.
Companies can appeal CNIL sanction decisions directly to the French highest administrative court (Conseil d'Etat).
Where a court issues a criminal or a civil penalty, the right to appeal is before the court of appeal, as in any other dispute between private parties.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
The data protection supervisory authority (CNIL) fined the real estate company SERGIC €400,000 for failing to protect the data of its website users adequately and for failing to define appropriate retention periods for that data. Supporting documents uploaded by rental applicants (identity cards, tax notices and similar) could be retrieved by anyone who modified the document identifier in the download URL, because the website did not check that the person requesting a document was the user who had uploaded it, although such an authorisation check is a basic measure. This failure to comply was aggravated by:
- the nature of the data made available; and
- the company's lack of due diligence in remedying the vulnerability (ie, delay in remedying it and failure to take measures to limit its impact) (see CNIL Decision SAN-2019-005 of 28 May 2019).
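The defect sanctioned in the SERGIC decision is an insecure direct object reference: the server trusted the identifier in the request and never compared it with the identity of the requester. The following is an added example, not SERGIC's code and not part of the CNIL decision, showing the vulnerable handler beside the hardened one. The document store, user names and document contents are constructed for the example, and the helper `idor_probe` is an illustrative name.

```python
"""Added example (not part of the CNIL decision or SERGIC's code): the
authorisation check that was missing in the case described above.

A document store keyed by a predictable identifier is exposed through two
handlers. The vulnerable one returns any document whose identifier the caller
supplies; the hardened one first checks that the authenticated user owns it.
All data below is constructed for the example."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # account that uploaded the document
    content: bytes  # eg a scanned identity card or tax notice


# Constructed sample store: sequential ids make enumeration trivial.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", b"alice-id-card"),
    1002: Document(1002, "bob", b"bob-tax-notice"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested document."""


def fetch_document_vulnerable(doc_id: int) -> Optional[bytes]:
    """Insecure direct object reference: the identifier in the request is the
    only thing consulted, so any user (even an anonymous one) can walk the id
    space and download everyone's files."""
    doc = DOCUMENTS.get(doc_id)
    return doc.content if doc else None


def fetch_document(doc_id: int, session_user: Optional[str]) -> bytes:
    """Hardened handler: require an authenticated session and verify ownership
    server-side before returning anything. Unknown ids and foreign ids get
    the same error so the endpoint does not reveal which ids exist."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden("not your document")
    return doc.content


def idor_probe(session_user: Optional[str], id_range: range) -> List[int]:
    """Return the ids in id_range that the vulnerable handler serves to
    session_user but the hardened handler refuses. A non-empty result is
    exactly the condition the CNIL sanctioned."""
    leaked = []
    for doc_id in id_range:
        if fetch_document_vulnerable(doc_id) is None:
            continue
        try:
            fetch_document(doc_id, session_user)
        except Forbidden:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    print("ids leaked to bob by the vulnerable handler:",
          idor_probe("bob", range(1000, 1010)))
```

Random or opaque identifiers would slow the enumeration down but would not fix the defect; the control is the ownership check performed on every request, and returning the same error for unknown and foreign identifiers keeps the endpoint from doubling as an oracle for which documents exist.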
The CNIL also found that Uber France had failed to secure personal data adequately in the attack it suffered in 2016. More particularly, Uber:
- should have required its engineers to log in to the GitHub collaborative development platform with strong (multi-factor) authentication; and
- should not have stored, in plain text in source code hosted on GitHub, the credentials used to access the server holding the data.
Uber was fined €400,000 (the General Data Protection Regulation was not yet applicable) (see CNIL Decision SAN-2018-011 of 19 December 2018).
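The second Uber finding, plaintext credentials committed to source code, is the kind of defect that can be caught mechanically before a commit leaves a developer's machine. The following scanner is an added example written for this page; it is not Uber's or the CNIL's code, the detection patterns are heuristics chosen for the example, and the sample configuration file it scans is constructed.

```python
"""Added example (not Uber's or the CNIL's code): a minimal scanner for the
class of defect sanctioned in the Uber decision above, namely plaintext
credentials committed to source code. The patterns are heuristics chosen for
this example; the sample source text is constructed."""

import re
from typing import List, Tuple

# (label, compiled pattern). Each pattern is deliberately narrow; a real
# pre-commit hook carries many more and an allow-list for documented dummies.
SECRET_PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]")),
    ("basic_auth_url",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, matched_text) for every suspected secret.
    Lines carrying a 'pragma: allowlist secret' marker are skipped, which is
    the usual way to accept a documented placeholder as a false positive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "pragma: allowlist secret" in line:
            continue
        for label, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, label, m.group(0)))
    return findings


def scan_is_clean(text: str) -> bool:
    """Gate for a pre-commit hook or CI job: True only when nothing matched."""
    return not scan_source(text)


# Constructed sample: a settings module of the kind that ends up on GitHub.
# Line 5 shows the corrected form (credential read from the environment).
SAMPLE_SOURCE = '''\
# settings.py (constructed example)
DB_HOST = "db.internal.example"
DB_PASSWORD = "correct-horse-battery"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
BROKER_URL = "amqp://svc:hunter2@mq.internal.example/"
TEST_PASSWORD = "not-a-real-one"  # pragma: allowlist secret
'''


if __name__ == "__main__":
    for lineno, label, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}: {snippet}")
    print("clean:", scan_is_clean(SAMPLE_SOURCE))
```

Run against the sample, the scanner flags the hard-coded database password, the AWS access key identifier and the credentials embedded in the broker URL, and ignores both the value pulled from the environment and the allow-listed test placeholder. Wired into a pre-commit hook, `scan_is_clean` blocks the commit; the scan is cheap compared with the credential rotation that follows once a key has reached a shared repository.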
The Cour de cassation has also confirmed that a payment service user who communicates his or her login or password details in response to a suspicious email commits ‘gross negligence' and cannot obtain reimbursement of the resulting fraudulent payments (Cour de cassation Decision of 28 March 2018; see question 2.2).
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Through the 2008 Defence and National Security White Paper, France took a decisive step forward in addressing cyber threats. Among other things, it:
- established the national cybersecurity agency (ANSSI);
- identified the risk of cyberattacks against national infrastructure as one of the most likely major threats for the next 15 years; and
- highlighted the potentially very severe impact of such attacks on French life.
Accordingly, it called on the state to increase its capacity to prevent and respond to cyberattacks.
The 2015 National Strategy for Digital Security is intended to support digital transition and respond to the new challenges arising from digital use changes and related threats. Its objectives are as follows:
- to ensure national sovereignty;
- to provide for a strong response against malicious cyber acts;
- to inform the general public;
- to make digital security a competitive advantage for French companies; and
- to strengthen France's voice internationally.
The 2013 Defence and National Security White Paper included provisions on vital operators. For the most critical of these operators, these provisions require:
- compliance with information security standards;
- the implementation of appropriate attack detection systems;
- an obligation to report significant incidents; and
- the possibility for the state to verify the security level of their information systems through audits and, in the event of a crisis, to impose the necessary measures.
The 2013 Military Programming Act (see question 1.3) follows these guidelines, enabling critical operators to better protect themselves and the ANSSI to better support them in the event of a cyberattack.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
In mid-October 2019, Paris hosted the twice-yearly plenary meeting of SC 27, the international forum at which professionals develop voluntary standards for information security, cybersecurity and privacy.
SC 27 is a subcommittee of the Joint Technical Committee 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO's counterpart for electrotechnology. It notably produced the ISO/IEC 27001 standard on information security management systems, which has been adopted by many companies and is now a prerequisite for access to certain markets.
The French standard certification association (AFNOR) has also published a guide to good practices to prevent, detect and treat emerging cyber threats (AC Z90-002 as of January 2018).
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
CNIL voluntary standards: The data protection supervisory authority (CNIL) is provided with more extensive powers than those under the General Data Protection Regulation (GDPR) with regard to certification (eg, the data protection officer's skills certification reference system). It can either directly certify bodies and approve certifying bodies, or choose to collaborate with the French accreditation committee (COFRAC).
ANSSI security visas: The Security Visas issued by the French national cybersecurity agency (ANSSI) allow for reliable cybersecurity solutions to be easily identified and recognised as such, thanks to qualifications and certifications delivered following a robustness evaluation carried out by approved laboratories according to a rigorous and proven methodology.
CNIL and ANSSI guides to good practices, toolkits and certifications: ANSSI sets out detailed rules on the security of information systems in small and medium-sized enterprises in its Guide to Good IT Practices (Guide des bonnes pratiques de l'informatique).
So-called ‘hygiene' measures form the basis for protecting most systems. The ANSSI's Guide d'hygiène informatique lists 42 such measures, and the CNIL publishes a comparable catalogue in its Guide de la sécurité des données personnelles.
On the entry into force of the GDPR, the ANSSI provided all public and private entities affected with a data security toolkit.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
There are no specific obligations aimed directly at executives or directors with regard to proactive cyber compliance.
However, in criminal matters, corporate officers and directors may be personally held liable in the event of non-compliance with the obligations referred to above (eg, processing personal data or having such data processed without implementing the prescribed security measures) (Section 226-17 of the Criminal Code).
Moreover, in civil matters, they may be held liable if, through a serious breach (eg, the lack of back-up), the company suffers a loss of data that is very damaging to it (Sections 1240 and 1241 of the Civil Code).
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
There are no specific regulations for public or exchange-listed entities as such; such an entity is subject to additional cyber obligations only if it is designated as an operator of vital importance or an essential service operator (see question 1.3(a)).
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
To the best of our knowledge, there are no restrictions that prevent companies from sharing details of actual or potential cybersecurity threats, provided that any personal data involved is handled in accordance with the Data Protection Act.
Separately, operators of vital importance, essential service operators and digital service providers within scope must notify the ANSSI of security incidents that affect their information systems (see question 5.1).
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
No rules oblige software publishers (éditeurs) to disclose vulnerabilities in their products, and system manufacturers and software vendors follow differing vulnerability-handling policies. Since the Digital Republic Act (2016-1321) of 7 October 2016, however, Section L2321-4 of the Defence Code allows a person who discovers a vulnerability to report it in good faith to the ANSSI alone, which preserves the confidentiality of the reporter's identity and of the circumstances of the discovery.
However, the following incidents must be reported.
Health information security incidents: Healthcare institutions must report to the regional health agencies serious security incidents that affect their information systems – that is, events that generate exceptional situations, and in particular incidents:
- with potential or proven consequences for the safety of healthcare;
- with consequences for health data confidentiality or integrity; or
- that affect the normal functioning of the institution, organisation or service concerned.
Personal data breaches to the data protection supervisory authority (CNIL): Under the General Data Protection Regulation, the data controller must notify a personal data breach to the CNIL unless it is unlikely to result in a risk to the rights and freedoms of the data subjects, and must also communicate it to the data subjects where it is likely to result in a high risk to them. Data processors must notify the data controller of any personal data breach without undue delay after becoming aware of it.
Security incidents to the national cybersecurity agency (ANSSI): Operators of vital importance, essential service operators and certain digital service providers must inform either the prime minister or the national cybersecurity agency (ANSSI) of incidents that affect the operation or security of their information systems (see question 1.3).
Incidents to the Banque de France/Prudential Supervision and Resolution Authority (ACPR): Payment service providers must inform the financial authorities of any major operational incident arising from inadequate or failed processes, persons and systems or force majeure events that affect the integrity, availability, confidentiality, authenticity and/or continuity of payment services.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Health information security incidents: Serious security incidents must be reported to the regional health agencies without delay by completing the dedicated form online.
Personal data breaches to the CNIL: Personal data breaches must be notified to the CNIL through its online notification service by completing the standard form within 72 hours of the data controller becoming aware of the breach. Where notification is made after 72 hours, the reasons for the delay must be given.
Moreover, where a personal data breach is likely to present a high risk to the rights and freedoms of data subjects, the data controller must also communicate it to the data subjects without undue delay. That communication is not required where any one of the following conditions is met:
- the affected personal data was protected by appropriate technical and organisational measures (eg, encryption) that render it unintelligible to anyone who is not authorised to access it;
- the controller has taken subsequent measures that ensure that the high risk is no longer likely to materialise; or
- individual communication would involve disproportionate effort, in which case a public communication or similar measure that informs the data subjects in an equally effective manner must be made instead.
Security incidents to ANSSI: These must be reported via a form accessible on the ANSSI's website and sent via a medium adapted to the sensitivity of the reported information, without undue delay.
Incidents to the Banque de France/ACPR: These must be reported using the notification template for payment service providers set out in Annex 1 of the EBA guidelines on major incident reporting (EBA/GL/2017/10). The initial report must be submitted within four hours of the incident being classified as major, through a dedicated website operated by the Banque de France.
5.3 What steps are companies legally required to take in response to cyber incidents?
Only the notifications to the various authorities listed in question 5.2 are mandatory in the event of a security incident. Although poor management of a security incident can constitute grounds for liability on the part of the company or its officers, no specific response steps are prescribed other than these notifications; the General Data Protection Regulation does, however, require the controller to document every personal data breach, including those not notified to the CNIL (Article 33(5)).
However, the notification deadlines are sometimes very short; it is therefore necessary to establish internal procedures that make it possible to comply with them, while at the same time providing for measures to safeguard the interests of the company and the data subjects.
This type of procedure generally involves the following steps:
- incident reporting;
- establishment of a dedicated team and a crisis unit;
- analysis of the incident and implementation of urgent measures;
- qualification of the incident and notification of the competent authorities and, where appropriate, insurers;
- legal and technical precautionary measures;
- initiation of litigation or pre-litigation actions;
- implementation of appropriate corrective technical solutions; and
- documentation of the incident.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Corporate officers and directors have no direct legal duties; but as representatives of the company, they must comply with the requirements as set out in question 5.3.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
In 2019 the French financial markets regulator (Autorité des marchés financiers) conducted short thematic inspections of asset management companies' cybersecurity under its "SPOT" programme (Supervision of Operational and Thematic Practices).
Four of the six asset management companies which were subject to the controls had specific insurance against cyber risks, taken out by the group to which they belonged.
However, the ceiling on guarantees was not proportionate to the amounts of assets under management, which varied from €10 million to €400 million.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
One major trend concerns authentication, as confidentiality and password protection have become major security issues. As passwords are one of the main points of attack for hacking, companies are gradually implementing new authentication methods. Password-free authentication tools may include hardware tokens or one-time password generators, biometric authentication and knowledge-based authentication.
In terms of proposed legislative reforms, the European E-privacy Regulation would amend the E-privacy Directive of 12 July 2002, which governs the collection of user consent to cookies.
The major novelty of this proposal is the creation of a framework for metadata resulting from electronic communications. This includes "the numbers called, the websites visited, the place, date, time and duration of calls made by an individual, etc., which make it possible to draw precise conclusions about the private life of people involved in electronic communication, such as their social relationships, their daily habits and activities, their interests, their tastes, etc". Use of such data will be subject to strict conditions.
Unlike the General Data Protection Regulation, which protects only natural persons (data subjects), the proposed regulation would also protect the communications of legal persons (eg, companies and associations).
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
- Staff training/awareness: The main vulnerability of a company is the human factor. Many cyberattacks have succeeded by phishing an employee of the target company. Thus, security awareness remains essential for all users that connect to the corporate network, as phishing and ransomware attacks are becoming more sophisticated.
- Service providers and subcontractors: In 2018, there was a dramatic increase in the number of indirect cyberattacks. In such attacks, hackers first penetrate the service providers or suppliers of large groups, where security measures are weaker, and then reach the targeted company through those. Although the liability of data processors has been reinforced by amendments to the Data Protection Act, companies must remain vigilant with regard to the security measures that their data processors have put in place. Data processing agreements with partners must ensure that data processors provide a sufficient level of security.
- Authentication processes are evolving towards biometric data. On the one hand, companies will face a security challenge regarding the storage and use of biometric data, which is considered sensitive data under the General Data Protection Regulation. On the other, biometric capture and liveness-detection tools will need to be perfected, as they can be circumvented or fail (eg, where a photograph is presented to a facial recognition system, or where a reader no longer recognises a burnt fingerprint).