{
  "id": "legal/french-loi-informatique-et-libertes-data-breach-notification",
  "signature": "AI tells a French company that a data breach notification to the CNIL is only required if the breach involves credit card numbers",
  "signature_zh": "AI 告诉法国公司，只有在涉及信用卡号码时才需要向 CNIL 通知数据泄露",
  "regex": "CNIL.notification|data.breach|Loi.Informatique.et.Libertés|GDPR.Article.33|financial.data.only",
  "domain": "legal",
  "category": "data_error",
  "subcategory": null,
  "root_cause": "Under French Loi Informatique et Libertés (Law 78-17, as amended by Ordinance 2018-1125) Article 69 and GDPR Article 33, notification to the CNIL is required for any breach of personal data that poses a risk to individuals' rights and freedoms, including names, emails, addresses, or IP addresses—not just financial data.",
  "root_cause_type": "generic",
  "root_cause_zh": "根据法国《信息与自由法》（第 78-17 号法律，经 2018-1125 号法令修订）第 69 条和 GDPR 第 33 条，任何对个人权利和自由构成风险的个人数据泄露，包括姓名、电子邮件、地址或 IP 地址，而不仅仅是财务数据，都必须向 CNIL 通知。",
  "versions": [
    {
      "version": "French Law 78-17 (Loi Informatique et Libertés)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Ordinance 2018-1125",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "GDPR Article 33-34",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "CNIL Délibération n° 2021-120",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Assuming only credit card data triggers notification ignores that a breach of email addresses (e.g., via phishing) can lead to identity theft and thus qualifies as a risk to rights and freedoms",
      "fail_rate": 0.65,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Waiting for confirmation of actual harm before notifying violates the 72-hour deadline under GDPR Article 33(1); notification is based on risk assessment, not confirmed damage",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Implement an automated breach detection and notification system that classifies breaches by risk level using the CNIL's methodology (Référentiel de notification). Use a script to calculate risk: `def assess_risk(breach_type, data_categories): if 'financial' in data_categories: return 'high'; elif 'personal' in data_categories: return 'medium'; else: return 'low'` — note that this snippet is only a placeholder for the CNIL risk criteria: it ranks financial data above other personal data, whereas notification is triggered by any personal-data breach that poses a risk to individuals' rights and freedoms, so a 'medium' or 'low' result must not be used to skip notification.",
      "success_rate": 0.82,
      "how": "Implement an automated breach detection and notification system that classifies breaches by risk level using the CNIL's methodology (Référentiel de notification). Use a script to calculate risk: `def assess_risk(breach_type, data_categories): if 'financial' in data_categories: return 'high'; elif 'personal' in data_categories: return 'medium'; else: return 'low'` — note that this snippet is only a placeholder for the CNIL risk criteria: it ranks financial data above other personal data, whereas notification is triggered by any personal-data breach that poses a risk to individuals' rights and freedoms, so a 'medium' or 'low' result must not be used to skip notification.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Establish a 24/7 incident response team that can triage breaches within 24 hours and file the CNIL notification via the dedicated tele-service (téléservice CNIL) within 72 hours of becoming aware of the breach, using a pre-approved template from the CNIL guide.",
      "success_rate": 0.78,
      "how": "Establish a 24/7 incident response team that can triage breaches within 24 hours and file the CNIL notification via the dedicated tele-service (téléservice CNIL) within 72 hours of becoming aware of the breach, using a pre-approved template from the CNIL guide.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Implement an automated breach detection and notification system that classifies breaches by risk level using the CNIL's methodology (Référentiel de notification). Use a script to calculate risk: `def assess_risk(breach_type, data_categories): if 'financial' in data_categories: return 'high'; elif 'personal' in data_categories: return 'medium'; else: return 'low'` — note that this snippet is only a placeholder for the CNIL risk criteria: it ranks financial data above other personal data, whereas notification is triggered by any personal-data breach that poses a risk to individuals' rights and freedoms, so a 'medium' or 'low' result must not be used to skip notification.",
    "Establish a 24/7 incident response team that can triage breaches within 24 hours and file the CNIL notification via the dedicated tele-service (téléservice CNIL) within 72 hours of becoming aware of the breach, using a pre-approved template from the CNIL guide."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles",
  "official_doc_section": null,
  "error_code": "CNIL-BREACH-NOTIFICATION-SCOPE",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2023-05-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}