# AI tells a French company that a data breach notification to the CNIL is only required if the breach involves credit card numbers

- **ID:** `legal/french-loi-informatique-et-libertes-data-breach-notification`
- **Domain:** legal
- **Category:** data_error
- **Error Code:** `CNIL-BREACH-NOTIFICATION-SCOPE`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Under French Loi Informatique et Libertés (Law 78-17, as amended by Ordinance 2018-1125) Article 69 and GDPR Article 33, notification to the CNIL is required for any breach of personal data that poses a risk to individuals' rights and freedoms, including names, emails, addresses, or IP addresses—not just financial data.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| French Law 78-17 (Loi Informatique et Libertés) | active | — | — |
| Ordinance 2018-1125 | active | — | — |
| GDPR Article 33-34 | active | — | — |
| CNIL Délibération n° 2021-120 | active | — | — |

## Workarounds

1. **Implement an automated breach detection and notification system that classifies breaches by risk level using the CNIL's methodology (Référentiel de notification). Use a script to calculate risk: `def assess_risk(breach_type, data_categories): if 'financial' in data_categories: return 'high'; elif 'personal' in data_categories: return 'medium'; else: return 'low'`** (82% success)
   ```
   Implement an automated breach detection and notification system that classifies breaches by risk level using the CNIL's methodology (Référentiel de notification). Use a script to calculate risk: `def assess_risk(breach_type, data_categories): if 'financial' in data_categories: return 'high'; elif 'personal' in data_categories: return 'medium'; else: return 'low'`
   ```
2. **Establish a 24/7 incident response team that can triage breaches within 24 hours and file the CNIL notification via the dedicated tele-service (téléservice CNIL) within 72 hours, using a pre-approved template from the CNIL guide.** (78% success)
   ```
   Establish a 24/7 incident response team that can triage breaches within 24 hours and file the CNIL notification via the dedicated tele-service (téléservice CNIL) within 72 hours, using a pre-approved template from the CNIL guide.
   ```

## Dead Ends

- **** — Assuming only credit card data triggers notification ignores that a breach of email addresses (e.g., via phishing) can lead to identity theft and thus qualifies as a risk to rights and freedoms (65% fail)
- **** — Waiting for confirmation of actual harm before notifying violates the 72-hour deadline under GDPR Article 33(1); notification is based on risk assessment, not confirmed damage (70% fail)