The Data Protection Act more burdensome for the actors in the net

France has transposed by order dated August 24, 2011, the EU directive, called Telecoms Package, which modifies substantially the Data Protection Act. Two important points have changed, that will change the lives of the users and operators, service providers and websites.
The first concerns the obligation to notify in case of violation of personal data made ​​possible by security flaws. "The security breaches that result in a accidental or unlawful loss, alteration and unauthorized access to personal data should be systematically reported by operators to the CNIL," it says on the site of the Commission. Only suppliers of electronic communications services open to the public, that is to say, in essence, the operators declared to Arcep, shall be bound by this obligation. However, this raises the question of exactly to whom they apply, because the notion of operator of electronic communications services is relatively vague ....
Specifically, the operator must make available to the CNIL an inventory of the violations found, which "must include the terms and effects caused by the breach and the measures taken to address them," said Hervé Gadabou, partner at Courtois Lebel . The notification is not required if the CNIL found that appropriate security measures (encryption ...) were applied by the supplier, he says.
No tacit acceptance tolerated

The second change made by the order of 24 August relating to the acceptance of the Internet, microfile of cookies (cookies) downloaded to the terminal by websites on which he sails. It must be prior, which would substantially change the practices of targeted marketing on the Internet.
The consent of the Internet and will be associated with information that would clarify, in particular, the mechanisms allowing, if necessary, to return later on his decision and express refusal. According to the Commission, a browser settings to accept all cookies without distinguishing their purpose can not be considered an agreement validly expressed.
The technical means to meet these obligations to be determined. Indeed, the text states only that the consent of the Internet "can result from appropriate parameters of its connection device or other device placed under his control." According to Hervé Gadabou would mean that "the operator must in any event, modify the conditions of use of its site to fulfill its duty of information, incorporating the new rules imposed by the order." Of work ahead for