Data Protection Enforcement in France

Administrative Remedies

The Data Protection Authority (“CNIL”) has the power to investigate (on-site or on-line) complaints made by individuals and to investigate any company based on the CNIL’s annual investigation program, any complaint by an individual, or any public information (e.g. press release concerning a data breach). The CNIL may decide to: order that the company complies with French data privacy law and/or files the appropriate formalities; order the suspension of any processing and/or transfer of data, as well as the destruction of data and other similar actions. Any decision of the CNIL may be appealed to the courts. Breaches of data privacy laws are as follows: Regulator/administrative fine from the CNIL: €150,000 and €300,000 in case of relapse.

Civil Remedies

Potentially limitless. This concerns any civil action brought as a result of damages due to a breach of French privacy law by the controller and/or processor.

Criminal Remedies

Criminal sanctions of up to €300,000 for an individual and €1,500,000 for an entity; and up to 5 years imprisonment; the sentence is published in the national press.

Other Remedies

There are also reputational consequences to consider, because the CNIL has the authority to advertise any decision or sanction taken against a company.

Selected Enforcement Actions / General Comments

Some examples of recent enforcement action in France include:

  • On December 11, 2007, Service Innovation Groupe France (SIG) was fined €40,000 for inappropriate comments contained in the employee management file.
  • On April 16, 2006, Jean Marc Philippe company was fined €10,000 for installing a CCTV system that permanently monitored its employees. In addition, the General Manager was fined €5,000 by a criminal court for objecting to the CNIL’s investigation.
  • On June 28, 2006, Crédit Lyonnais was fined €45,000 for failing to respond to the CNIL’s requests regarding the abusive registration of multiple clients in a central file of persons that had payment difficulties (FICP) that is managed by the Banque de France.
  • On November 23, 2006, Crédit Agricole France (Bank) was fined €20,000 for having processed personal data within the National Register on Household Credit Repayment Incidents (FICP) with no valid justification and insufficient guarantees in respect of technical and organizational security measures.
  • On December 14, 2006, Tyco Healthcare France was fined €30,000 for having improperly transferred its employees’ personal data to its headquarters in the US and failing to answer the CNIL’s requests on the purposes of the processing, location of servers and systems, recipients of the data and safety measures applied to such data.
  • On April 22, 2010, the CNIL sanctioned Acadomia company with a public warning for the collection of excessive comments regarding their clients, unlimited data retention periods and non-compliance with prior data processing formal requirements. Several newspapers published articles in May 2010 after CNIL’s investigation e.g. in Figaro: “Scandal surrounding Acadomia’s files,” in Le Monde “CNIL severely collar Acadomia,” Les Echos “the bad behavior of Acadomia.”
  • On March 17, 2011, an internet search engine company was fined €100,000 for committing the following breaches: I Absence of notification of latitude application despite the notice sent by the CNIL;
  • Absence of proper information on the processing of Wi-Fi data collected by the internet search engine company car; I Incomplete information on the source code of the software capturing the payload data.
  • On February 26, 2009, Directannonces, a company specialised in compiling real-estate offers from individuals found on the Internet and selling these information to real-estate professionals, was fined €40, 000 because such practice was considered as an unfair collection of personal data, and Directannonces had not collected the data subjects’ prior consent resulting in the impossibility to object to such processing.
  • On January 12, 2012, GROUPE DSE France was fined €20,000 for having solicited individuals by telephone who did not consent to telephonic prospecting. GROUPE DSE France had purchased their contacts from partnering vendors.
  • On June 22, 2012, Equipement Nord-Picardie was fined €15,000 for failing to ensure for one of its employees the right of access to his personal data and failing to answer the CNIL’s requests on the procedure set up to handle employees access requests to their personal data.
  • On May 30, 2013, PS CONSULTING was fined €10,000 for having implemented a CCTV system that permanently monitored its employees with no valid justification by regards to the purposes for which these data are collected or are further processed. In addition, the employees were not informed of such a monitoring framework. Finally, PS CONSULTING was not able to provide an adequate security to the personal data it had collected.
  • On October 24, 2013, AOCT was fined €10,000 for having not carried out the formalities that must be satisfied before the implementation of a CCTV system. Furthermore, the employees were not informed of the existence of such a system. Moreover, the CNIL noticed an absence of responses despite the requests sent by the CNIL.
  • On 3 January 2014, the CNIL’s Sanctions Committee issued a 150 000 € monetary penalty to an internet search engine company upon considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act.
  • On January 29, 2014, the association JURICOM & ASSOCIES was fined €10,000 for not having guaranteed the right of its members to object to the processing of their personal data.
  • On August 7, 2014, the CNIL sanctioned Orange with a public warning. The company didn’t audit its service provider’s security measures before using their services. Besides Orange transferred its client’s personal data to the service provider without any security or confidentiality clauses having been decided.
  •  On June 6, 2015, Prisma Media was fined €15,000 for having prospecting individuals by mail. Consent was given for the receiving of an informational newsletter but not explicitly for prospection.