GDPR – The French Data Protection Authority imposes a €250,000 fine for a data security breach
In a decision published today, the French Data Protection Authority (CNIL) imposed a hefty fine on OPTICAL CENTER, a French eyeglasses and contact lenses retailer.
OPTICAL CENTER failed to put in place “elementary security measures” when it added new features to its website. As a result, ordinary visitors to the site could access other customers’ personal data: identity, contact details, date of birth, national identification number and, in some cases, health data, which the GDPR treats as a special category requiring heightened protection.
Although the facts of this decision predate the entry into application of the General Data Protection Regulation on 25 May 2018, the decision is very relevant for understanding how the national data protection authorities will enforce the GDPR.
First, it should be noted that the CNIL stepped in only after a complaint was lodged by a third party. In general, we do not expect the national data protection authorities to launch widespread enforcement of the GDPR on their own initiative; they simply do not have the resources. It is much more likely that they will target specific industries based on their data protection risk profile. One thing is certain, however: the authorities must and will act when a breach is reported to them by a third party. That third party might be an unhappy customer, a disgruntled employee, a mistreated supplier or an aggressive competitor. This is the main risk that non-compliant businesses face.
The CNIL’s decision also makes clear that OPTICAL CENTER should have put security measures in place before deploying the new features on its website, not afterwards. This echoes the principles of “Privacy by Design” and “Privacy by Default” that the GDPR now makes explicit obligations: the requirement to implement appropriate technical and organisational measures is no longer something to be addressed as an afterthought but must be considered from the start of any project that processes personal data.
OPTICAL CENTER argued that no harm had been done to the individuals whose personal data had been exposed. The CNIL rejected this argument, stating that “the disclosure of data related to the identity of individuals exposes them to multiple risks, including the risk of phishing”. In other words, the mere exposure of identity data is treated as a harm in itself, regardless of whether any misuse has been proven.
Finally, the CNIL noted that OPTICAL CENTER had previously been sanctioned for another infringement of data protection legislation and took this repeat offence into account when setting the (exceptionally high) amount of the fine.
Granted, the GDPR is a piece of legislation that can be difficult to understand. But, contrary to all the hype, we at CALYSTA believe that it can be implemented in practice with the appropriate tools and plain common sense. Feel free to get in touch with us so we can show you how straightforward the implementation can be.