DPA enforcement in relation to publicly announced focus topics.
GDPR fines by DPA comparatively high.
Limited transparency regarding the publication of fines (however, there is an annual report with aggregated figures).
Fines > Damages: Focus on fines, limited litigation.
Fining practice in France
Trend: to date, have the national data protection authorities in France focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?
The French data protection authority (the “Commission nationale de l’informatique et des libertés” or the “CNIL”) does not make statements on the types of non-compliance it investigates. It could be said that, until now, the CNIL has focused its investigations on essential obligations, such as the legal bases for data processing (Art. 5, 6 GDPR) or security requirements (Art. 32 GDPR). Since 2017, 40% of the sanctions have been based on the violation of security obligations.
As part of one of its priority themes for 2021, the CNIL has carried out a series of online and documentary checks on cybersecurity (i.e., on the basis of documents submitted) on 21 websites of French public sector organizations (municipalities, university hospitals, ministries, etc.) and private sector organizations (e-commerce platforms, IT solution providers, etc.).
[3] https://www.cnil.fr/fr/cybersecurite-15-mises-en-demeure-lencontre-de-sites-web-insuffisamment-securises
promoting control and respect for individuals’ rights;
promoting the GDPR as an asset of trust for organisations;
prioritising targeted regulatory actions on subjects with high privacy stakes.
In 2022, 21 sanctions were imposed by the CNIL, for a total of EUR 101,277,900. 13 sanctions were disclosed to the public. Among the most frequent breaches were failure to inform individuals, failure to respect their rights and failure to cooperate with the CNIL. Among these 21 sanctions:
- one third involved a breach of security of personal data;
- 4 sanctions concerned breaches of cookie management and other tracking devices; and
- 3 concerned breaches relating to direct marketing.
147 formal notices have been issued by the CNIL. 22 decisions against municipalities that have not appointed a DPO have been made public. These formal notices also concerned direct marketing and the transmission of data to commercial partners, the transfer of data to the United States (via the Google Analytics tool) and website security measures. More generally, in terms of data security, a significant proportion of the decisions taken include at least one breach on this subject.
[5] https://www.cnil.fr/fr/sanctions-et-mesures-correctrices-la-cnil-presente-le-bilan-2022-de-son-action-repressive
Overall, what was the most significant fine in France to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?
The highest GDPR fine in France to date was imposed on GOOGLE LLC and GOOGLE IRELAND LIMITED on 31 December 2021 for a total amount of EUR 150 million (90 million on GOOGLE LLC and 60 million on GOOGLE IRELAND LIMITED).
The CNIL considered that the sites “google.fr” and “youtube.com” did not allow cookies to be rejected as easily as they could be accepted. According to the CNIL, an internet user was required to click on “Manage data settings” to reject cookies, thus biasing user consent.
Organisation of authorities, procedure and publicising of fine proceedings in France
How is the data protection authority organised in France? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The CNIL is an independent administrative authority; it does not report to the Government nor to a specific ministry. It is composed of a College of 18 members and 245 staff members. The college of 18 members is composed of:
4 members of Parliament (2 deputies, 2 senators);
2 members of the Economic, Social and Environmental Council;
6 representatives of the highest courts (2 Counsels from the Conseil d’Etat, 2 Counsels from the Cour de Cassation, 2 Counsels from the Cour des Comptes);
5 qualified persons appointed by the President of the National Assembly (1 person), the President of the Senate (1 person), by the Council of Ministers (3 persons);
The President of the CADA (Commission for Access to Administrative Documents).
How does a fine procedure work in France? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
Fines may be directly imposed by the CNIL as part of administrative proceedings.
Following inspections or complaints, in the event of non-compliance with the provisions of the GDPR or the French data protection Act, the CNIL may impose sanctions on companies which do not comply with these legal provisions.
The CNIL may impose a fine without first issuing a formal notice to comply.
If the CNIL decides to initiate fine proceedings following audits or inspections, the company shall be notified to this effect. A report proposing the imposing of an enforcement measure shall be sent to the company and the latter may submit its observations to the CNIL.
The fines may be made public or not.
Companies may appeal CNIL decisions before the Council of State (Conseil d’Etat) within two months of notification of the decision.
As of 2022, a major reform of the CNIL’s corrective measures has been carried out, leading to the adoption of the first sanctions under simplified sanction proceedings for cases of lower complexity.
The fines imposed to date range between EUR 5,000 and EUR 15,000, half of which were imposed for injunctions under penalty (i.e., financial penalties for late compliance). They target various actors (for example, a university and doctors). They also deal with a variety of issues and concern the use of administrative files for political communication purposes, video surveillance of employees, disregard of people's rights or failure to cooperate with the CNIL.
[7] https://www.cnil.fr/procedure-de-sanction-simplifiee-la-cnil-presente-son-premier-bilan-2022
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
The CNIL does not collect the fines; these are paid directly into the State treasury.
Is there a common, official calculation methodology for fines in France (such as the fining models in the Netherlands or Germany)?
There is no common, official calculation methodology for fines. Fines are calculated in light of the criteria mentioned in Article 83(5) and (6) of the GDPR.
Can public authorities be fined in France? If they can: Where does this money go?
Enforcement action may be taken against public authorities, but no administrative fines may be imposed for the processing of personal data carried out by the State.
In France, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
The CNIL does not publish all imposed fines pending proceedings or investigations. The CNIL decides, taking into consideration the facts and violations, whether or not to publish its decisions or enforcement actions.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
Each year, the CNIL publishes an activity report in which it details all key numbers.
The CNIL restricted committee issued 8 penalties including 7 fines totalling EUR 51,370,000 and 5 injunctions.
The CNIL issued 42 orders to comply, including 2 public notices.
The CNIL issued 2 reminders and 2 warnings.
The CNIL also provides aggregate sets of data (open data) on its activity including fines from earlier periods.
Other legal consequences of non-compliance in France
Does France have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
Yes. Where several data subjects placed in similar situations have suffered damage resulting from a breach of data protection law by the same data controller or data processor, a class action (“action de groupe”) may be filed before the civil or administrative courts (Article 37 II of the French Data Protection Act).
A class action can only be filed by:
- associations with activities in the field of privacy and data protection for at least five years;
- accredited consumer associations that are representative at the national level; and
- trade unions.
There have been very few class actions to date, most of these being against major tech companies.
What is more relevant in France: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
To date, fines from data protection authorities are much more prevalent than claims for damages or injunctions, which are very rare in practice.