A few days before the GDPR entered into force, the CNIL imposed a 250,000 euro penalty on the company Optical Center for failing to secure personal data on its website, where a breach allowed access to invoices and purchase orders containing personal and sensitive customer data. Following Optical Center's appeal, the French highest administrative court (the "Council of State") confirmed the sanction but reduced the penalty to 200,000 euros in a recent decision dated 17 April 2019.

Unlike in the U.S. in particular, sanctions for data breaches in France remain in the hands of the regulator, the CNIL. Because the sanction was pronounced before the GDPR entered into force, the CNIL's sanctioning powers were limited; measured against the standards applicable at the time, the penalty can be seen as severe. Another factor played a role: Optical Center had already received a 50,000 euro penalty for a similar data breach on 5 November 2015, confirmed by the Council of State on 19 June 2017.

In that respect, the slight reduction of the fine by the Council of State shows a pragmatic, more tolerant approach on the part of the highest administrative court. The reduction can be explained by the Council of State taking the data controller's behavior into account, notably the company's level of cooperation and responsiveness, whereas the CNIL had chosen to consider only the repeat offence.

Although the reduction of the fine by the Council of State does not seem significant, the possibility of appealing a decision rendered by the French data protection authority may be considered a real strategic option for companies. Further decisions of the Council of State will show whether it follows a consistent trend of revisiting and reducing the fines imposed by the CNIL.

However, data controllers should stay on guard, as the tide is turning. Over the last months, a marked increase in rigor has been observed in the CNIL's decisions, both those rendered under French pre-GDPR data protection law and those rendered after. Indeed, a few months after its decision against Optical Center, but still before the GDPR entered into force, the CNIL fined Uber 400,000 euros following alleged security breaches, for failure to implement strong authentication measures on the "Github" collaborative platform. The 50 million fine imposed by the CNIL on Google under the GDPR on 21 January 2019 shows the CNIL's willingness to exercise far-reaching control over major digital companies.