In July 2017, the CNIL took action following two data breaches in relation to online platforms. Given the number of security breaches, it decided to act more severely and impose financial sanctions.
In the first case, a service provider made information on more than 35,000 customers of a car rental company available online (the information included identity, address, email address and driver’s license number). The CNIL considered that the company had failed to properly monitor its service provider and therefore imposed a €40,000 fine on the company. The CNIL did, however, take into account the fact that the breach was corrected as soon as the company became aware of it and that the company had conducted security audits.
In the second case, detailed information about subscribers of a platform for car rental between individuals was accessible for three years (the information included the full name, address, telephone number, date of birth, driver’s license number and location data of the vehicle offered for rental). The CNIL found that the incident was related to a basic security flaw, which the company had since rectified. The CNIL issued a public warning against the company rather than a fine because the facts occurred before a change in the law, which only now authorises the CNIL to fine companies immediately without first having to issue a notice to remedy the breach. However, the CNIL stated that it intends to impose financial sanctions for similar incidents in the future.
Both incidents were reported to the CNIL by a website that claims to act as a whistleblower system open to the public.