While organizations in the EU will have to get used to the possibility of receiving fines of up to 4% of total worldwide annual turnover when the General Data Protection Regulation (GDPR) comes into force in roughly 2 years’ time, organizations in France should prepare for higher sanctions sooner.
A bill (the Digital Republic Bill), passed by the French National Assembly on 26th January 2016 and now before the French Senate, would amend Article 47 of the French Data Protection Act to give the French Data Protection Authority (the CNIL) the power to impose penalties for breaches of data protection law of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover. Up until now, the CNIL could only issue penalties of up to 150 000 euros.
Additionally, and most importantly in this bill, the National Assembly is taking measures to anticipate the future GDPR.
The CNIL has complained for years that the sanctioning powers available to it were too limited and has argued that a 150 000 euros maximum was insufficient to act as a deterrent to multinational companies. Having reviewed a draft of the Digital Republic Bill, the CNIL issued an opinion on 17th December 2015 regretting that certain of its key recommendations concerning the strengthening of sanctions had not been adopted by the French Government. Indeed, the Government initially opposed taking steps to prepare for the GDPR in this bill; in the first version of the bill introduced into the National Assembly on 19th January this year, there was no mention of the CNIL’s increased sanctioning power.
In view of the CNIL’s concerns, several members of Parliament decided to present amendments to increase the CNIL’s sanctioning regime. The parliamentary debate that followed showed that there was consensus across the political spectrum about the need to strengthen the CNIL’s sanctioning powers. The government - through Axelle Lemaire, Secretary of State in charge of the digital economy - opposed the amendments at first. She considered that the text submitted by the deputies was too different from the GDPR. Eventually, she agreed that it was necessary to strengthen the CNIL’s sanctioning powers.
In order for the bill to conform to the new GDPR, Secretary Lemaire presented a sub-amendment introducing a two-tier penalty structure. As in the GDPR, the first level of sanctions enables the CNIL to impose penalties of up to 10 million euros, or up to 2% of total worldwide annual turnover, for infringements that are considered less severe, such as a breach of data security. The second level of sanctions allows the CNIL to impose penalties of up to 20 million euros, or up to 4% of total worldwide annual turnover, for the most serious infringements, such as a violation of individuals’ rights in relation to the processing of their personal data.
The bill is now on its way to the Senate. If the bill passes with this provision left intact, France will have a two-year head start over the GDPR in terms of the power of the data protection authority to impose significant sanctions.