On July 27, 2017, France’s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, €40,000 for a data breach that left roughly 35,000 individuals’ personal information easily accessible through a URL.
According to CNIL’s filing, on October 15, 2016, an editor of the French cybercrime news site Zataz.com alerted the data protection authority to a security vulnerability on the website of Hertz France’s discount program. After conducting an investigation, CNIL authorities discovered that 35,327 customers’ personally identifiable information – including names, dates of birth, postal and email addresses, and driver’s license numbers – could be accessed simply by visiting a URL. CNIL alerted Hertz France to the security breach, and Hertz France in turn alerted its IT service provider. An audit of the service provider by the car rental company revealed that the breach was the result of a botched server migration, in which the IT service provider mistakenly deleted a line of code from the website while transferring the site to a new server.
The 2016 Digital Republic Bill and CNIL’s Expanded Enforcement Powers
This incident constitutes the first monetary penalty issued by CNIL for a data breach since the passage of France’s 2016 Digital Republic Bill (Loi n°2016-1321 pour une République numérique) on October 7, 2016.
The French National Assembly and Senate enacted the massive omnibus bill after months of legislative debate and a period of open online consultation with French citizens. With 113 articles, the Digital Republic Bill constitutes a comprehensive piece of national data protection legislation deliberately crafted to conform to France’s republican tenets, while also securing the nation’s relevance and longevity in the digital age. The bill has its own website that outlines its fundamental tenets: “wider data and knowledge dissemination,” “equal rights for internet users,” and “fraternity through an inclusive digital society.”
In practice, these tenets translate to placing stringent requirements on data controllers regarding the erasure, transfer, and retention of personal data, as well as increasing penalties for violations of the French Data Protection Act.
To realize these policies, the Bill expands the enforcement powers of CNIL. CNIL may now impose a maximum monetary penalty of €3 million, a significant increase from the previous maximum of €150,000 for any infringement of French data protection laws. Once the European Union’s General Data Protection Regulation (GDPR) comes into full effect in May 2018, CNIL’s maximum enforceable penalty will rise to €20 million, or, in the case of large companies, up to 4% of the company’s worldwide gross national turnover.
What to Expect, in France and Beyond
For a multinational company such as the Hertz Corporation, €40,000 is a paltry sum. However, CNIL is merely flexing its muscles at this point. In the filing announcing the penalty, CNIL notes that it considered Hertz’s swift response to and resolution of the data breach, as well as its full cooperation with CNIL, as mitigating factors, and thus imposed a light penalty despite the corporation’s “negligence.” In the future, other entities might not get so lucky. Once the GDPR takes full effect, CNIL may take particular aim at U.S.-based companies such as Facebook, on which it imposed a €150,000 penalty in March, as well as Google, which it is gearing up to battle in Europe’s highest court over an extraterritorial version of the digital “right to be forgotten.”
What about other countries, in the European Union and beyond? Will they follow France’s lead and stringently enforce their national data protection laws against U.S. companies? In general, we may expect greater enforcement from data protection authorities in the European Union, especially once the GDPR takes effect. Furthermore, among U.S. rivals such as Russia and China, we will likely see national data protection directives repurposed as political capital, especially against the United States. In late 2016, one month after the U.S. government accused Russia of hacking the Democratic National Committee’s servers, Russia’s internet watchdog Roskomnadzor blocked LinkedIn for alleged data protection violations. Similarly, in China, U.S. companies have faced increased restrictions on cloud computing as they struggle to comply with new cybersecurity regulations that outside groups allege discriminate against non-Chinese businesses.