{"id":158,"date":"2017-08-15T19:58:29","date_gmt":"2017-08-15T19:58:29","guid":{"rendered":"http:\/\/ielrblog.com\/?p=158"},"modified":"2017-08-17T21:19:48","modified_gmt":"2017-08-17T21:19:48","slug":"french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach","status":"publish","type":"post","link":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/","title":{"rendered":"French Data Protection Authority Fines US-based Car Rental Company for Data Breach"},"content":{"rendered":"<p>On July 27, 2017, France\u2019s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, \u20ac40,000 for a data breach that rendered roughly 35,000 individuals\u2019 personal information easily accessible through a URL address.<\/p>\n<p>According to <a href=\"https:\/\/www.legifrance.gouv.fr\/affichCnil.do?oldAction=rechExpCnil&amp;id=CNILTEXT000035276047&amp;fastReqId=623604798&amp;fastPos=1\">CNIL\u2019s filing<\/a>, on October 15, 2016, an editor of the French cybercrime news site Zataz.com alerted the data protection authority to a security vulnerability lurking on the website of Hertz France\u2019s discount program. After conducting an investigation, CNIL authorities discovered that 35,327 customers\u2019 personally identifiable information \u2013 including names, dates of birth, postal and email addresses, as well as driver\u2019s license numbers \u2013 could be easily accessed through a URL address. <a href=\"https:\/\/www.out-law.com\/en\/articles\/2017\/july\/french-watchdog-fines-hertz-for-data-breach\/\">CNIL alerted<\/a> Hertz France to the security breach, and Hertz France in turn alerted its IT service provider. 
The car rental company\u2019s audit of the service provider revealed that the security breach was the result of a botched server change operation, in which the IT service provider mistakenly deleted a line of code from the website while transferring the site to a new server.<\/p>\n<p><em>The 2016 Digital Republic Bill and CNIL\u2019s Expanded Enforcement Powers<\/em><\/p>\n<p>This fine is the first monetary penalty issued by CNIL for a data breach since the passage of France\u2019s 2016 <a href=\"https:\/\/www.legifrance.gouv.fr\/eli\/loi\/2016\/10\/7\/ECFI1524250L\/jo\">Digital Republic Bill<\/a> (<em>Loi n\u00b02016-1321 pour une R\u00e9publique num\u00e9rique<\/em>) on October 7, 2016.<\/p>\n<p>The French National Assembly and Senate enacted the massive omnibus bill after months of legislative debate and a period of open online consultation with French citizens. With 113 articles, the Digital Republic Bill constitutes a comprehensive piece of national data protection legislation deliberately crafted to conform to France\u2019s republican tenets, while also securing the nation\u2019s relevance and longevity in the digital age. The bill has its own <a href=\"https:\/\/www.republique-numerique.fr\/pages\/in-english\">website<\/a> that outlines its fundamental tenets: \u201cwider data and knowledge dissemination,\u201d \u201cequal rights for internet users,\u201d and \u201cfraternity through an inclusive digital society.\u201d<\/p>\n<p>In practice, these tenets translate to placing stringent requirements on data controllers regarding the erasure, transfer, and retention of personal data, as well as increasing penalties for violations of the French Data Protection Act.<\/p>\n<p>To realize these policies, the Bill <a href=\"https:\/\/www.cnil.fr\/fr\/ce-que-change-la-loi-pour-une-republique-numerique-pour-la-protection-des-donnees-personnelles\">expands the enforcement powers of CNIL<\/a>. 
CNIL may now impose a maximum monetary penalty of \u20ac3 million, a significant increase from the previous maximum of \u20ac150,000 for any infringement of French data protection laws. Once the European Union\u2019s General Data Protection Regulation (GDPR) comes into full effect in May 2018, CNIL\u2019s maximum enforceable penalty will rise to \u20ac20 million, or, in the case of large companies, up to 4% of the company\u2019s worldwide gross national turnover.<\/p>\n<p><em>What to Expect, in France and Beyond<\/em><\/p>\n<p>For a multinational company such as the Hertz Corporation, \u20ac40,000 is a paltry sum. However, CNIL is merely flexing its muscles at this point. In the <a href=\"https:\/\/www.legifrance.gouv.fr\/affichCnil.do?oldAction=rechExpCnil&amp;id=CNILTEXT000035276047&amp;fastReqId=623604798&amp;fastPos=1\">filing announcing the penalty<\/a>, CNIL notes that it had considered Hertz\u2019s swift response to and resolution of the data breach, as well as its full cooperation with CNIL, as mitigating factors, and thus imposed a light penalty despite the corporation\u2019s \u201cnegligence.\u201d In the future, other entities might not be so lucky. Once the GDPR takes full effect, CNIL may take particular aim at U.S.-based companies such as <a href=\"https:\/\/www.cnil.fr\/en\/facebook-sanctioned-several-breaches-french-data-protection-act\">Facebook, on which it imposed a \u20ac150,000 penalty<\/a> in March, as well as <a href=\"https:\/\/www.theguardian.com\/technology\/2017\/jul\/20\/ecj-ruling-google-right-to-be-forgotten-beyond-eu-france-data-removed\">Google, which it is gearing up to battle in Europe\u2019s highest court<\/a> for an extraterritorial version of the digital \u201cright to be forgotten.\u201d<\/p>\n<p>What about other countries, in the European Union and beyond? Will they follow France\u2019s lead, and stringently enforce their national data protection laws on U.S. companies? 
In general, we may expect greater enforcement from data protection authorities in the European Union, especially once the GDPR takes effect. Furthermore, among U.S. rivals such as Russia and China, we will likely see national data protection directives repurposed as political capital, especially against the United States. In late 2016, one month after the U.S. government accused Russia of hacking the Democratic National Committee\u2019s servers, Russia\u2019s internet watchdog Roskomnadzor <a href=\"https:\/\/www.cnbc.com\/2016\/11\/17\/russia-blocks-linkedin-over-data-protection-violations.html\">blocked LinkedIn<\/a> for alleged data protection violations. Similarly, in China, U.S. companies have faced <a href=\"https:\/\/www.nytimes.com\/2017\/05\/31\/business\/china-cybersecurity-law.html\">increased restrictions on cloud computing<\/a> as they struggle to comply with new cybersecurity regulations that outside groups allege discriminate against non-Chinese businesses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On July 27, 2017, France\u2019s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, \u20ac40,000 for a data breach that rendered roughly 35,000 individuals\u2019 personal information easily accessible through a URL address. 
According to CNIL\u2019s filing, on October 15, 2016, an editor of the French [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[13],"tags":[],"class_list":{"0":"post-158","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-international-administrative-penal-law","7":"entry"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>French Data Protection Authority Fines US-based Car Rental Company for Data Breach | IELR Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"French Data Protection Authority Fines US-based Car Rental Company for Data Breach | IELR Blog\" \/>\n<meta property=\"og:description\" 
content=\"On July 27, 2017, France\u2019s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, \u20ac40,000 for a data breach that rendered roughly 35,000 individuals personal information easily accessible through a URL address. According to CNIL\u2019s filing, on October 15, 2016, an editor of the French [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/\" \/>\n<meta property=\"og:site_name\" content=\"IELR Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/m.facebook.com\/intlenforcementlawreporter\/?ref=bookmarks\" \/>\n<meta property=\"article:published_time\" content=\"2017-08-15T19:58:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-08-17T21:19:48+00:00\" \/>\n<meta name=\"author\" content=\"Zarine Kharazian\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ielr\" \/>\n<meta name=\"twitter:site\" content=\"@ielr\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Zarine Kharazian\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/\"},\"author\":{\"name\":\"Zarine Kharazian\",\"@id\":\"https:\\\/\\\/ielrblog.com\\\/#\\\/schema\\\/person\\\/d97d5908cb441bbcaed11eaad074b544\"},\"headline\":\"French Data Protection Authority Fines US-based Car Rental Company for Data Breach\",\"datePublished\":\"2017-08-15T19:58:29+00:00\",\"dateModified\":\"2017-08-17T21:19:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/\"},\"wordCount\":712,\"commentCount\":0,\"articleSection\":[\"Administrative Penal Law\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/\",\"url\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/\",\"name\":\"French Data Protection Authority Fines US-based Car Rental Company for Data Breach | IELR 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/ielrblog.com\\\/#website\"},\"datePublished\":\"2017-08-15T19:58:29+00:00\",\"dateModified\":\"2017-08-17T21:19:48+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/ielrblog.com\\\/#\\\/schema\\\/person\\\/d97d5908cb441bbcaed11eaad074b544\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/2017\\\/08\\\/15\\\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/ielrblog.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"French Data Protection Authority Fines US-based Car Rental Company for Data Breach\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/ielrblog.com\\\/#website\",\"url\":\"https:\\\/\\\/ielrblog.com\\\/\",\"name\":\"IELR Blog\",\"description\":\"Official Blog of the International Enforcement Law Reporter\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/ielrblog.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/ielrblog.com\\\/#\\\/schema\\\/person\\\/d97d5908cb441bbcaed11eaad074b544\",\"name\":\"Zarine 
Kharazian\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/ed80380bc8641773fc0a6e8c5dbfbcea53b521d2cddf4cd8e38d085691ea0a4d?s=96&d=monsterid&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/ed80380bc8641773fc0a6e8c5dbfbcea53b521d2cddf4cd8e38d085691ea0a4d?s=96&d=monsterid&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/ed80380bc8641773fc0a6e8c5dbfbcea53b521d2cddf4cd8e38d085691ea0a4d?s=96&d=monsterid&r=g\",\"caption\":\"Zarine Kharazian\"},\"url\":\"https:\\\/\\\/ielrblog.com\\\/index.php\\\/author\\\/zarine-kharazian\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"French Data Protection Authority Fines US-based Car Rental Company for Data Breach | IELR Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/","og_locale":"en_US","og_type":"article","og_title":"French Data Protection Authority Fines US-based Car Rental Company for Data Breach | IELR Blog","og_description":"On July 27, 2017, France\u2019s national data protection authority (CNIL) fined Hertz France, the French branch of the American car rental company Hertz Corporation, \u20ac40,000 for a data breach that rendered roughly 35,000 individuals personal information easily accessible through a URL address. 
According to CNIL\u2019s filing, on October 15, 2016, an editor of the French [&hellip;]","og_url":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/","og_site_name":"IELR Blog","article_publisher":"https:\/\/m.facebook.com\/intlenforcementlawreporter\/?ref=bookmarks","article_published_time":"2017-08-15T19:58:29+00:00","article_modified_time":"2017-08-17T21:19:48+00:00","author":"Zarine Kharazian","twitter_card":"summary_large_image","twitter_creator":"@ielr","twitter_site":"@ielr","twitter_misc":{"Written by":"Zarine Kharazian","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/#article","isPartOf":{"@id":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/"},"author":{"name":"Zarine Kharazian","@id":"https:\/\/ielrblog.com\/#\/schema\/person\/d97d5908cb441bbcaed11eaad074b544"},"headline":"French Data Protection Authority Fines US-based Car Rental Company for Data Breach","datePublished":"2017-08-15T19:58:29+00:00","dateModified":"2017-08-17T21:19:48+00:00","mainEntityOfPage":{"@id":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/"},"wordCount":712,"commentCount":0,"articleSection":["Administrative Penal 
Law"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/","url":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/","name":"French Data Protection Authority Fines US-based Car Rental Company for Data Breach | IELR Blog","isPartOf":{"@id":"https:\/\/ielrblog.com\/#website"},"datePublished":"2017-08-15T19:58:29+00:00","dateModified":"2017-08-17T21:19:48+00:00","author":{"@id":"https:\/\/ielrblog.com\/#\/schema\/person\/d97d5908cb441bbcaed11eaad074b544"},"breadcrumb":{"@id":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/ielrblog.com\/index.php\/2017\/08\/15\/french-data-protection-authority-fines-us-based-car-rental-company-for-data-breach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ielrblog.com\/"},{"@type":"ListItem","position":2,"name":"French Data Protection Authority Fines US-based Car Rental Company for Data Breach"}]},{"@type":"WebSite","@id":"https:\/\/ielrblog.com\/#website","url":"https:\/\/ielrblog.com\/","name":"IELR Blog","description":"Official Blog of the International Enforcement Law 
Reporter","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ielrblog.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/ielrblog.com\/#\/schema\/person\/d97d5908cb441bbcaed11eaad074b544","name":"Zarine Kharazian","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/ed80380bc8641773fc0a6e8c5dbfbcea53b521d2cddf4cd8e38d085691ea0a4d?s=96&d=monsterid&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/ed80380bc8641773fc0a6e8c5dbfbcea53b521d2cddf4cd8e38d085691ea0a4d?s=96&d=monsterid&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ed80380bc8641773fc0a6e8c5dbfbcea53b521d2cddf4cd8e38d085691ea0a4d?s=96&d=monsterid&r=g","caption":"Zarine Kharazian"},"url":"https:\/\/ielrblog.com\/index.php\/author\/zarine-kharazian\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pas6ng-2y","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/posts\/158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=158"}],"version-history":[{"count":2,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/posts\/158\/revisions"}],"predecessor-version":[{"id":160,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/posts\/158\/revisions\/160"}],"wp:attachment":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=158"}],"wp:term":[{"t
axonomy":"category","embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}