French Data Protection Authority Imposes Fines on Data Controller and Its Processor for Security Violation

The French Data Protection Authority (the “CNIL”) announced (in French) on January 29, 2021 that it was imposing a fine of €150,000 on a data controller and €75,000 on its data processor for failure to implement adequate security measures. The CNIL found that inadequate security resulted in credential stuffing attacks on the data controller’s websites. In its decision, the CNIL did not reveal the names of the companies sanctioned. The CNIL received several dozen personal data breach notifications from a website that individuals routinely use to make online purchases. In investigations of both the company responsible for processing the data through the website (the data controller) and the…


French Data Protection Authorities Fine Google Nearly $57 Million for Violations of the General Data Protection Regulation’s Notice and Consent Requirements

French regulators have fined Google nearly $57 million for violations of the General Data Protection Regulation (GDPR). This fine was the first major penalty levied against a large U.S. technology company since the regulation took effect in May 2018. France’s data protection authority, known as the CNIL, said that Google failed to fully disclose to users how their personal information is collected and what happens to it. Significantly, regulators said that Google also did not properly obtain users’ consent to use the data to serve them personalized advertisements. The CNIL said in a statement that the violations “deprive the users of essential guarantees regarding processing operations that can…


You Can’t Outsource Liability for Failure To Protect Data – Fine Issued for Negligence in Overseeing a Vendor’s Performance

If a recent decision of the French Data Protection Authority (CNIL) is any indication, companies can expect that data protection authorities will hold them responsible for ensuring that the vendors they contract with can secure and protect the company’s personal data. On July 27, 2017, the CNIL fined the Hertz Corporation €40,000 when information about approximately 35,000 users was exposed to inappropriate access because of the negligence of a vendor in charge of designing the Hertz France website. The privacy office’s enforcement committee held on July 18 that Hertz failed to meet its data security obligations. The enforcement audit of the company’s website determined that a…
