Privacy & Information Security Law Blog

On July 27, 2017, the French Data Protection Authority (“CNIL”) imposed a fine of €40,000 on a French affiliate of the rental car company, The Hertz Corporation, for failure to ensure the security of website users’ personal data.

On October 15, 2016, the CNIL was informed of the existence of a security incident which resulted in the compromise of personal data on a French website related to Hertz France’s discount program. The CNIL carried out an online investigation and found that personal data of approximately 35,000 users was easily accessible from a URL address. The CNIL notified Hertz France of the issue, who in turn informed its service provider in charge of designing the website. The service provider immediately took corrective actions to stop the issue. The investigation revealed that the issue was due to a mistake made by the service provider during a server change operation. The CNIL concluded that Hertz France had been negligent in overseeing the actions of its service provider (acting as a data processor). As a result, the CNIL decided to impose a fine of €40,000 on Hertz France. In deciding the amount of the fine, the CNIL took into account the responsiveness of the company in remedying the issue, its initiative to conduct a security audit of its service provider and its appropriate level of cooperation with the CNIL.

This is the first fine imposed by the CNIL since the amendment of the French Data Protection Act by the French Digital Republic Act of October 7, 2016, which has strengthened the CNIL’s enforcement powers, pending the application of the GDPR. Prior to that amendment, the CNIL likely would have simply issued a public warning in such a case (i.e., a decision finding that the company failed to comply with its data protection obligations).