French Data Protection Authority Imposes a Record 250,000 € Fine to Optical Center for a Security Breach on its Website

Foley Hoag LLP - Privacy & Data Security
Contact

Foley Hoag LLP - Privacy & Data Security

On June 7, 2018, the French Data Protection Authority (the CNIL) published a decision (issued one month earlier) in which it imposed a record 250,000 euros fine on Optical Center (which, although its name does not indicate, is a French company) for having insufficiently secured the personal data of its customers.

The CNIL noted that customers could access more than 300,000 documents (mainly invoices) of other customers on Optical Center’s website site rather easily, by entering several URLs in a browser’s address bar. Optical Center did not implement a feature requiring customers to connect to their personal space in the customer area before any invoices are displayed (which would have limited access to other customers’ information). In other words, Optical Center customers could see too much!

The breach was qualified as critical because these invoices contained sensitive personal data:  surname, first name, postal address, health data (vision correction) and, in some cases, the social security number and date of birth of the data subjects. Health data and social security numbers, as sensitive data, have indeed an even deeper protection than standard personal data, as we explained on this blog before. The company had already been fined for a security breach in 2015. Hence the large amount of the fine, which is the highest ever imposed in France for a security breach.

The CNIL also explained that the publication of its decision was necessary because the number of data breaches has increased substantially in the recent years and there is a need to raise awareness.  The decision is available in French here.

The General Data Protection Regulation (GDPR) was not yet applicable to this case, but French law (Law n° 2016-1321 of 7 October 2016 for a Digital Republic) had, in that respect, anticipated the GDPR at the time by increasing the maximum amount of fines for non-compliance with data protection rules from 150,000 euros to 3 million euros.

For future cases to which GDPR will apply, in France and elsewhere in the European Union, the fines could be even higher, as GDPR increases the maximum fines up to 4% of the total worldwide annual turnover or 20 million euros, whichever is the greater.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Privacy & Data Security | Attorney Advertising

Written by:

Foley Hoag LLP - Privacy & Data Security
Contact
more
less

Foley Hoag LLP - Privacy & Data Security on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.