On June 7, 2018, the French Data Protection Authority (the CNIL) published a decision (issued one month earlier) in which it imposed a record 250,000 euros fine on Optical Center (which, although its name does not indicate, is a French company) for having insufficiently secured the personal data of its customers.
The CNIL noted that customers could access more than 300,000 documents (mainly invoices) of other customers on Optical Center’s website site rather easily, by entering several URLs in a browser’s address bar. Optical Center did not implement a feature requiring customers to connect to their personal space in the customer area before any invoices are displayed (which would have limited access to other customers’ information). In other words, Optical Center customers could see too much!
The breach was qualified as critical because these invoices contained sensitive personal data: surname, first name, postal address, health data (vision correction) and, in some cases, the social security number and date of birth of the data subjects. Health data and social security numbers, as sensitive data, have indeed an even deeper protection than standard personal data, as we explained on this blog before. The company had already been fined for a security breach in 2015. Hence the large amount of the fine, which is the highest ever imposed in France for a security breach.
The CNIL also explained that the publication of its decision was necessary because the number of data breaches has increased substantially in the recent years and there is a need to raise awareness. The decision is available in French here.
The General Data Protection Regulation (GDPR) was not yet applicable to this case, but French law (Law n° 2016-1321 of 7 October 2016 for a Digital Republic) had, in that respect, anticipated the GDPR at the time by increasing the maximum amount of fines for non-compliance with data protection rules from 150,000 euros to 3 million euros.
For future cases to which GDPR will apply, in France and elsewhere in the European Union, the fines could be even higher, as GDPR increases the maximum fines up to 4% of the total worldwide annual turnover or 20 million euros, whichever is the greater.