Data protection breach: France bring forward increase in fines



Data protection breach fines set to increase in France 

It appears France have decided they cannot wait until the GDPR comes into force in 2018 to impose fines of up to 4% of global revenue for a serious data protection breach. A new Bill before the French National Assembly is set to amend the existing Data Protection Law, giving the CNIL powers to impose fines of up to €20,000,000 or 4% of global revenues (whichever is greater). Importantly, there is also an amendment which paves the way for the lesser fine of 2% or €10,000,000 (just like the GDPR).

In other words, they have decided that the sanctions in the new GDPR are exactly what they want, only now, not in two years' time!

What does this mean?

If this (Digital Republic) Bill is passed intact, France will have introduced the GDPR sanctions two years ahead of everyone else in the EU.

This may sharpen the attention spans of some of the larger French data controllers, especially those with significant turnovers which could give rise to fines far in excess of the current maximum of €150,000.

It will be interesting to see how the data-political landscape adjusts to the new fines; will this be an indication of how the rest of Europe may react come 2018?

My predictions would be:

  • the early adoption of the new Data Protection Officer (DPO) role, as they clearly have a risk mitigation remit, and that risk has just potentially increased over 100-fold
  • an increase in demand for mandatory data protection staff training in French multinationals
  • 'closer' relationships between Facebook, Google and the CNIL

If you are a French data controller, let me know in the comments if I got these right.