A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euro penalty on the company Optical Center for failing to secure personal data on its website, where a breach occurred that allowed access to invoices and purchase orders containing personal and sensitive data of customers. Following Optical Center's appeal, the French highest administrative court (the "Council of State") confirmed the sanction but reassessed the amount of the penalty to 200,000 euros in a recent decision dated 17 April 2019.
Unlike in the U.S. in particular, sanctions for data breaches in France remain in the hands of the regulator, the CNIL. Given that the sanction was pronounced before the entry into force of the GDPR, the CNIL was limited in its sanction powers, and the penalty, compared to the standards applicable at that time, can be seen as severe. Another factor played a role: Optical Center had already been fined 50,000 euros for a similar data breach on 5 November 2015, a penalty confirmed on 19 June 2017 by the Council of State.
In that respect, the slight reduction of the fine by the Council of State shows a pragmatic, more tolerant approach on the part of the highest administrative court. This reduction can be explained by the Council of State taking into account the behavior of the data controller, highlighting the company's level of cooperation and responsiveness, whereas the CNIL had taken only the reoffending into account.
Although the reduction of the amount of the fine by the...