Back to publications
28 March 2017


New sanctioning powers of the French DATA PROTECTION AGENCY (CNIL)

The expected Law for a Digital Republic finally enacted on October 7, 2016 (Law No. 2016-1321) has substantially modified the control and enforcement power as well as the sanctions of the CNIL, this well before the entry into force of the General Data Protection Regulation 2016/679 of 27 April 2016 scheduled for May 25, 2018.

While the most significant part of this reform is the drastic increase of administrative fines which can now peak at € 3 million, the new provisions reinforces the sanction procedure which implies greater involvement of the controlled entity, in particular by laying down the criteria that the CNIL must observe in determining the quantum of the fines.

The combination of these measures should, in a virtuous approach, deeply change the relationship between the CNIL and data controllers by encouraging them to cooperate with the CNIL in order to ensure a more voluntary application of the Data Protection Act.

The following briefly outlines the main measures adopted in that regard.

I – More deterrent sanctions

During parliamentary debates, the inadequacy of the CNIL’s sanctions against some data controllers, notably the GAFA (Google, Apple, Facebook and Amazon) was pointed out. As a reminder, the maximum amount of fines was set at € 150,000 or € 300,000 in case of repeated offense. The new European Regulation 2016/679, to be made effective from May 2018 provides, as for competition law, very dissuasive financial penalties reaching up to € 10 or € 20 million depending of infringements. However, pending its entry into force and for infringements not covered by this Regulation, the Law for a Digital Republic has set to € 3 million the maximum amount of fine that can be imposed by the CNIL (Article 47 of the French Data Protection Act).

In addition, the law reinforces the publication of sanctions which is also a very dissuasive measure, granting the CNIL the power to order the sanctioned data controller to inform individually and at its own expense, each person concerned (article 46).

II – A more effective sanction proceeding

The CNIL can now impose sanctions without prior notice in cases where “the infringement cannot be brought into conformity in the context of a formal notice”, for example when an infringement happened punctually and has already been remedied. This will impact the behaviour of data controllers who could, under the previous law, safely wait for the formal notice of the CNIL to start complying with the law. As a result, sanctions were scarce, with the CNIL imposing fines only in cases where the formal notice had been ignored (last example: the dating sites Meetic and Attractive World which were respectively sentenced to € 20,000 and € 10,000 by a CNIL decision dated of December 15, 2016).

Now, data controllers should remain cautious and react quickly since the formal notice is no longer systematic and “in case of extreme emergency” the CNIL may require the controller to cease the infringement within 24 hours, while the minimum time period was previously of 5 days in case of emergency.

Finally, as it is already the case for the French Competition Authority and the Financial Markets Authority, the CNIL can now cooperate with an authority located in a State that is not a European Union member and which has similar powers to its own, provided that an agreement is concluded to organize their relationship.

III – A valued and encouraged cooperation of data controllers

In addition to these measures which reinforce the CNIL’s powers of sanction, article 47 now sets out the criteria that the CNIL must observe when determining the amount of a fine so that it is proportionate to the sanctioned infringement.

Then, the CNIL must take into account: “the intentional or negligent character of the infringement, the measures taken by the data controller to mitigate the damage suffered by the individuals, the degree of cooperation with the Commission to remedy the breach and to mitigate any adverse effects, the categories of personal data concerned and the manner in which the infringement has been brought to the attention of the Commission”.

With the Law for a Digital Republic, the CNIL must now justify precisely the amount of the imposed sanction. This provision is in line with the philosophy of the EU Regulation 2016/679 and ensures a progressive transition to the requirements stipulated in its Article 83 on the consideration of “general conditions for the imposition of administrative fines”.

To sum up:

The Law for a Digital Republic strengthens the sanctioning powers of the CNIL now allowing it:

  • to impose fines of up to € 3 million;
  • to order the sanctioned data controller to inform individually and at its own expense, each person concerned;
  • to impose penalties without prior formal notice where the infringement cannot be brought into conformity;
  • to reduce the cure period granted in the formal notice up to 24 hours in the event of extreme urgency;
  • to co-operate with an authority located in a State which is not a member of the European Union and which has powers similar to its own;

And, in return, the CNIL will have to:

  • justify precisely the amount of imposed fines in accordance with the criteria now laid down by the law.


YOUR contact :
f. lecomte

Frédéric Lecomte