Over the years, the penalties imposed by the CNIL have become increasingly severe. This rise was marked by the entry into force of the GDPR in 2018, introducing considerable fines for non-compliance with data protection rules. Since that date, the CNIL has imposed more than €500 million in fines, and that figure continues to climb.
If you are in breach of the GDPR, what penalty can you expect? More importantly, what do you need to do to comply and avoid GDPR fines? We explain.
The legal framework for GDPR fines
The role of the CNIL, the authority responsible for enforcing compliance with the GDPR
The CNIL (Commission Nationale de l’Informatique et des Libertés) is the independent administrative authority responsible for ensuring that all organisations in France comply with the principles of the GDPR. Its role is to advise, alert and inform the general public, individuals and professionals alike, but it also has the power to carry out checks and impose penalties.
Inspections, whether carried out on site, based on documentary evidence, at a hearing or online, enable the CNIL to check that organisations are actually implementing the GDPR. At the end of the inspection and investigation carried out by the departments, the President of the CNIL may decide, depending on the breaches found, to close the case, issue a formal notice or refer the matter to the CNIL’s select committee with a view to imposing a penalty on the organisation.
The origin of GDPR fines
There are two main sources of GDPR fines:
- Complaints from data subjects: citizens are much more aware of the risks and their privacy rights, and no longer hesitate to exercise them. This is why the majority of sanctions imposed by the CNIL come from complaints from data subjects or associations. These complaints have been on the increase since the GDPR came into force, with more than 12,000 complaints lodged in 2022, according to the CNIL’s 2022 assessment. In response to these complaints, the CNIL carried out 345 inspections, issued 147 formal notices and 21 sanctions, resulting in a total of €101 million in fines;
- The decision to carry out an inspection also depends on current events and on the CNIL’s priority themes for the year. This is an annual programme drawn up by the CNIL on the basis of topics where privacy issues have been identified. In 2023, the CNIL is focusing on:
o The use of “augmented” cameras by public bodies;
o The use of the personal credit incident file;
o The management of health files;
o And mobile applications.
The CNIL sanctions process
If a breach is found following a complaint or a CNIL inspection, the organisation is informed and has one month to submit its observations. Once the investigation has been completed, a meeting of the select committee is organised. At the end of the meeting, the members of the CNIL’s select committee decide on the sanctions and may decide to make them public.
While it is mainly the big American companies that have been hit with the largest GDPR fines (up to €150 million against Google), it should not be forgotten that all organisations are affected, regardless of their size, particularly since the introduction of the simplified penalty procedure.
The new simplified penalty procedure
Introduced in April 2022, this procedure enables the CNIL to deal quickly with cases involving small organisations and presenting no particular difficulties. It is therefore aimed at a wide range of players, including SMEs, universities, doctors and local authorities. Penalties imposed under this new procedure may not exceed €20,000 and are not made public. For example, the CNIL has imposed penalties under this simplified procedure on:
- a marketing agency for failing to cooperate with the CNIL: €10,000 fine and injunction;
- a university for failing to comply with the principle of data processing purposes: €10,000 fine.
How are CNIL sanctions determined and what impact do they have on companies?
Determination of the amount of GDPR fines by the CNIL
The CNIL assesses GDPR fines according to the seriousness of the infringements committed by companies. There are two levels of fine:
- Up to 2% of the company’s annual worldwide turnover or €10 million, whichever is higher (for breaches relating to the collection of consent from minors, privacy by design, etc.);
- A more severe level of up to 4% of annual worldwide turnover or €20 million, whichever is higher (for breaches of data protection principles or of the conditions of lawfulness, for example).
The penalties imposed by the CNIL under the GDPR are not imposed arbitrarily. On the contrary, they are determined according to a structured process that takes several factors into account. Article 83 of the GDPR sets out the criteria taken into account to determine the appropriate fine:
- Nature, seriousness and duration of the breach;
- Number of data subjects affected;
- Categories of personal data concerned;
- Cooperation with the CNIL;
- Measures taken by the organisation to mitigate the damage suffered by data subjects;
- The company’s track record in terms of GDPR compliance.
Proactive cooperation with the CNIL during the inspection and the swift implementation of corrective measures play a crucial role in minimising the amount of the fine.
Other CNIL penalties
In addition to fines, the CNIL can also impose other types of GDPR sanctions, including:
- A reprimand (rappel à l’ordre);
- The restriction or temporary suspension of certain data processing activities that do not comply with the GDPR;
- The publication of press releases or other public statements to inform the public of a company’s breaches. This measure can have a significant impact on a company’s reputation;
- Measures to remedy the damage suffered by data subjects: return of data, communication of a breach to data subjects and other remedial actions;
- Suspension of data transfers outside the EU until adequate protection measures are put in place.
The real impact of GDPR sanctions
The higher a company’s revenues, the greater the risk and the higher the GDPR fines.
Some examples of financial penalties imposed by the CNIL:
- On 14 June 2021, following an inspection mission, the CNIL fined Brico Privé €500,000 for failing to comply with several GDPR obligations. This is a very interesting decision, particularly with regard to the procedures for informing data subjects and depositing cookies as part of the CNIL’s online monitoring mission.
The key point to note from this decision is the need to provide website users with full information within the meaning of Article 13 of the GDPR. This includes:
o The identity and contact details of the data controller and of the DPO;
o All data processing purposes and the legal basis justifying each processing operation;
o The recipients or categories of recipients of the data;
o Any data transfers outside the European Economic Area;
o The data retention period, or the criteria used to determine it, for each processing purpose;
o The rights of data subjects;
o The right to lodge a complaint with the CNIL.
- More recently, on 11 May 2023, the CNIL imposed two fines on Doctissimo, including one of €100,000 for a breach relating to cookies. Following a complaint from the association Privacy International, the CNIL found during an inspection that an advertising cookie had been deposited on the user’s terminal as soon as they arrived on the site without consent, and that two advertising cookies had been deposited even after they had clicked on the ‘Refuse’ button on the banner.
In this decision, the CNIL points out that advertising cookies are not considered strictly necessary for the provision of the service and are therefore subject to consent. It also points out that cookies subject to consent cannot be deposited before the user gives his consent or when he clicks on “Refuse”.
In addition to financial penalties, failure to comply with the GDPR may have other consequences:
- Publication of the penalty by the CNIL, at its discretion, which can have a negative effect on the organisation’s reputation, attracting media attention and potentially causing distrust among customers and partners;
- Criminal penalties of up to 5 years’ imprisonment and a fine of €300,000 for failing to inform data subjects, failing to respect their rights or data security obligations, or misusing data for other purposes;
- The payment of damages to compensate for the harm suffered by data subjects who are victims of the breach, in the event of recourse to the courts, particularly in the context of collective action.
Good practice to avoid GDPR fines
The most obvious: complying with the obligations imposed by the GDPR
To avoid GDPR fines, the most obvious first step is to take the GDPR seriously and comply with the obligations that are imposed. These obligations include the need to process personal data lawfully and ethically, to inform data subjects about how their data is used, and to ensure the security of that data. To ensure compliance, it is recommended, and in some cases compulsory, to appoint a Data Protection Officer (DPO).
The importance of documentation and record-keeping
When the GDPR came into force, the burden of proof was reversed compared with the previous Data Protection Act, with the introduction of the principle of accountability: it is now up to the organisation to be able to demonstrate its compliance at any time. This means keeping a register of data processing operations, carrying out DPIAs (Data Protection Impact Assessments) for the riskiest processing operations, raising staff awareness, etc. This documentation is essential to demonstrate compliance in the event of an inspection by the CNIL.
Having a GDPR-compliant website
In the CNIL’s latest report, online checks on websites or mobile applications represent the second most common method of control used by the CNIL (37%). So having a GDPR-compliant website is crucial.
To comply with the regulations, you must meet several obligations:
- A privacy policy and a cookie policy that are complete, clear and accessible at all times, to inform users of what you do with their data. It is important to note that the privacy policy does not only concern the data of visitors to your website: it covers all of your organisation’s external data processing operations;
- Manage your cookies effectively with a banner informing site users about the different cookies in use and a consent manager. This allows users to choose the types of cookies they accept or refuse, and allows you to document the consents obtained.
Thanks to these elements, you can ensure your GDPR and ePrivacy compliance, while strengthening trust with your users.
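The two rules the Doctissimo decision restates (no consent-based cookie before the user has chosen, none after “Refuse”) and the consent manager described above can be enforced in a single gate on the client side. The following is an added example written for this article; it is not code from the CNIL, from Doctissimo or from any consent-management product. The category names, the consent record format and the in-memory stand-in for `document.cookie` (used so the example runs offline) are assumptions; in a real page you would pass `document` as the cookie jar.

```javascript
// Added example: a consent-gated cookie layer. Every cookie is tagged with a
// category; only "necessary" cookies are written before the user has chosen,
// and refused categories are both blocked and cleaned up. Nothing here is
// taken from the article's own sources; names and formats are assumptions.

const CATEGORIES = {
  necessary: { requiresConsent: false },
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
};

// Minimal in-memory replacement for document.cookie so the logic runs under
// Node. Assigning "name=; Max-Age=0" deletes, any other assignment upserts.
function createMemoryCookieJar() {
  const store = new Map();
  return {
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const [name, value] = pair.split("=");
      const expired = attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a));
      if (expired) store.delete(name); else store.set(name, value);
    },
    get cookie() {
      return [...store].map(([k, v]) => `${k}=${v}`).join("; ");
    },
  };
}

function createConsentManager(cookieJar, policyVersion = "v1", now = () => new Date()) {
  let consent = null;              // null = banner still shown, no choice made
  const setByCategory = new Map(); // category -> Set of cookie names we wrote
  const audit = [];                // every attempt, allowed or blocked

  function isAllowed(category) {
    const cat = CATEGORIES[category];
    if (!cat) throw new Error(`unknown cookie category: ${category}`);
    return !cat.requiresConsent || (consent !== null && consent.choices[category] === true);
  }

  // The single gate: tags call this instead of writing document.cookie directly.
  function setCookie(name, value, category, maxAgeSeconds = 3600) {
    const allowed = isAllowed(category);
    audit.push({ name, category, allowed, at: now().toISOString() });
    if (!allowed) return false; // dropped: no deposit before consent or after "Refuse"
    cookieJar.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
    if (!setByCategory.has(category)) setByCategory.set(category, new Set());
    setByCategory.get(category).add(name);
    return true;
  }

  function deleteCookie(name) {
    cookieJar.cookie = `${name}=; Max-Age=0; Path=/`;
  }

  // Record the choice, remove anything already written for a now-refused
  // category, and persist the proof of consent in a necessary cookie.
  function recordChoices(choices) {
    consent = { choices: { ...choices }, recordedAt: now().toISOString(), policyVersion };
    for (const [category, names] of setByCategory) {
      if (!isAllowed(category)) {
        names.forEach(deleteCookie);
        setByCategory.delete(category);
      }
    }
    setCookie("consent_record", JSON.stringify(consent), "necessary", 180 * 24 * 3600);
    return consent;
  }

  const acceptAll = () => recordChoices({ analytics: true, advertising: true });
  const refuseAll = () => recordChoices({ analytics: false, advertising: false });

  return { setCookie, recordChoices, acceptAll, refuseAll, isAllowed,
           getAudit: () => audit.slice(), getConsent: () => consent };
}

function cookieNames(jar) {
  return jar.cookie ? jar.cookie.split("; ").map((c) => c.split("=")[0]) : [];
}

// Constructed scenario mirroring the pattern in the decision: ad tags fire on
// arrival (before any choice) and again after the banner is answered.
function simulateVisit(action) {
  const jar = createMemoryCookieJar();
  const cm = createConsentManager(jar);
  cm.setCookie("ad_id", "abc", "advertising");  // blocked: no choice yet
  cm.setCookie("session", "xyz", "necessary");  // allowed: exempt from consent
  if (action === "refuse") cm.refuseAll(); else if (action === "accept") cm.acceptAll();
  cm.setCookie("ad_id", "abc", "advertising");  // only written after "Accept"
  cm.setCookie("ad_sync", "def", "advertising");
  return cookieNames(jar);
}

console.log("no choice:", simulateVisit("none"));
console.log("refuse:   ", simulateVisit("refuse"));
console.log("accept:   ", simulateVisit("accept"));
```

The audit log returned by `getAudit()` is the piece that serves the accountability principle: it records, with a timestamp, each attempt to write a cookie and whether it was allowed, which is the kind of evidence an organisation needs to show that consent is actually gating deposits rather than merely being displayed. The consent record itself is stored in a cookie marked `necessary`, which is the usual reason a consent-proof cookie may be written before any choice is made.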