French supervisory authority sanctions: the Conseil d'État confirms there is no obligation of prior formal notice

In a decision of 17 April 2019, the Conseil d'État (France's supreme administrative court) refused to overturn the sanction imposed by the CNIL (the French data protection authority) on the company OPTICAL CENTER. The company had challenged the sanction on the grounds that it was not preceded by a formal notice that would have allowed it to correct the problems.

In 2017, a CNIL investigation opened following several complaints about OPTICAL CENTER revealed that simply entering URLs in a browser gave access to a large number of invoices and purchase orders of the company's customers, because access to these documents was not restricted to customers logged into their personal account.

The CNIL then decided to impose a fine of 250,000 euros for this serious security breach, which violated Article 34 of the French Data Protection Act [1], without any prior formal notice allowing the company to correct the errors, and even though the company had already taken the measures needed to fix the problem.

The company brought this decision before the Conseil d'État, which, in its judgment of 17 April 2019, upheld it and recalled that a formal notice is not a mandatory step before a sanction is imposed: Article 45 of the law of 6 January 1978 provides that "Where the breach found cannot be brought into conformity in the context of a formal notice, the restricted formation may pronounce, without prior notice and after a contradictory procedure, the sanctions provided for".

The Conseil d'État concludes from this that the CNIL may skip the formal notice stage when it is clearly pointless: either when the breach cannot be remedied or, as in the present case, when it has already been remedied.

However, the Conseil d'État reduced OPTICAL CENTER's penalty, ruling that by not taking into account how promptly the company had responded to its requests, the CNIL had imposed a disproportionate penalty; the fine was therefore reduced to 200,000 euros.


Read the full decision here (in French)

[1] Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés