The French Data Protection Authority (‘CNIL’) imposed a huge GDPR fine on Google LLC (EUR 50 million) on 21 January 2019, based on a lack of information and transparency for users. It took into account the large volume of data and number of individuals involved in this violation of privacy.
In general, the CNIL has not yet imposed fines as vigorously and as widely as many people feared: it started first and foremost by providing information, guidelines, e-learning training and various tools about the GDPR on its website. Also, smaller companies are being treated with more leniency.
Nevertheless, the CNIL has already imposed fines on Bouygues Telecom (EUR 250,000), Uber (EUR 400.000), Dailymotion (EUR 50.000) and Optical Center (EUR 250.000), all relating to a lack of technical measures securing client data.
Complaints to the CNIL have increased by 32.5% compared with 2017 and relate to requests to erase data on the Internet, but also complaints regarding inadequate security for personal data in the marketing and business, human resources, banking and health and social services sectors.
Despite its aim of ending the fragmentation of rules within the EU, the GDPR still allows the possibility for each EU member state to set its own, or further, rules on a number of subjects. France decided to implement the GDPR by staying as close as possible to the text of the GDPR and by updating its current data protection legislation, which dates back as far as 1978. A law dated 20 June 2018 and an order (‘ordonnance’) dated 12 December 2018 integrated some European provisions on criminal data into French legislation.
The GDPR is slowly gaining attention in labour law but it is too early to cite case law relating to privacy issues covered by the GDPR in the context of employment.
Nevertheless, issues around data protection arise more and more frequently in organisations, for example, data subject access requests. Some employees ask for a copy of their personal data, as a possible preliminary to litigation, notably in cases of termination of employment. Unions and staff representatives are more aware of the issues and question employers regarding the implementation of the GDPR.
Some IT and HR departments have already been confronted with breaches in the security system for personal data, which have forced them to communicate swiftly with the CNIL and with potentially affected employees.
Multinational companies with French subsidiaries have also had to re-think the volume and the level of detail of (local) personal data that they ask to be transferred to their headquarters, especially outside the European Union.