French, German Legislators Increase Exposure for DP Violations
On January 26, the French National Assembly passed a bill that would immediately give the CNIL the same sanctioning power it would otherwise receive only when the General Data Protection Regulation comes into effect in 2018. In particular, the CNIL would be empowered to impose fines of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover, far above its current maximum fine of 150,000 euros. While the bill also adopts other requirements found in the GDPR, such as the right to data portability and new limits on data retention, the increase in potential penalties is the most significant, given that the CNIL currently has enforcement actions in various stages of development against both Facebook and Google. The Digital Rights Bill is now pending before the Senate, where its passage is expected sometime this year.

Meanwhile, in Germany the long-heralded “Act to Improve the Civil Enforcement of Consumer Protection Provisions of Data Protection Law” came into effect on February 24. Under the new law, consumer protection organizations may initiate legal actions against companies for data protection violations in advertising and marketing, opinion research, the creation of personal profiles and the sale of addresses and personal data to third parties. While courts may not award damages in cases filed under the law, the negative publicity engendered should be a powerful penalty. Suggesting awareness by the legislators of the present murk surrounding the EU-US Privacy Shield, consumer organizations are expressly denied the right to make claims involving data transfers made before October 6, 2015 under Safe Harbor until September 30, 2016. Consumer organizations in Germany, traditionally quite active, are expected to take advantage of the new law without delay. A summary of key provisions of the law, which introduces legal recourse somewhat akin to class action lawsuits, may be found here.