French Privacy Office Fines Hertz for Exposing Website User Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell

France’s privacy regulator fined Hertz France SAS 40,000 euros ($46,920) over a 2016 data breach involving 35,357 users of the car rental company’s website, the office announced July 27.

The privacy office’s enforcement committee July 18 held that Hertz failed to meet its data security obligations. The enforcement audit of the company’s website determined that a computer coding error by a subcontractor exposed personal data, including names, addresses, and driver’s license numbers, for customers signed up for a discount promotion.

This is the first time that the French privacy regulator (CNIL) has imposed a financial penalty for a data breach. CNIL gained new monetary penalty authority under a 2016 update to the country’s framework data protection statute, the privacy office said. Before the update, the maximum penalty for a data breach would have been a warning, the office said. It can now issue fines of up to 3 million euros ($3.5 million), depending on the seriousness and circumstances of a violation.

Even as companies face the possibility of enforcement fines because of data breaches, cooperation with the privacy office and willingness to make things right can reduce the amount of such fines.

Hertz France was fined 40,000 euros ($46,920) because it quickly took remedial action and was cooperative throughout the audit and correction of the breach, CNIL said.

Gabriel Voisin, an international privacy and data protection partner at Bird & Bird LLP in London, told Bloomberg BNA July 28 that the fine “is a strong signal for organizations that they must make sure that they have implemented appropriate security measures” to protect users’ personal data.

Hertz told Bloomberg BNA in an emailed statement July 28 that the company “takes the security of its customer data extremely seriously.” The company took “took immediate, corrective action” once notified of the problem, Hertz said. “No harm resulted to any individual, as the potential breach was never exploited,” according to Hertz.

Hertz France SAS is a private company under the umbrella of publicly-traded Hertz Global Holdings Inc., according to Bloomberg data.

Voisin said another recent CNIL ruling illustrates that Hertz just had the “bad luck” to have its breach discovered after the new law took effect.

Car-sharing website OuiCar faced a similar subcontractor coding error that left personal data of hundreds of thousands of users exposed for almost three years. But July 20 it received only a warning because the breach was discovered and investigated before the amended law with fining power for CNIL took effect.

To contact the reporter on this story: Rick Mitchell in Paris at correspondents@bna.comTo contact the editor responsible for this story: Donald Aplin in Washington at

For More Information

Full text of CNIL's order is available, in French, at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security