On June 30, 2022, the Commission Nationale de l’informatique et des libertés (“CNIL”), the French Data Protection Agency, imposed a € 1 million fine on TotalEnergies Électricité et Gaz France for failing to fulfil its obligations in the area of commercial marketing and individual rights.
The CNIL began investigating the company’s data privacy practices after multiple complaints had been filed by consumers. The CNIL found that the subscription form for new customers on the company’s website required consumers to agree to the use of their personal information for the receipt of marketing communications, but did not offer a way to opt out of such communications. In addition, the CNIL found that in telephone solicitations to consumers, TotalEnergies failed to communicate important information about how the company handles personal data, and did not offer the option of accessing additional information on the topic. The CNIL found, further, that TotalEnergies had failed to provide individuals access to their own data, had failed to respond to consumers’ requests to access their own data and their requests not to receive marketing materials, and had not answered, within the one-month time limit, consumers’ requests to exercise their rights.
The CNIL concluded that these practices constituted infringements of Articles 12, 14, 15, and 21 of the General Data Protection Regulation, and Article L.34-5 of the French Code of Postal and Electronic Communications. In determining the appropriate penalty, the CNIL took into consideration these infringements and the TotalEnergies’ conduct during the course of the investigation, including the company’s failure to provide its 2020 balance sheets when requested to do so. Whereas the law allows for the imposition of both injunctive relief and monetary penalties up to 4% of the company’s global annual turnover, it also requires the relevant authority to assess these measures such that they are effective, proportionate and serve as a deterrent. The CNIL panel decided that, on the one hand, a harsh penalty would not be consistent with the extent, gravity and duration of the violations, yet on the other hand, a monetary penalty is appropriate – particularly in light of the fact that TotalEnergies is the third largest energy supplier in France, and has access to approximately 8 million customers and prospective customers. Therefore, the CNIL determined on a € 1 million fine. And since, during the course of the investigation the company took measures to bring its practices into conformity with the law, the CNIL deemed that no injunction would be necessary. The CNIL viewed the publication of its determination to be appropriate, but after two years will not identify the company by name.