The French data protection act was passed in 1978 and is considered to be the inspiration for the EU data protection directive of 1995. Currently, data controllers are responsible for data protection, not data processors, but that will change when the EU data protection regulation comes into force.
The data protection authority, CNIL, has imposed relatively few sanctions to date, although it does like to publicise the sanctions that it imposes. Those sanctions that have been imposed have been relatively low level. However, it has stated recently that it will step up data breach investigations, placing a priority on organisations offering contactless payments, the internet of things for healthcare and on those organisations that have obtained authorisation for their binding corporate rules.