What does this cover?

By its deliberation n°2015-379, the French data protection regulator, Commission Nationale de l’Informatique et Libertés (CNIL) pronounced a fine of EUR50.000 and a publication of the said deliberation, against Optical Center, a French optical retailer operating more than 400 points of sale and a website with registered users, for the violation of data security related provisions under the Law n°78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (the French Data Protection Act).

The case was brought to the attention of CNIL after a consumer complaint in July 2014 and following the identification of several breaches the CNIL provided Optical Center with a formal notice on 9 December 2014, requiring Optical Center to:

  1. Define and respect the duration of storage of personal data;  
  2. Put in place and guarantee the security of the personal data pursuant to the requirements of article 34 of the French Data Protection Act (notably ensuring encryption of the communication channel and improving the security measures related to the passwords of the employees and the clients); and  
  3. Ensure that its contracts with data processors contain a clause defining the obligations of the processor with respect to data confidentiality and security and specify that the processor shall act solely upon the instructions of the data controller pursuant to article 35 of the French Data Protection Act.  

After subsequent verifications, exchanges between the parties and the instruction of the case by the CNIL, it held in its abovementioned deliberation that the breaches related to password security were not corrected in the timeframe allocated by the CNIL and that its data processor contracts were still not conform to the requirements set out by article 35 of the French Data Protection Act.

The CNIL has already taken actions and pronounced fines against data controllers violating security related provisions under the French Data Protection Act (it has applied sanctions ranging from public warnings to fines up to EUR 10.000 often due to the lack of password security). 

Thus, particularly taking into account the manifestly insufficient security measures put in place by Optical Center, the main takeaway of this decision is the CNIL’s particular attachment to the concept, also contained in the Directive 95/46/EC, that the data processor acts solely pursuant to the instructions of the data controller.

CNIL's information on the requirements is available here.

What action could be taken to manage risks that may arise from this development?

Financial services companies should ensure that their security measures in place for personal data processing in France substantially conform to the requirements of the CNIL.

Financial services companies should also ensure that its data controller / data processor agreements contain the following statement as required by the CNIL:

The data processor shall act solely pursuant to the instructions of the data controller”.

Submitted by Thierry Dor, Partner and Dane Rimsevica, Associate at Gide Loyrette Nouel – Paris, France in partnership with DAC Beachcroft.