Lessons from the latest CNIL sanctions of 2021

In two decisions dated December 28, 2021, the CNIL's restricted committee fined the companies SLIMPAY and FREE MOBILE for failure to comply with their obligation to ensure the security of personal data, even though no fraudulent use of the data had been observed and no harm had been established.

Analysis of the sanction of €180,000 imposed on the company SLIMPAY

On December 28, 2021, the CNIL's restricted committee fined SLIMPAY €180,000 for failing to comply with its obligation to ensure the security of personal data and its obligation to inform the data subjects.

Jurisdiction of the CNIL - The competent authority to pronounce this sanction is the CNIL because the company's head office is in France. However, as the persons concerned by the data breach are located in Germany, Spain, Italy and the Netherlands, the CNIL (lead supervisory authority) cooperated with the supervisory authorities of these countries.

Facts and Procedure - SLIMPAY, which is in the business of IT systems and software consulting, is an authorized payment institution in the Single Euro Payments Area ("SEPA") and offers recurring payment services and subscription management solutions to its customers.

In 2015, the company imported its customers' personal data, contained in its databases, to a specific server for use in an internal research project on an anti-fraud mechanism.

However, one year later, even though the research project had come to an end, the clients' data remained stored on this server without any particular security procedure, leaving the personal data (civil status, banking data and contact information) of 12 million people freely accessible on the Internet.

It was only in February 2020, after being alerted by one of its customers, that SLIMPAY isolated the server, sequestered the data and notified the CNIL of the data breach.

Following this notification, the CNIL carried out an inspection on the company and found various breaches of the obligations provided for by the GDPR.

It should be noted that the fact that the company itself initiated the procedure by notifying the breach of its security obligation does not prevent the CNIL from finding other breaches of the GDPR.

Thus, the CNIL has identified three breaches of the GDPR:

1. Failure to comply with the obligation to provide a formal legal framework for the processing operations carried out by a sub-processor

Article 28 of the GDPR lists all the obligations, clauses and compulsory information that must be included in the contract concluded between a data processor and a data sub-processor who processes data on behalf of the data controller. Indeed, the sub-processor has the same obligations and guarantees regarding the implementation of technical and organizational measures as the initial processor.

However, the CNIL found that when SLIMPAY, which acted as a data processor in the context of providing its services to its customers, had recourse to sub-processors, it had not complied with Article 28 of the GDPR: the company had merely drawn up a non-binding questionnaire on subcontracting, and the contracts entered into with sub-processors contained neither the clauses nor the compulsory information required by Article 28 of the GDPR.

2. Failure to comply with the obligation to ensure the security of personal data

Article 32 of the GDPR requires the data controller and the data processor to implement appropriate technical and organizational measures in order to guarantee a sufficient level of security.

However, the CNIL found that SLIMPAY had continuously failed to meet its security obligation insofar as the data of SLIMPAY's customers remained hosted on a server between November 2015 and February 2020 without any particular security measures having been put in place, with the result that the data were freely accessible from the internet by means of a URL.

Indeed, the CNIL criticizes the company for not having put in place measures to restrict access and log access to the server and for having kept this data in readable formats.

3. Failure to inform data subjects of a personal data breach

Article 34 of the GDPR provides that where a personal data breach is likely to result in a high risk to the rights and freedoms of an individual, the data controller has an obligation to communicate the data breach to the data subject.

The CNIL considered that, given the nature of the personal data (notably banking information), the volume of data subjects (12 million), the ease of identifying the data subjects and the possible consequences for the data subjects (risk of phishing or identity theft), the risk associated with the breach must be considered high.

Thus, the CNIL concluded that SLIMPAY failed to comply with its obligations under Article 34 of the GDPR insofar as it did not inform the data subjects of the data breach, which it should have done.

Sanction and publicity of the decision - Considering the large number of data subjects, the sensitivity of the exposed data, the long period during which these data were accessible and the company's sector of activity, the CNIL decided to fine SLIMPAY €180,000 and to make its decision public.

Analysis of the sanction of €300,000 imposed on the company FREE MOBILE

On December 28, 2021, the CNIL's restricted committee imposed a fine of €300,000 on FREE MOBILE for failing to comply with its obligation to ensure the security of personal data and to respect the rights of individuals.

Facts and procedure - FREE MOBILE is a cell phone operator that markets cell phones and/or packages. Between December 2018 and November 2019, the CNIL received 19 complaints from individuals indicating that they had faced difficulties exercising their right of access or their right to object to commercial prospecting messages sent by the operator.

Following these complaints, the CNIL carried out two on-site and document-based investigations of FREE MOBILE during which it noted several breaches of the GDPR:

1. Failure to respect the individuals' rights (right of access and right to object)

Regarding the right of access, several individuals had asked FREE MOBILE for access to their personal data (telephone number, copy of a call recording, etc.).

However, the CNIL found that the operator failed to comply with the obligations set out in Articles 12 and 15 of the GDPR relating to the right of access by not responding to the requests made by the complainants within the one-month period provided by the GDPR.

Regarding the right to object, several individuals had received commercial prospecting communications (telephone canvassing, commercial prospecting by SMS and mail, etc.) from FREE MOBILE even though they had previously objected to the processing of their personal data for commercial prospecting purposes.

In this context, the CNIL noted that the operator had not complied with the obligations set out in Articles 12 and 21 of the GDPR relating to the right to object by not taking into account the complainants' requests to object to the processing of their data for commercial prospecting purposes within the one-month time limit provided for by the GDPR.

2. Failure to comply with the obligation to protect individuals' data by design

Several individuals continued to receive invoices for telephone lines whose subscription had been previously cancelled.

The CNIL therefore considered that FREE MOBILE had failed to comply with the obligations set out in Article 25 of the GDPR insofar as an invoicing process producing obsolete information had been implemented, and technical and organizational measures allowing the deletion of personal data no longer necessary for invoicing purposes had not been built in at the design stage.

3. Failure to comply with the obligation to ensure the security of personal data

The CNIL found that the operator failed to comply with the security obligation set forth in Article 32 of the GDPR insofar as FREE MOBILE transmitted users' passwords in clear text by e-mail when they subscribed to an offer with the company, without these passwords being temporary or for a single use and without the company requiring them to be changed. This made the passwords easily usable by a third party.

Sanction and publicity of the decision - Considering the plurality of breaches of the GDPR, the numerous complaints, the risk to privacy associated with the lack of data security and the importance of FREE MOBILE in the telecommunications sector, the CNIL has decided to impose a fine of €300,000 on FREE MOBILE and to make its decision public.

What can we learn from these two decisions?

In general, these sanctions demonstrate once again the strong interest of the CNIL in the security measures implemented by organizations and their effectiveness. Indeed, the breach of the security obligation is one of the most frequently invoked by the CNIL in its sanctions over the last few years.

As for the lessons to be drawn from these new sanctions, the CNIL has considered that the absence of fraudulent use of the data and of proven harm has no bearing on the characterization of a breach of the security obligation set forth in Article 32 of the GDPR.

Indeed, in these two decisions, people's data were only exposed to a risk of breach and were not in fact exploited by a hacker.

Furthermore, the CNIL seems to accept that the mere absence of security measures, or their insufficiency, creates a risk of data breach that is in itself sufficient to characterize a breach of the security obligation.

Indeed, although the CNIL did not find a violation, in the strict sense, of the security obligation deriving from the GDPR and the French Data Protection Act (Loi Informatique et Libertés, or LIL), it considered that the processing at issue was contrary to the guides and recommendations of the CNIL and of ANSSI on data security.

The guides and recommendations of the CNIL and ANSSI are not binding. However, the CNIL considers that they set out "elementary security precautions corresponding to the state of the art", which justifies taking this soft law into account in its decisions alongside the application of the GDPR.

These deliberations therefore deserve special attention insofar as, from now on, the sanctions provided for by the GDPR for a breach of the security obligation may be applied even in the absence of proven harm or of an actual data breach.

Thus, it is recommended that data controllers and processors be particularly vigilant in implementing appropriate security measures and mechanisms for timely notification of such data breaches to data subjects and supervisory authorities.