By a new decision of sanction rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligations to maintain the security of personal data and to limit its storage. This €400,000 fine is the first sanction imposed on a French company under the General Data Protection Regulation (GDPR) and is also the most significant financial penalty imposed on a French company for data breaches to date. It represents close to 1 per cent of the yearly turnover of the fined company.
Failure to maintain the security of personal data has become one of the heaviest risks for French companies since the entry into force of the GDPR. Pressure on companies has gradually increased over recent months as the CNIL has repeatedly warned stakeholders about the consequences of security breaches, which are increasingly important to, or at least increasingly noticed by, data subjects. In that respect, the CNIL’s recently published activity report states that the CNIL received 1,170 data breach notifications in 2018, compared to approximately 100 notifications in 2017.
Unsurprisingly in that context, the Sergic case started with a complaint filed by a data subject a few months after the GDPR entered into force, stating that Sergic failed to ensure the security of personal data. The investigation conducted by the CNIL on the Sergic website showed that any user could access documents and files stored by other users in their personal spaces, by slightly changing the URL address displayed in the browser. These documents included copies of ID cards, death and marriage certificates, banking information, as well as very sensitive information such as copies of health cards and social insurance cards.
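The flaw described above is a missing server-side ownership check on a document URL. The following is an added illustration written for this post, not code from Sergic or from the CNIL decision: a constructed document store, the vulnerable lookup that trusts the id in the URL, and the corrected lookup that releases a file only to the session that owns it and records every refusal for monitoring.

```python
import re
from typing import Optional

# Constructed sample data for this example; not the company's real records.
DOCUMENTS = {
    101: {"owner": "alice", "name": "id_card.pdf"},
    102: {"owner": "bob", "name": "health_card.pdf"},
}

# Refusals are appended here; a monitoring rule would read this log.
DENIED_ACCESS_LOG = []

PATH_RE = re.compile(r"^/documents/(\d+)$")


def vulnerable_fetch(path: str) -> Optional[dict]:
    """Resolve the document purely from the id in the URL.

    The lookup never consults who is logged in, so editing the number in
    the address bar returns another user's file: the defect in the decision.
    """
    m = PATH_RE.match(path)
    if not m:
        return None
    return DOCUMENTS.get(int(m.group(1)))


def hardened_fetch(session_user: str, path: str) -> Optional[dict]:
    """Same lookup, but an ownership check decides whether the file is sent.

    A missing id and someone else's id both yield None, so the response does
    not disclose which ids exist, and each refusal is logged because a burst
    of them from one session is the signal a detection rule alerts on.
    """
    m = PATH_RE.match(path)
    if not m:
        return None
    doc_id = int(m.group(1))
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        DENIED_ACCESS_LOG.append(f"user={session_user} denied doc={doc_id}")
        return None
    return doc
```

A real application would take `session_user` from the authenticated session, never from a request parameter, and would apply the same check to every route that loads a document by id.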
In this decision, the CNIL refers to basic security measures, defined in its guidelines and in its previous decisions, that data controllers must implement in order to ensure the security of personal data. These include strong authentication processes, such as a policy requiring the creation of complex and frequently updated passwords, and the encryption of data. The CNIL also noted that data controllers should implement data retention policies, defining specific retention periods according to the purposes of each processing.
In France, this new sanction seems like a déjà vu moment. The CNIL has recently issued emergency signals specifically in the field of data breaches. For instance, the CNIL imposed a sanction on a global transportation network company in December 2018, stating that strong authentication measures, such as a secret password sent by text message, are basic precautions that data controllers should have taken. The CNIL also imposed a sanction on the French company Optical Center for alleged security breaches (read more in our previous blog). However, regarding the amount of the penalty, the CNIL may have taken the path of rigour.
In addition, this decision shows that medium-sized French companies are no longer immune in the event of data breaches, although Mrs Marie Laure Denis, the new president of the CNIL, recently stated that the credibility of the CNIL would depend on its ability to sanction major players. In view of the number of complaints filed for data breaches currently being handled by the CNIL departments, this decision may soon be just one of many to come.