The CNIL’s decision provides useful guidance on security measures that the CNIL considers must be taken by data controllers.

Earlier this year, Orange discovered that the database of one of its sub-subcontractors had suffered a server malfunction that led to a security breach. The sub-subcontractor’s database contained the personal data of more than 1.3 million Orange customers (including name, date of birth, e-mail address, and landline and mobile phone numbers) and was used for sending promotional email campaigns.

In compliance with its obligations as an electronic communications operator, Orange notified the CNIL of the security breach in April 2014. On-site inspections conducted by the CNIL in May 2014 showed that the sub-subcontractor’s database had become publicly accessible to anyone who modified the URL of the “unsubscribe” links in emails sent to customers, and that an unidentified third party had collected customers’ personal data a few months earlier.

Under French law, data controllers must use best efforts to ensure that the confidentiality of customers’ and prospects’ personal data is adequately secured. In issuing its warning, the CNIL cited three facts:

  • First, Orange did not carry out any security audit of the sub-subcontractor’s proprietary technology, which had been specifically adapted for Orange, after it was implemented in November 2013;
  • Second, Orange regularly sent updates of its customer database to its service providers by email, without any additional security measures;
  • Finally, although Orange and the subcontractor had entered into a contract setting forth security and confidentiality obligations for the subcontractor, those obligations were not passed through to the sub-subcontractor.

The decision serves as a timely reminder of the CNIL’s expectations regarding personal data security.