CNIL Deliberation No. SAN-2020-008 of 18 November 2020 against Carrefour France

CNIL Deliberation No. SAN-2020-009 of 18 November 2020 against Carrefour Banque

The seventh and eighth post-GDPR sanction decisions issued by the CNIL offer a wide panorama of possible privacy law violations and of how the French data protection authority assesses them. More importantly, they led the CNIL to state its position for the first time on the notion of “undertaking”, whose total annual worldwide turnover constitutes the basis for calculating the maximum applicable fine under the GDPR.

The sanction decisions were issued against Carrefour France and Carrefour Banque, both French affiliates of one of the largest retailers in the world, the Carrefour Group. The CNIL started its investigation of these two entities after receiving fifteen complaints from data subjects in less than a year. This led the CNIL to identify 22 potential violations of the GDPR and of the e-privacy rules.

Even though Carrefour France and Carrefour Banque had fully remedied all the violations before the oral hearing held by the restricted panel of the CNIL, this did not prevent the French authority from imposing a €2,250,000 fine on Carrefour France and a €800,000 fine on Carrefour Banque for their past conduct.

The violations identified were numerous, but, overall, rather common:

1. Failure to properly inform data subjects: The CNIL held that the information provided by the two entities lacked accessibility, clarity, and comprehensiveness.

On the first point – accessibility – the CNIL considered that both Carrefour France and Carrefour Banque failed to provide easy access to a dedicated privacy policy. For example, the privacy language of Carrefour France was buried in the general terms and conditions of the website and of the loyalty program. Furthermore, although Carrefour France used a multi-layer approach to providing the information, which can enhance clarity, the CNIL considered that the information provided in the first layer was insufficient: it contained only general language and did not state the detailed processing purposes, the identity of the data controller or the data subjects’ rights, as recommended by the WP29 (now the EDPB).

On the second point – clarity – the CNIL criticized Carrefour France for using open-ended wording such as “…such processing includes, for example…” and “…your data may be processed for one or more of the following purposes…”. In addition, the CNIL noted that some of the sentences were simply not understandable. The CNIL also blamed Carrefour France for not structuring the information in a way that enhanced clarity: the information took the form of a lengthy listing of the various GDPR topics.

On the third point – comprehensiveness – the French data protection authority held that Carrefour France failed to properly inform data subjects of the identity of the data controller, of the legal basis of the processing and of the existence of data transfers outside the EU. In addition, the CNIL found that both Carrefour France and Carrefour Banque failed to properly inform data subjects of the retention periods. The CNIL reminded the two entities that all of these information items are mandatory. With regard to the legal basis, the CNIL stressed that this information allows data subjects to make an overall assessment of the processing carried out, in particular of its origin and of their rights (e.g., if the processing is based on consent, data subjects know they have the right to withdraw that consent).

2. Failure to determine a valid retention period: This violation only concerned Carrefour France. According to the CNIL, the retention period set by this entity for the members of its loyalty program was too long: four years after the member’s last activity. The French authority considered that such a duration was not justified, because members of a loyalty program usually return to the same store on a regular basis. Thus, there was no ground for Carrefour France to depart from the “default” retention period recommended by the CNIL for similar processing, which is three years after the last contact from the data subject. In any case, the CNIL agents observed that Carrefour France had failed to enforce even its own four-year retention policy: the data of loyalty members who had been inactive for up to ten years were still present in the databases.

Finally, Carrefour France was also criticized for not deleting the copies of the data subjects’ identification documents as soon as the identity was verified in the context of data subject requests.

3. Failure to effectively address data subjects’ requests: In connection with the last criticism described in the paragraph above, the CNIL held that Carrefour France could not systematically ask data subjects to provide an identification document when exercising one of their rights (e.g., access, deletion, etc.). The CNIL considered that verifying identity is only legitimate where there are actual doubts about the identity of the data subject.

The CNIL noted that Carrefour France was, in most cases, well past the legal deadline for handling data subjects’ requests, with delays of up to nine months during which no information was provided to the data subjects.

The CNIL also blamed Carrefour France for specific failures in addressing data subjects’ requests, i.e., failures brought to the attention of the French data protection authority through the complaints it received. Some of these failures were clearly one-off human errors (e.g., a wrong hyperlink inserted in a marketing email in place of the link allowing recipients to unsubscribe), but others were structural (e.g., processing opt-out requests in a monthly batch rather than as soon as each request was received).

4. Violation of the rules regarding cookies: The CNIL agents observed that both Carrefour France and Carrefour Banque placed cookies on users’ devices as soon as the website rendered, i.e., without giving users the possibility to effectively consent to the use of cookies. Moreover, the CNIL noted that some of the cookies used by the two websites clearly required consent. For example, both websites used Google Analytics, which the CNIL has clearly and repeatedly considered to require consent because of the possibility offered by Google to cross-reference the data obtained through this cookie with other data, notably for advertising purposes.

5. Violation of security and breach notification obligations: The supervisory authority held that Carrefour France had failed to properly secure some of its clients’ data, because clients’ invoices were accessible through a permanent URL that did not require prior authentication. Thus, anyone who had the URL could access the invoice, whether or not they were the client concerned.
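The invoice finding is the classic pattern of an object reference in the URL doing the work that authentication and an ownership check should do. The following is an added, illustrative example written for this note (it is not Carrefour's code, and the invoice records, session tokens and server secret are constructed assumptions). It places the criticised pattern beside two hardened variants: a session-authenticated lookup that checks ownership, and, for links that must be sent out of band (e.g., in an email), a signed link bound to the recipient that expires.

```python
"""Added example: unauthenticated permanent invoice URL vs. authorization-checked access.

Illustrative code written for this article, not Carrefour's code. All data below is constructed.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data (assumption, not from the decision).
INVOICES = {
    "INV-1001": {"owner": "alice", "amount": 42.50},
    "INV-1002": {"owner": "bob", "amount": 13.99},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session token -> user id (constructed)
SECRET = b"hypothetical-server-secret"  # assumption: a per-deployment secret kept out of the URL


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(invoice_id):
    """The pattern the CNIL criticised: the URL parameter alone decides what is returned.

    Anyone holding /invoices/INV-1002 (a forwarded email, a browser history, a guessed id)
    gets the invoice; no session is required and ownership is never checked.
    """
    return INVOICES[invoice_id]


def get_invoice_hardened(invoice_id, session_token):
    """Authenticate the caller, then check that the invoice belongs to them."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("authentication required")
    invoice = INVOICES.get(invoice_id)
    # Same error for 'does not exist' and 'not yours', so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != user:
        raise AccessDenied("not found")
    return invoice


def _sign(invoice_id, user, expires):
    msg = f"{invoice_id}|{user}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_signed_link(invoice_id, user, ttl_seconds=3600, now=None):
    """Capability link for out-of-band delivery: bound to one recipient and time-limited."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    return f"/invoices/{invoice_id}?u={user}&exp={expires}&sig={_sign(invoice_id, user, expires)}"


def verify_signed_link(url, now=None):
    """Validate a link produced by make_signed_link and return the invoice, or raise AccessDenied."""
    parsed = urlparse(url)
    invoice_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    try:
        user, expires, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        raise AccessDenied("malformed link")
    # Constant-time comparison; checked before anything else so a forged link learns nothing.
    if not hmac.compare_digest(_sign(invoice_id, user, expires), sig):
        raise AccessDenied("bad signature")
    if (time.time() if now is None else now) > expires:
        raise AccessDenied("link expired")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        raise AccessDenied("not found")
    return invoice


if __name__ == "__main__":
    print(get_invoice_vulnerable("INV-1002"))          # leaks bob's invoice to anyone
    print(get_invoice_hardened("INV-1001", "sess-alice"))
    link = make_signed_link("INV-1001", "alice", now=1000)
    print(verify_signed_link(link, now=2000))
```

The signed-link variant is still a bearer capability: whoever holds the link before it expires can use it, which is why it is bound to a user and short-lived rather than permanent, and why the session-checked endpoint remains the default path.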

Furthermore, the CNIL noticed that Carrefour France had recorded a data breach without notifying the CNIL. It was a cyberattack consisting of 800,000 connection attempts from 10,000 IP addresses (a pattern characteristic of credential stuffing), resulting in 4,000 successful authentications and 275 effective accesses to client accounts. Carrefour France argued that it was not under an obligation to notify this breach because it considered it “unlikely to result in a risk to the rights and freedoms of natural persons”. The CNIL disagreed. In particular, it stressed that although only 275 accounts had been effectively accessed, the 4,000 successful authentications were also a problem, because many people reuse the same combination of email address and password across websites: each successful login confirmed to the attacker a credential pair that is likely to work elsewhere.
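The numbers in the decision (many attempts spread thinly over many IPs, a small success rate, and fewer accounts actually read than accounts successfully authenticated) are exactly what a detection rule over authentication logs should surface. The following is an added example written for this note, not code from Carrefour or the CNIL: it parses a constructed log (the format, the IP labels and the account names are assumptions), flags a distributed login spray by aggregate statistics rather than per-IP volume, and reports separately the accounts whose credentials were confirmed valid and the subset that was then actually accessed, the distinction the CNIL drew.

```python
"""Added example: detecting a distributed credential-stuffing spray in authentication logs.

Illustrative code written for this article. The log format and all lines are constructed.
"""
import re
from collections import Counter

# Assumed log line format (constructed): "<ts> ip=<ip> user=<user> event=<login_ok|login_fail|account_read>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def build_sample_log():
    """Constructed sample: 20 source IPs each try 10 accounts; 4 credential pairs are valid,
    and only 1 of those accounts is then actually read. Plus one legitimate user session."""
    successes = {("ip-07", "u33"), ("ip-02", "u21"), ("ip-15", "u35"), ("ip-19", "u38")}
    lines, t = [], 0
    for i in range(20):
        ip = f"ip-{i:02d}"
        for j in range(10):
            user = f"u{(i * 10 + j) % 40:02d}"
            t += 1
            event = "login_ok" if (ip, user) in successes else "login_fail"
            lines.append(f"2020-01-01T00:{t // 60:02d}:{t % 60:02d} ip={ip} user={user} event={event}")
    lines.append("2020-01-01T00:04:00 ip=ip-07 user=u33 event=account_read")   # attacker uses one hit
    lines.append("2020-01-01T01:00:00 ip=ip-home user=u05 event=login_ok")     # legitimate user
    lines.append("2020-01-01T01:00:05 ip=ip-home user=u05 event=account_read")
    lines.append("garbage line that should be ignored")
    return lines


def parse(lines):
    """Return parsed events; malformed lines are skipped rather than aborting the analysis."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def analyse(lines, min_distinct_ips=10, min_fail_ratio=0.9,
            max_attempts_per_ip=20, attack_ip_min_failures=3):
    """Aggregate view of a login spray. Thresholds are illustrative assumptions."""
    events = parse(lines)
    logins = [e for e in events if e["event"] in ("login_ok", "login_fail")]
    attempts_per_ip = Counter(e["ip"] for e in logins)
    fails_per_ip = Counter(e["ip"] for e in logins if e["event"] == "login_fail")
    attempts = len(logins)
    failures = sum(fails_per_ip.values())
    fail_ratio = failures / attempts if attempts else 0.0

    # Each source stays under any per-IP rate limit; the spray is only visible in aggregate.
    widely_spread = (len(attempts_per_ip) >= min_distinct_ips
                     and max(attempts_per_ip.values(), default=0) <= max_attempts_per_ip)
    detected = widely_spread and fail_ratio >= min_fail_ratio

    # Sources that failed repeatedly are treated as part of the spray; a login_ok from one of
    # them is a credential pair now known to the attacker, whether or not the account was read.
    attack_ips = {ip for ip, n in fails_per_ip.items() if n >= attack_ip_min_failures}
    confirmed = {e["user"] for e in logins if e["event"] == "login_ok" and e["ip"] in attack_ips}
    accessed = {e["user"] for e in events if e["event"] == "account_read" and e["ip"] in attack_ips}
    return {
        "attempts": attempts,
        "distinct_ips": len(attempts_per_ip),
        "successful_auths": sum(1 for e in logins if e["event"] == "login_ok"),
        "fail_ratio": fail_ratio,
        "stuffing_detected": detected,
        "accounts_confirmed_by_attacker": confirmed,   # all need a password reset + notification
        "accounts_accessed_by_attacker": accessed,     # the smaller set with confirmed data access
    }


if __name__ == "__main__":
    for k, v in analyse(build_sample_log()).items():
        print(f"{k}: {v}")
```

The two reported sets are the operational point: remediation scoped only to the accounts that were read would leave the other confirmed credential pairs live, both on this site and wherever the same password is reused.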

6. Violation of the obligation to process personal data fairly: This violation only concerned Carrefour Banque, which had expressly told its customers that it would “not” share any information other than their last name, first name and email address with “Carrefour Fidélité”. However, the CNIL found that it did: it also shared the postal address, the phone number and, where available, the number of children.

To justify the amount of the fines imposed for all these violations, the restricted panel of the CNIL detailed how the relevant criteria set forth in Article 83 of the GDPR were weighed and came into play. This is a first in the CNIL’s decisions.

More importantly, the decision against Carrefour France is also the first in which the CNIL gives its interpretation of the notion of “undertaking”, whose total annual worldwide turnover constitutes the basis for calculating the maximum applicable fine. The CNIL stated that, as in competition law, this notion “is to be understood as designating an economic unit even if, from a legal point of view, this economic unit is made up of several natural or legal persons”.

In the case at hand, the CNIL considered that the legal organization of the Carrefour group would have rendered ineffective any fine calculated on the turnover of Carrefour France alone, which was only €14 million. Furthermore, it noted that two subsidiaries of Carrefour France, “Carrefour Hypermarchés” (turnover of €14.3 billion) and “Carrefour Proximité France” (turnover of €636 million), had benefited from, and even participated in, the collection of data by Carrefour France. This led the CNIL to consider that the relevant “undertaking” in this case consisted of Carrefour France and these two subsidiaries, and consequently to add up the turnovers of the three entities (€14.9 billion) to determine the basis for calculating the maximum applicable fine (€596 million, i.e., 4% of that combined turnover). Although the actual fine of €2,250,000 imposed on Carrefour France is far below the applicable maximum, it represents more than 16% of Carrefour France’s own turnover.