28/03/2019 – The CNIL publishes binding model bylaws on biometric data in the workplace
The CNIL has adopted model bylaws that are binding on all employers setting up biometric access control systems for premises, applications and work equipment.
It should be remembered that biometric data (fingerprints, for example) are sensitive data whose processing is prohibited in principle, subject to the limited exceptions listed in Article 9 of the GDPR.
Under the CNIL’s model bylaws, employers that use or wish to use biometric recognition systems for their employees will have to:
- Limit their use to controlling access to premises, equipment or work-related applications;
- Justify and document the special circumstances that warrant using this system rather than any other access control system;
- Apply particularly rigorous security measures;
- Justify and document every choice made when setting up the system;
- Conduct an impact assessment to evaluate the risks to the rights and freedoms of individuals, identify them and, where necessary, address them appropriately.
It is especially important to remember that the circumstances in which an employer may process biometric data are limited. The CNIL cites, for example, contexts involving the handling of particularly dangerous products or machines, or access to funds, valuables or highly regulated products (psychotropic substances, chemicals that can be used to manufacture weapons).
Note also that, provided the conditions for setting up the system are met, the consent of employees need not be obtained.
The most delicate issue will undoubtedly be demonstrating the existence of specific circumstances that justify using biometric data rather than any other method of access control.
15/03/2019 – UK – ICO (Information Commissioner’s Office) / 2 employees fined for personal data breaches: £1000 & £200
Note: Due to the date of the incidents, GDPR was not yet applicable.
Data controllers are not the only ones exposed: employees can also be prosecuted for breaching data protection law.
In two separate cases, the ICO, the UK data protection authority, has just prosecuted two employees, who were fined by the courts.
The first worked for the Heart of England NHS Foundation Trust (HEFT). Her job gave her access to personal data, but the investigation showed she had accessed records she had no need to see for that job. This was a breach of UK data protection law.
The second was employed by V12 Sports and Classics Ltd. A few weeks before resigning, she had forwarded several work e-mails containing personal data of customers and other employees to her personal e-mail address. The court found that she, too, had breached UK data protection law.
Penalty: a £1000 (approximately €1170) fine + a £50 victim surcharge + £590 in prosecution costs for the first;
a £200 (approximately €230) fine + a £30 victim surcharge + £590 in prosecution costs for the second.
Data protection law may become an additional weapon in disputes between employers and workers!
12/03/2019 – UK – ICO (Information Commissioner’s Office) / Search warrants executed against companies suspected of making millions of nuisance calls
Following a year-long investigation, the ICO, the UK data protection authority, has executed search warrants at offices in Brighton and Birmingham belonging to companies suspected of making millions of unsolicited calls (about subjects such as road traffic accidents or household goods insurance) to both UK landlines and mobile numbers. Computers and documents were seized by the ICO’s enforcement officers.
The ICO had received over 600 complaints; the individuals contacted were:
- unable to identify who was calling;
- unable to opt out of the call list.
Both are against the law.
In direct marketing, the company must always give the individual concerned the possibility to refuse further calls and to have their phone number deleted from the database.
27/02/2019 – UK – ICO (Information Commissioner’s Office) / Sentencing of a former senior council officer: £660
Note. Due to the date of the incidents, GDPR was not yet applicable.
Following a one-year investigation, the ICO, the UK data protection authority, has had a former senior council officer convicted of unlawfully sharing personal data.
The individual was employed at Nuneaton and Bedworth District Council when his partner applied for an administrative position at the council. Because of his relationship with the applicant, the senior officer took no part in the selection process. He did, however, access the council’s recruitment platform and sent the data of nine shortlisted rival candidates to both his partner’s work and personal e-mail addresses. The data included the shortlisted candidates’ names, addresses, phone numbers, CVs and the contact details of their referees.
Penalty: a £660 (approximately €771) fine + a £66 victim surcharge. Once the breach came to light, the individual resigned and his partner, who had been hired, had her employment terminated, for obvious reasons.
25/02/2019 – CNIL / end of formal enforcement notice targeting the company Vectaury
Facts: The CNIL had given Vectaury three months to bring its consent collection into compliance, having found a serious lack of prior information for the people affected by the processing of personal location data for targeted advertising. It had also found that data collection was enabled by default.
Measures taken to comply with the enforcement notice:
- a banner, displayed when the mobile application is installed and before any data collection, through which the user gives free, specific, informed and affirmative consent on the basis of the following information: the purpose of the processing (location-based targeted advertising), the identity of the data controllers (the geomarketing partners), made easily accessible via a link, the nature of the data collected (the phone’s advertising ID and location data), the possibility of withdrawing consent at any time, and how to exercise their rights (via a link);
- no data collection when the user declines the use of location data for targeted advertising, and the possibility of continuing to use the application without any degradation of the service;
- prior verification of the validity of consent by the entity transmitting the data, so that processing only takes place when consent is valid.
Penalty: none. Since Vectaury complied within the legal time frame, the CNIL has closed the procedure without imposing any penalty.
For more information on this case, view our feed of 30/10/2018.
07/02/2019 – UK – ICO (Information Commissioner’s Office) / Magnacrest Limited fined: £300
Note: Considering the date of the incidents, GDPR was not yet applicable.
The data subject’s right of access is a fundamental personal-data right that long predates GDPR.
On 17/04/2017, an individual attempted to exercise his right of access to the personal data held about him by Magnacrest Limited, a housing developer. He received no response within the 40-day legal time limit and therefore complained to the ICO, the UK data protection authority.
The ICO took up the case and served Magnacrest Limited with a formal enforcement notice requiring it to comply with its legal obligations and provide the individual with the requested information.
As the enforcement notice had no effect, the ICO brought a criminal prosecution against the company.
Penalty: a £300 fine (approximately €350) + a £30 victim surcharge + £1133.75 in prosecution costs.
21/01/2019 – France – CNIL – Sentencing of Google LLC, 1st French fine under GDPR >> 50 million €
Facts: The American company Google LLC processes personal data through its Android operating system and the services it provides when a Google user account is created while configuring a mobile phone.
On 25 and 28 May 2018, just after GDPR became applicable, the Austrian non-profit None of Your Business (“NOYB”) and the French non-profit La Quadrature du Net (“LQDN”) lodged collective complaints with the CNIL, alleging that Google lacked a valid legal basis for processing its users’ personal data, in particular for targeted advertising.
Jurisdiction of the CNIL: Under the “one-stop shop” mechanism created by GDPR, an organisation established in the EU has a single point of contact, the lead supervisory authority of the country where its “main establishment” is located, which then liaises with the other national data protection authorities.
Here, since at the time the complaints were filed Google Ireland had no decision-making power over the processing at issue (the Android operating system and the creation of a user account when configuring a phone), the European data protection authorities considered that Google LLC had no main establishment in the EU. The CNIL, like every other national authority in the EU, was therefore competent to act.
Inspection method: In September 2018, the CNIL carried out an online inspection, analysing the user journey and the documents and information made available to the user when creating a Google account while configuring an Android phone.
Obligation of transparency and information towards the people concerned: The CNIL found that the information intended for data subjects was hard to reach, in particular because key information (purposes, retention periods, data categories) is spread across several documents and requires numerous (5 or 6) user actions to reach (enough to discourage users…). The CNIL also considered that the information provided
- was not intelligible for users, who could neither understand that the legal basis for the processing was their consent (which they were not obliged to give) nor gauge the extent and potential consequences of the processing carried out by Google (quantity and type of data processed, cross-referencing of data by Google);
- was too vague, especially as to the purposes and the nature of the data concerned;
- was incomplete, as the retention period was not systematically stated.
Obligation to obtain informed, specific and unambiguous consent: Google stated that its processing relied on consent as its legal basis. The CNIL nonetheless found the processing unlawful because the consent obtained failed three of the regulation’s criteria:
- the consent was not informed: this follows directly from the lack of information described above; if data subjects cannot easily access the information about the processing, or if that information is too vague or incomplete, they obviously cannot consent with full knowledge of the facts;
- the consent was not unambiguous: this requires an affirmative action by the user, whereas here the option to receive personalised adverts was ticked by default (the user could only opt out);
- the consent was not specific: this requires purposes to be clearly defined (whereas here they were too vague) and consent to be given separately for each purpose, rather than globally through a blanket statement of agreement, in the same way as Google’s terms and conditions were accepted.
Penalty: a 50 million euro fine (paid to the national treasury), the first application of the fine ceilings set by GDPR, together with publication of the decision.
On this occasion the CNIL points out that it may impose a fine without first serving a formal enforcement notice on the data controller and giving it time to comply. The CNIL adds that the processing at issue is still being carried out and that Google did not use the investigation period to change its practices.
This decision is based in particular on:
- the seriousness of the breaches, which concern essential principles of privacy;
- the fact that Google’s business is predominantly built on processing personal data (through targeted advertising), which makes it all the more responsible and requires all the more vigilance on its part in respecting privacy;
- the volume of data concerned and the almost unlimited cross-referencing it allows.
The amount of the fine may seem high, but it is in fact rather low given that Google’s annual turnover exceeds 110 billion euros. The breaches alleged against Google concern fundamental privacy principles and are punishable by a fine of up to 4% of worldwide annual turnover.
What to take away from this case: it is essential
- to identify, within a global group, which entity has decision-making power over the processing of personal data; this is key to determining both the identity of the data controller and the competence of the European authorities;
- to provide complete, clear, intelligible and easily accessible information to the user: one click should be enough!
- to make sure the user performs an affirmative action for consent to be valid… there are still too many pre-ticked boxes and presumed consents (for example when the user simply continues browsing, especially for cookie preferences);
- to allow consent to be given separately for each purpose, each defined in sufficiently precise terms;
- to react quickly and amend processing conditions to bring them into compliance as soon as the CNIL issues even the slightest warning.
29/12/2018 – International / Brazil – Provisional measure on the application of LGPD
On 29 December, a provisional measure (No. 869/18) was adopted, creating the Brazilian data protection authority, the ANPD.
The measure also delays by six months the entry into force of the new data protection law (LGPD): initially due on 15 February 2020, it has been moved to 15 August 2020.
As a reminder, this new law will also concern non-Brazilian companies, as it will apply to:
- data processing carried out in Brazil;
- data processing carried out outside Brazil where the processing activity consists in offering goods or services to people located in Brazil, or where the data was collected in Brazil.
28/12/2018 – France – CNIL – Principles to be met before transmitting data to third parties
Consent, information to be given to the people concerned: the CNIL recalls the steps that must be followed, not forgetting that the relationship with the third party, and what the latter is allowed to do with the data, must be set out in a contractual framework.
26/12/18 – France – CNIL – Bouygues Telecom fined: 250K€
NB. Considering the date of the incidents, GDPR was not yet applicable
Origin of the investigation: On 2 March 2018, the CNIL received a report of a security incident involving the personal data of customers of the B&You brand, owned by Bouygues Telecom. On 6 March 2018, Bouygues Telecom, which had learnt of the breach through a message on its Twitter account, notified the CNIL.
Facts: A vulnerability was discovered that gave access to B&You customers’ contracts and invoices (and therefore their surname, first name, date of birth, e-mail address, postal address and mobile number) simply by modifying a URL on Bouygues Telecom’s website. It affected the data of more than 2 million B&You customers over a period of 2 years and 3 months. The CNIL inspected Bouygues Telecom’s premises on 9 March 2018; Bouygues Telecom had by then fixed the vulnerability quickly, so that customers’ personal data was no longer freely accessible at the time of the inspection.
Obligation to ensure security and confidentiality: The security flaw stemmed from a failure to reactivate the authentication function of the online customer area, which had been disabled for a test phase following the merger of the databases and IT systems of Bouygues Telecom and B&You. It therefore appears to have been a human error. Nonetheless, the CNIL considered that because Bouygues Telecom chose to rely on a single security measure with no complementary controls, it had a duty to be particularly vigilant about that measure’s effectiveness. The CNIL also considered that although Bouygues Telecom showed it ran regular penetration tests, directly or through service providers, those tests were not adapted to the specifics of the database and were therefore ineffective. Bouygues Telecom should have carried out a manual code review focused on the critical authentication mechanism; this was feasible given its resources and necessary given the number of people exposed. The CNIL accepts that Bouygues Telecom cannot be totally immune to human error, but held that it should have put in place measures capable of detecting this particular error.
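The failure mode the CNIL describes (a single authentication switch left off after a test phase, with invoices reachable by editing the id in a URL) and the detective controls it says were missing, as an added Python example that is not Bouygues Telecom’s code. The endpoint, records, session tokens and the SETTINGS flag are hypothetical:

```python
# Added example, not Bouygues Telecom's code: a minimal customer-area
# endpoint in its vulnerable and hardened forms. All records, tokens and
# settings below are constructed for the example.

# Constructed data: invoice id -> (owning customer, invoice body)
INVOICES = {
    "1001": ("alice", "Invoice 1001 - Alice Example, 12 rue X, +33 6 00 00 00 01"),
    "1002": ("bob", "Invoice 1002 - Bob Example, 3 avenue Y, +33 6 00 00 00 02"),
}
# Constructed session store: session token -> customer id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Hypothetical runtime settings. "auth_enabled" is the single switch that
# was turned off for a test phase and never turned back on.
SETTINGS = {"env": "production", "auth_enabled": False}


def get_invoice_vulnerable(session_token, invoice_id, settings=SETTINGS):
    """Vulnerable form: one control, and it is switchable.

    Returns an (HTTP status, body) pair. With auth_enabled False any caller
    can read any invoice by changing the id in the URL; even with it True,
    an authenticated customer can read other customers' invoices because
    ownership is never checked.
    """
    if settings["auth_enabled"] and session_token not in SESSIONS:
        return 401, ""
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, ""
    return 200, record[1]


def get_invoice(session_token, invoice_id, settings=SETTINGS):
    """Hardened form: fail closed, authenticate, then check ownership."""
    if not settings["auth_enabled"]:
        # Independent second control: if the authentication switch is off,
        # refuse to serve customer data instead of silently continuing.
        return 503, ""
    customer = SESSIONS.get(session_token)
    if customer is None:
        return 401, ""
    record = INVOICES.get(invoice_id)
    # Same answer whether the invoice is missing or belongs to someone
    # else, so ids cannot be enumerated by editing the URL.
    if record is None or record[0] != customer:
        return 404, ""
    return 200, record[1]


def startup_check(settings):
    """Detective control of the kind the CNIL says was missing: refuse to
    start in production with authentication disabled."""
    return settings["env"] != "production" or bool(settings["auth_enabled"])


def auth_regression_check(settings):
    """CI / post-deploy smoke test: an anonymous request for customer data
    must never succeed, whatever the current settings."""
    status, _ = get_invoice("", "1001", settings)
    return status != 200


if __name__ == "__main__":
    print("vulnerable, anonymous:", get_invoice_vulnerable("", "1002"))
    print("hardened, anonymous:", get_invoice("", "1002"))
    print("startup check passes:", startup_check(SETTINGS))
```

Run stand-alone, the first line shows Bob’s invoice served to an anonymous caller, while the hardened handler answers 503 and startup_check returns False for the same settings. The point of startup_check and auth_regression_check is the one the CNIL makes: the human error is not prevented, but it is caught before two million customers’ records are exposed for two years.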
Penalty: a 250K€ fine. The rapporteur had initially proposed 500K€ but, after Bouygues Telecom’s observations, reduced the proposal to 250K€. The seriousness of the breach was taken into account (volume of data and number of people affected, duration of the vulnerability), as well as Bouygues Telecom’s responsiveness in resolving the incident and the numerous measures taken to limit its impact (e.g. reminders of good practice and advice sheets sent to customers, anti-phishing measures, dark web monitoring, employee training).
Publication of the decision: justified by the large volume of data and number of people affected, the duration of the vulnerability, the current context of recurring security incidents and the need to raise awareness among both data controllers and web users.
19/12/2018 – France – CNIL – Uber France SAS sentenced: 400K€
NB. Considering the date of the incidents, GDPR was not yet applicable
Facts: In November 2017, the American company Uber Technologies Inc. (hereinafter Uber Inc.) revealed to the media… a year late… that two individuals had stolen the personal data of 57 million of its users in late 2016, including 600 000 drivers.
The stolen data included users’ names and surnames as well as their e-mail addresses, cities and countries of residence, mobile numbers and status (driver / passenger). Uber had kept the incident secret for around a year, in breach of US computer security law, and it made for very bad publicity in late 2017, especially as Uber allegedly paid the hackers 100 000 dollars not to disclose the incident and to destroy the data they had collected, a practice security experts widely recommend be banned.
To coordinate the investigations conducted by the European data protection authorities, the Article 29 Working Party (G29) set up a task force, which allowed a better understanding of the attack:
- the attackers obtained credentials stored in plain text on the collaborative development platform GitHub;
- they used these credentials to access a data storage server;
- they downloaded information on 57 million users, 1.4 million of whom were located in France.
Liability: The liability of Uber B.V. was not disputed. Uber Inc., on the other hand, argued that under a contract signed with Uber B.V. it was a mere processor (subcontractor), a position that limited its role in the data processing. The CNIL rejected this argument, holding that it was indeed Uber Inc. that determined the essential aspects of the processing.
In particular, the CNIL noted that:
- the data controller cannot stand aside from managing the consequences of a data breach;
- Uber Inc.’s broad scope of action (drafting the data management guidelines applied by all subsidiaries, training new employees, signing contracts with third parties supplying tools essential to the service) confirms its key role in determining the purposes and means of the processing.
Uber B.V. and Uber Inc. are therefore joint controllers.
The CNIL directed the fine at Uber France SAS, treated as an establishment of the controllers Uber B.V. and Uber Inc., since through Uber France SAS Uber has stable premises in France and conducts activities there (customer and driver support, marketing campaigns).
Obligation to ensure security and confidentiality: The attack would not have succeeded had certain basic security measures been in place, in particular:
- Uber should have required its engineers to log in to GitHub with strong authentication (for example a login and password followed by a code sent by text message), an option GitHub offers even if it does not require it. In practice, engineers logged in to GitHub with nothing more than a personal e-mail address and a password they had chosen themselves. In addition, there was no procedure for revoking access when an engineer left the company;
- Uber should not have stored unencrypted credentials giving access to its servers in source code hosted on GitHub;
- access to the servers holding user data should have been restricted by IP address filtering.
In these circumstances, the CNIL’s restricted committee found that the company had breached its obligation to secure personal data, and fined Uber France SAS, as the establishment of Uber Technologies Inc. and Uber B.V., 400 000 euros.
Penalty: 400K€ fine
Publication of the decision: justified by the very large number of people affected and the need to raise awareness among operators.
NB. On 06/11/18 the Dutch data protection authority fined Uber 600K€ for failing to notify a data breach. On 26/11/18 the UK data protection authority fined Uber £385 000 for failing to secure data.
NB. Recall that the use of GitHub had already featured in the CNIL’s sanction against Dailymotion for failing to meet its security obligations (see below in this thread).
19/12/18 – Court of Cassation – Mediapost – Location tracking of employees
Facts: Mediapost, a subsidiary of La Poste, delivers targeted advertising to letter boxes. It set up a system called “Distrio” that records the position of its couriers every ten seconds and detects any lack of movement or prolonged immobility. The system relies on a tracker worn by couriers on their rounds, which they switch on themselves. Mediapost’s stated purpose is to monitor the couriers’ actual working time. Considering the system unlawful, the Sud PTT trade union took Mediapost to court. The Lyon court of appeal held that using this location tracking system to determine couriers’ actual working time was lawful, being justified by the nature of the work and proportionate to the aim pursued by Mediapost.
Decision: On 19 December 2018, the Court of Cassation quashed the judgment of the Lyon court of appeal and referred the parties back to that court for re-examination. The Court of Cassation criticised the court of appeal for ruling without “examining whether the location tracking system set up by the employer was the only means of monitoring employees’ working time”.
Article L1121-1 of the French Labour Code lays down two cumulative conditions under which employees’ right to privacy, including freedom from location tracking, may be restricted:
- the restrictions must be justified by the nature of the task to be performed;
- they must be proportionate to the aim pursued by the employer.
The Court of Cassation holds that, for a location tracking system set up to monitor actual working time to be lawful, it must be the only means of doing so. It adds that where employees have sufficient freedom in organising their work, such a system cannot be justified.
What to take away from this case: Before setting up a location tracking system for employees (which by its nature restricts their freedom) in order to monitor their working hours, a company must first establish whether any other means could be used (even a less effective one) and, depending on how much freedom the employees concerned have in organising their work, whether such monitoring is justified at all.
19/12/2018 – ECJ – Advocate General’s opinion in the Fashion ID case
Facts: the online fashion retailer Fashion ID GmbH & Co. KG embedded a plug-in on its website: Facebook’s “Like” button. As a result, when an internet user visits the Fashion ID website, their IP address and browser user-agent string are transmitted to Facebook. This transmission happens automatically as soon as the Fashion ID page loads, whether or not the user clicks the “Like” button and whether or not they have a Facebook account.
A German consumer protection organisation brought injunction proceedings against Fashion ID on the ground that the use of this plug-in infringed data protection law.
The German court referred several questions to the ECJ for a preliminary ruling. In substance:
- When a company embeds code in its website that causes the user’s browser to request content from a third party and thereby transmit personal data to that third party, should the company be considered a data controller?
- If the user’s consent is required in this context, to whom must it be given (the company or the third party)?
Position of the Advocate General: it is decidedly unfavourable to website operators that embed third-party plug-ins.
The Advocate General proposes to hold that anyone embedding a third-party plug-in on their website that collects and transmits personal data should be considered a joint controller, with liability limited to those operations for which they actually co-determine the purposes and means of the processing. For Fashion ID, these are the stages at which personal data is collected and transmitted to Facebook. Although Fashion ID’s and Facebook’s purposes differ, they are unified: commercial and advertising-related in both cases, since Fashion ID chose to embed Facebook’s plug-in to increase the visibility of its products via Facebook.
Consequently, the user’s consent must be given to the operator of the website that embedded the third-party content, and before the data is collected and transferred.
Conclusion: We all remember the ECJ’s judgment of 5 June 2018 confirming that the administrator of a fan page is a joint controller together with the social network, in that case Facebook (see our comments further below). If the court follows the Advocate General, these questions will place even more responsibility on companies operating on the web, which will have to amend their privacy policies and the information they provide to users.
18/12/2018 – Controversy surrounding Facebook granting tech giants access to some of their users’ personal data
14/12/2018 – Facebook announces another security breach:
The social network has just announced a security breach: a bug in its photo API gave around 1500 applications access to images uploaded (whether posted or not) by 6.8 million users between 13 and 25 September 2018.
The Irish data protection authority is investigating whether Facebook’s processing complies with the rules.
29/11/2018 – CNIL – end of formal enforcement notices targeting Fidzup and Singlespot
Facts: Formal notices served on 25 June 2018 and 8 October 2018 by the CNIL, each with a three-month compliance period.
Measures taken to comply with the enforcement notices: both companies have
- displayed banners during the installation of their mobile applications, giving people the mandatory information about the processing in advance;
- allowed the individuals concerned to accept or refuse the processing of their location data for targeted advertising, before any data is collected and without refusal degrading the service.
Singlespot has also:
- set up automated data purging at the end of the retention period;
- set up a strict password policy for database access.
For more on these cases, see in this same section our briefs of 25/06/18 on the Fidzup case and 30/10/18 on the Singlespot case.
26/11/18 – UK – ICO (Information Commissioner’s Office) / Joint sanction of Uber BV and Uber’s UK establishments (Uber London Ltd, Uber Britannia Ltd, Uber Scot Ltd, Uber NIR Ltd): £385 000
NB. Considering the date of the incidents, GDPR was not yet applicable
Facts: In November 2017, the American company Uber Technologies Inc. (hereinafter Uber Inc.) revealed to the media… a year late… that two individuals had stolen the personal data of 57 million of its users in late 2016. The stolen data included users’ names and surnames as well as their e-mail addresses, cities and countries of residence, mobile numbers and status (driver / passenger). Data from approximately 82 000 UK drivers and 2.7 million UK users was affected.
Liability: The ICO considers Uber BV to be a joint controller together with its UK affiliates, since those affiliates are established in the UK and direct their activities (sales and marketing) at the UK public, and Uber B.V. carries out a genuine and stable activity in the UK through these establishments, giving rise to the processing at issue. On the other hand, the ICO does not question the processor (subcontractor) status of Uber Technologies Inc. in the United States.
Obligation to ensure security and confidentiality:
The ICO found that Uber had not put adequate security measures in place:
- Uber engineers could access the collaborative development platform GitHub with nothing more than a personal e-mail address and a password they chose themselves;
- there was no procedure for revoking access when an engineer left the company;
- credentials giving access to servers were stored unencrypted in source code on GitHub.
The ICO also blames Uber for having treated the breach as a “bug bounty” (reward for those who had detected and reported a vulnerability) whilst it was clearly a hack, as the hackers stole personal data.
Although applicable British law at the time (as opposed to GDPR, which became applicable in May 2018) did not include an obligation to notify the authorities or the people impacted of a security breach, the ICO blames Uber for not having done so and sees it as an aggravating factor.
Penalty: A £385 000 (434 341€) fine which must be paid by 03/01/19 at the latest, which will be reduced to £308 000 if the payment is received by 02/01/2019, unless the decision is appealed.
22/11/2018 – Amazon: client names and e-mails divulged by mistake
Amazon has revealed that a computer glitch accidentally divulged the names and e-mail addresses of certain clients directly on the company’s website. The e-commerce giant has assured that the issue has been fixed and that the impacted clients have been informed.
21/11/2018 – Germany – Baden-Württemberg Data Protection Authority (BWDPA) – Another GDPR related fine – Sentencing of the social network Knuddels.de >> 20K€
Facts: On the 8th of September 2018, the social network Knuddels.de sent a data breach notification to the land of Baden-Württemberg’s ICO equivalent. The company had just noticed that a cyberattack having occurred back in July 2018 had enabled the theft of personal data belonging to the social network’s users: over 800 000 e-mail addresses and close to 2 million usernames and passwords. In a bid to be perfectly transparent with regards to the data protection authority, the company revealed the users’ passwords were stored in plain text (not encrypted or modified in any way).
Breach of personal data principles: Breach of the obligation to ensure the security and confidentiality of the data. The encryption of website data is one of the minimum requirements in terms of security.
Penalty: A 20K€ fine for having stored their users’ passwords in plain text. This can seem like a rather lenient penalty considering the maximum fines defined in GDPR (up to 20 million euros or 4% of turnover). This leniency can be explained by the cooperation and transparency that was demonstrated by Knuddels.de, which immediately notified the data protection authority as soon as they became aware of the breach, provided precise details and did not hesitate to reveal the fact they didn’t encrypt passwords. The data protection authority also considered the great diligence shown by the company when taking corrective measures.
06/11/2018 – Netherlands – AP (Autoriteit Persoonsgegevens) – joint sentence for Uber BV and Uber Technologies, Inc: 600K€
NB. Due to the date of these incidents, GDPR was not yet applicable
Facts: In November 2017, the American company Uber Technologies Inc. (hereinafter Uber Inc.) revealed to the media… with a year’s delay… that two individuals had successfully hacked personal data from 57 million of its users back in late 2016. Amongst the stolen data were the names and surnames of users but also their e-mail addresses, cities and countries of residence, mobile phone numbers and status (driver / passenger). Data from approximately 174 000 Dutch users was affected.
Liabilities: The liability of Uber B.V. was not contested. However, Uber Inc. argued it was a mere subcontractor, based on a contract signed with Uber B.V. on 31/03/2016 which defined the roles of both entities as follows: Uber B.V. as the data controller and Uber Inc. as the subcontractor. The AP rejected this claim, considering that Uber Inc. and Uber B.V. jointly determined essential aspects of the means of data processing, the data security policy, data retention decisions, the development of the service offering and of the Uber application, and that Uber Inc. was the entity providing the application to the Apple App Store and Google Play Store. The AP held them jointly liable.
Obligation to notify the data breach: The AP blames Uber for not having informed the users concerned within the 72 hours following the leak, but only on 21/11/2017, even though the breach took place in late 2016 and Uber was informed of it by the hackers themselves on 14/11/2016.
Penalty: A 600K€ fine (considering fines cannot exceed 800K€ under current Dutch law), payable within the next six weeks, unless the decision is appealed.
06/11/2018 – Microsoft becomes certified host of healthcare data in France
During the 2018 Microsoft Experiences in Paris, Microsoft has announced that it has recently obtained the “healthcare data host” certification (granted by the specialized organization BSI) in France.
This certification applies to all cloud services offered by the editor in France: Azure and Office 365.
Although Microsoft is the first of the major public cloud providers to obtain this certification, the certification mainly recognizes the company’s ability to manage security incidents rapidly and efficiently. Indeed, amongst the conditions to be met to obtain such a certification, compliance with certain standards is required:
- ISO 27001 for information systems security
- ISO 20000, which defines the organizational expectations required to ensure the quality of information processing services
In practical terms, this certification will enable the development of personalized healthcare solutions, which will decompartmentalize patients’ pathway to healthcare (secured sharing of sensitive data), thereby opening the door to telemedicine.
Microsoft will thus be able to develop collaborative healthcare solutions with healthcare facilities.
06/11/2018 – FIFA’s computer systems hacked
After experiencing another hacking of their computer systems, FIFA leaders have assured they are progressively setting up preventive measures such as encouraging staff to be extremely vigilant with regards to phishing by informing them of the different techniques and methods used.
Despite this, it is clear the cybersecurity measures must be reviewed, and more sensitization action must be taken to avoid this kind of hacking.
The strict application of GDPR rules could have allowed for faster detection of the data leakage and increased vigilance in the ranks of FIFA.
06/11/18 – France – CNIL – Publication of a non-exhaustive list of data processing which requires an impact analysis
- the criteria used to determine whether a processing operation requires an impact analysis: collection of sensitive data; processing concerning “vulnerable” individuals (employees, children, elderly people, patients, asylum seekers, etc.); evaluation or scoring; systematic surveillance; cross-referencing or combining several data sets; automated decision-making producing legal effects or other similarly significant effects; innovative use or application of new technological solutions; large-scale data processing.
- examples of processing operations concerned: processing to detect payment fraud (used on many online shopping websites), combining data sets operated by data brokers, processing aimed at personalizing online advertising, mobile applications enabling the large-scale collection of location data.
30/10/18 – France – CNIL – Application of GDPR – Formal enforcement notice for company Vectaury
Facts: CNIL has inspected the company Vectaury, which uses technologies enabling personal data collection via smartphones and the carrying out of advertising campaigns on mobile phones.
This company relies on technological tools known as Software Development Kits (SDKs) which are integrated into the application code of the company’s partners. These tools allow the company to collect data (mobile phones’ advertising IDs and location data) from mobile phone users even when the relevant applications are closed.
This data is then cross-referenced with points of interest determined by partners (retail stores) in order to display the targeted advert on the user’s terminal depending on the places they visited.
Vectaury also processes, for the purposes of user profiling and targeted advertising, location data it obtains from real-time bids it initially receives in order to purchase advertising space. Vectaury has received a formal enforcement notice that it must obtain effective consent from all the users concerned and delete the data it wrongfully acquired.
Legal basis and compulsory information
# Breach of the obligation to obtain user consent for the data acquired from SDKs
- when downloading mobile phone applications, users are not systematically informed that an SDK is collecting their location data
- during installation, the user is not informed that the final purpose is targeted advertising, nor of the identity of the data processor
- the information in the apps’ T&Cs is not provided prior to the processing of data
- it is not always possible for the user to install the mobile application without activating the SDK, in which case the use of the application leads to data being automatically transmitted to Vectaury
- the Consent Management Provider (CMP) set up to reinforce the information is not systematically implemented within the applications, and the information it gives to users is insufficient
- the collection of location data is activated by default
# Breach of the obligation to obtain consent on data coming from real-time bids for advertising space
- consent is not obtained before the processing of data for user profiling
- the information given to the user does not explain the final purpose of the processing (real-time bidding system, followed by the retention of data in order to define a commercial profile)
- the collection of data is activated by default
Risks for individuals: particular risk for their privacy as the data reveals their physical movements and daily habits
Exercising of rights: the processing takes place without the people concerned being aware of it, and without them being able to exercise their rights defined by GDPR.
Compliance deadline: 3 months
Publication of the decision: considering the nature of the breaches, the number of people concerned (over 5 million via SDKs and more than 42 million via the real-time bidding system) and the need to raise awareness amongst professionals of the sector regarding the stakes associated with the use of this type of technology
24/10/18 – France – CNIL – end of formal notice targeting Direct Energie
Facts: Formal enforcement notice served on 5th of March 2018 by the CNIL, with a 3-month compliance period
Measures taken to terminate the breach
- Commercial offers allowing the consumer to choose what data he agrees to share (detailed monitoring, standard monitoring, no monitoring)
- No default data collection
- Information provided to consumers is clear and unambiguous: possibility of accepting daily or half-hourly electricity consumption readings without believing it to be a mandatory consequence of installing the smart meter; possibility of withdrawing consent at any moment via the online customer area; setting up of a specific method for informing clients when contracting with them by phone: general conditions of use communicated orally and then by SMS or e-mail sent during the call with the agent.
16/10/2018 – International / Turkey – Marketing communications via e-mail, SMS or phone call
On the 15th of August 2018, the Turkish personal data protection authority (Kişisel Verileri Koruma Kurulu) ruled on marketing communications taking place via e-mail, SMS or phone calls, stating that data controllers as well as their subcontractors are to cease this type of communication immediately unless they have obtained explicit consent from the recipient or are able to justify that the data processing in question is exempt from the legal obligation to obtain prior consent. The authority also reminds data controllers that they must take all technical measures necessary to ensure an adequate level of security for the data and to guarantee its protection, and that subcontractors are jointly responsible for ensuring the measures are properly implemented.
11/10/2018 – France – CNIL – Adoption of two certification frameworks relating to DPO competences
A certification is not mandatory to practice as a Data Protection Officer (DPO), nor is it to be registered as one with the CNIL. It only enables one to prove his skills and know-how.
The CNIL has thus adopted:
- a certification framework setting the conditions of admissibility as well as the list of expected skills/know-how to be certified as a DPO
- a framework of approval setting the applicable criteria for organizations wishing to be authorized by the CNIL to deliver DPO certifications: indeed, the CNIL itself will not be the entity granting DPO certifications
As of now, the CNIL is yet to approve a certifying organization.
11/10/2018 – PORTUGAL – CNPD (Comissão Nacional de Proteção de Dados) – 1st GDPR related fine in Europe– Sentencing of Barreiro-Montijo >> 400K€
Facts: In June 2018, the CNPD (ICO equivalent in Portugal) carried out an inspection of the Barreiro-Montijo hospital following a warning from a doctors’ organization. On this occasion, the CNPD discovered that 9 members of the hospital’s administrative staff had access to patients’ clinical files, which should be accessible to doctors exclusively. The CNPD then noticed that 958 doctors had an account allowing them to access patients’ clinical files, despite the hospital only having 296 doctors on staff. This gap is attributed to the fact that an account is created for every temporary doctor and that these accounts are neither deleted nor deactivated at the end of the respective assignments (sometimes 2 years earlier). Several other flaws were detected in the creation and management of accounts. Strikingly, when creating a simple trial account, the CNPD experts were able to access sensitive data relating to patients who were no longer treated by the Barreiro-Montijo hospital.
Breach of personal data principles: the CNPD found 3 GDPR violations:
- not respecting data integrity and confidentiality principles
- failure to respect the obligation of limiting access to data (not taking into account the profile of each employee)
- person responsible for the data processing incapable of guaranteeing the integrity of the data
Defence of the hospital: the healthcare centre argued that the Portuguese ministry of health manages the authorizations enabling access to patient data, and that it lacked the computing resources necessary to manage the data effectively
Penalties: The Hospital was sentenced to a 400K€ fine, 150K€ for each of the first two violations and 100K€ for the third violation.
Bearing in mind that GDPR plans for fines that can reach 20 million euros for this type of breach, this fine seems relatively lenient, especially considering the sensitive nature of the data in question, which relates to the medical field.
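The account problems found at Barreiro-Montijo (accounts outliving temporary assignments, far more accounts with clinical access than doctors on staff, administrative staff able to read clinical files) are exactly what a periodic access review is meant to catch. As an added example that is not the hospital's or the CNPD's code, the following Python runs such a review over a constructed roster and account list; the roles, the review date, the field names and the sample figures are assumptions for this example, not the figures from the decision.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Staff:
    staff_id: str
    role: str                        # constructed roles: "doctor" or "admin"
    assignment_end: Optional[date]   # None means permanent staff / still assigned


@dataclass
class Account:
    username: str
    staff_id: Optional[str]          # None: nobody in the roster owns this account
    clinical_access: bool            # may read patients' clinical files
    active: bool


# Constructed sample data for the example (not the hospital's real figures).
TODAY = date(2018, 6, 15)
SAMPLE_ROSTER: Dict[str, Staff] = {
    "S001": Staff("S001", "doctor", None),
    "S002": Staff("S002", "doctor", date(2018, 12, 31)),   # assignment still running
    "S003": Staff("S003", "doctor", date(2016, 6, 30)),    # temporary doctor who left two years ago
    "S004": Staff("S004", "admin", None),
}
SAMPLE_ACCOUNTS: List[Account] = [
    Account("dr.perm", "S001", True, True),
    Account("dr.temp", "S002", True, True),
    Account("dr.gone", "S003", True, True),      # never deactivated after the assignment ended
    Account("adm.desk", "S004", True, True),     # administrative profile with clinical access
    Account("test01", None, True, True),         # trial account with no owner in the roster
    Account("dr.old", "S003", True, False),      # already disabled: not reported
]


def review_access(roster: Dict[str, Staff], accounts: List[Account],
                  today: date, grace_days: int = 0) -> Dict[str, List[str]]:
    """Return the three classes of finding the brief describes, keyed by finding type."""
    findings: Dict[str, List[str]] = {"orphaned": [], "expired_assignment": [], "excess_privilege": []}
    for acct in accounts:
        if not acct.active:
            continue
        staff = roster.get(acct.staff_id) if acct.staff_id is not None else None
        if staff is None:
            # Nobody on the roster is accountable for this login.
            findings["orphaned"].append(acct.username)
            continue
        if staff.assignment_end is not None and (today - staff.assignment_end).days > grace_days:
            # The person left but the account was neither deleted nor deactivated.
            findings["expired_assignment"].append(acct.username)
        if acct.clinical_access and staff.role != "doctor":
            # Access beyond what the person's profile justifies.
            findings["excess_privilege"].append(acct.username)
    return findings


def clinical_access_gap(roster: Dict[str, Staff], accounts: List[Account],
                        today: date) -> Tuple[int, int]:
    """Compare active accounts that can read clinical files with doctors currently on staff."""
    accounts_with_access = sum(1 for a in accounts if a.active and a.clinical_access)
    doctors_on_staff = sum(
        1 for s in roster.values()
        if s.role == "doctor" and (s.assignment_end is None or s.assignment_end >= today)
    )
    return accounts_with_access, doctors_on_staff


if __name__ == "__main__":
    for kind, users in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{kind}: {users}")
    print("accounts with clinical access vs doctors on staff:",
          clinical_access_gap(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY))
```

The headline ratio returned by `clinical_access_gap` is the cheap early-warning figure; the per-account findings are what the deprovisioning process then has to act on, ideally triggered automatically by the HR assignment end date rather than waiting for a review.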
09/10/2018 – Belgian data protection authority wishes for a globally reaching right to oblivion
In July 2016, the Belgian Commission for the Protection of Privacy (CPP) (since renamed the Data Protection Authority, DPA) received a complaint regarding URLs available on a search engine which pointed to calumnious and defamatory content associating the plaintiffs with serious cases in which they had not been involved and for which they were never prosecuted.
The plaintiffs had therefore filed delisting requests with the search engine concerned. These attempts proved useless, as new links with slightly modified URLs yet identical content seemed to reappear endlessly.
The delisting process was also revealed as being partial and ineffective for the following reasons:
- it didn’t affect all the search engine’s various extensions from all the regions in which it is accessible
- it was limited to search keys which included the name and first name of the plaintiffs; as a result, adding a specific term associated to the name and first name caused the previously de-listed results to re-appear.
The plaintiffs therefore requested from the CPP that the delisting apply to all versions of the search engine, that it no longer be limited in geographical scope, and that the modalities for exercising their right to be delisted be adapted to include, for example, the introduction of a filtering system.
This complaint was favourably received by the CPP, which believes that the various extensions of a search engine can be considered as nothing but various technical pathways to a single search engine, constituting one single processing operation. The search engine’s URLs can then be targeted by differentiated blocking decisions depending on the artificial territorial location they originate from.
According to the CPP, the limited territorial scope prevents the exercise of one’s right to privacy from having any useful effect.
A similar case concerning the territorial scope of the right to be delisted recognized by the 14 May 2014 “Google Spain” judgment, around three questions referred for a preliminary ruling, is currently pending before the ECJ, and the Court’s decision is expected during the coming months.
On the 10th of January, the Advocate General presented his opinion, in which he explained that he was not in favour of such a wide-reaching interpretation of Union rights, as this would imply that the latter have effects beyond the borders of the 28 member states.
Despite this, he doesn’t rule out the possibility of obliging search engines to proceed to worldwide delisting in certain cases.
08/10/2018 – Security vulnerability on social network Google+
The Wall Street Journal revealed on 8 October that a security vulnerability in Google+’s programming interface (API) had put users’ personal data at risk over a 3-year period from 2015 to 2018, when Google noticed the vulnerability during an internal audit. Google is said to have hesitated before disclosing this discovery to the public, but eventually did so soon after. Google estimates 500 000 accounts were concerned by this vulnerability and that 438 third-party applications using the API potentially had access to this data. Amongst the data concerned were the name, e-mail address, occupation, age and gender of users.
Google soon announced the imminent closing of Google + to the public, largely due to this issue. Despite this, Google state no collection or wrongful utilization of the data has been noted. Google has since corrected this vulnerability and has limited the accessibility of personal data via APIs.
08/10/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Heathrow Airport Limited (HAL): £120,000
Facts: On the 16th of October 2017, a USB memory stick lost by a HAL employee was found by a member of the public, who later viewed the material it contained (76 folders and over 1000 files containing employees’ personal data, not encrypted or password protected). It was viewed and passed to a national newspaper which took copies of the data. The ICO became aware of the incident via the media.
Data security: Companies must ensure that proper corporate standards, training and procedures are put in place to minimise the vulnerability of personal data. At HAL, only 2% of staff members had been trained in data protection, and staff members were using removable media in contravention of HAL’s policies. Controls and policies were ineffective. Appropriate technical and organisational measures shall be taken against unlawful/unauthorised processing and loss of personal data.
Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts. That being so, HAL was fined £120,000 (approximately 136K€) in accordance with the Data Protection Act 1998, considering the seriousness of the contravention (sensitive data involved, ineffective measures, and the size of HAL), and to promote compliance with privacy legislation.
28/09/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Bupa Insurance Services Limited (Bupa) : £175,000
Facts: An employee was able to extract 547 000 customers’ information (such as name, date of birth, e-mail address, nationality) and offered it for sale on the dark web. The ICO was notified through complaints from Bupa’s customers.
Data security: Bupa failed to assess the risk and to have effective security measures in place to protect customers’ information. The data controller must take appropriate technical and organisational measures against unauthorised and unlawful processing.
Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts (2017). That being so, Bupa was fined £175,000 (approximately 197K€) in accordance with the Data Protection Act 1998, given the seriousness of the breach and to promote compliance with privacy legislation.
20/09/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Equifax Ltd : £500000
Facts: The US parent company of Equifax Ltd was subject to a cyber-attack back in 2017 which affected 146 million customers globally, including 15 million UK citizens.
Data security: The UK branch was responsible for the personal data of its UK customers and failed to take appropriate measures to ensure that the processor, i.e. the US branch, was protecting the information (names, dates of birth, addresses, passwords, driving licence and financial details).
Data principles breached: failure to secure personal data, poor retention practices (data retained much longer than needed), general lack of lawful purpose, and lack of legal basis for international transfers of UK citizens’ data.
Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts (2017). That being so, Equifax Ltd was fined £500,000 (approximately 562K€) in accordance with the Data Protection Act 1998, which is the highest level of fine under this law (considering the number of victims, the type of data at risk and Equifax’s inexcusable behaviour), in order to promote compliance with privacy legislation.
04/09/2018 – UK – ICO (Information Commissioner’s Office) / Enforcement notice served to the London Borough of Lewisham
Facts: Data subjects access requests to the London Borough of Lewisham are not handled in due time, owing to its inefficient internal systems, procedures and policies for dealing with subject access requests.
Exercise of the right of access: When a request of access is made, the data controller must respond to subject access requests without undue delay. In addition, the means to respond to such requests must be adequate.
Notice: The ICO set a deadline of 15 October for the London Borough of Lewisham to respond to the 19 individuals who had submitted a subject access request for their personal data before 25 May last, with weekly reporting on the actions taken.
31/08/2018 – Data breach at Abbyy
Facts: A server failure made nearly 200 000 scanned documents from a single client of the Russian company publicly accessible.
Information given through a press release (probably to avoid bad publicity and to reassure).
28/08/2018 – Data breach at System U (car rental website)
Facts: hacking resulting in a data breach (identification, contact information, booking information; no payment data)
Notification of the breach to the CNIL and through a press release.
27/08/2018 – Data breach at T-Mobile US
Facts: Potential security breach detected and quickly corrected, which may have resulted in a data breach affecting possibly more than 2 million victims (name, billing postcode, phone number, e-mail address, account number and type of account; no payment data).
Notification through a press release.
03/08/2018 – Publication of Decree No. 2005-1309 supplementing the LIL.
Setting of deadlines and procedures applicable to the CNIL’s missions and clarification of certain provisions of the law (medical data, means of informing the persons concerned, etc.)
24/07/2018- CNIL- Sanction for Dailymotion : 50 K€
Facts: Breach of encrypted data during an attack carried out by using the credentials of an administrator account stored in clear text on the collaborative development platform “Github”, and by exploiting a vulnerability in the code of the Dailymotion platform published on “Github”: 82.5 million e-mail addresses and 18.3 million passwords concerned.
Obligation to secure personal data: elementary measures could have avoided the breach: not storing the credentials of an administrator account in clear text in the source code; setting up an IP address filtering system or a VPN (Virtual Private Network) when outsiders can connect remotely to an internal computer network.
Sanction: it would certainly have been higher if the breached data had not been encrypted.
Publication of the decision: to hold the controller accountable and given the huge amount of data involved.
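Both the Uber brief earlier on this page and the Dailymotion brief above turn on credentials committed to source code on a hosting platform. As an added example (not code from either company, the ICO or the CNIL), here is a small Python scanner that flags the common forms this takes in a constructed source file, while leaving alone lines that read the value from the environment or a secrets store at runtime; the rules, the sample file and the `SAFE_SOURCE` allow-list are assumptions for this example.

```python
import re
from typing import List, Tuple

# Heuristic rules (constructed for this example). Each entry is (finding name, regex).
RULES = [
    # a secret-looking name assigned or mapped to a non-trivial string literal
    ("hard-coded credential assignment",
     re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key)\s*[=:]\s*['\"][^'\"]{4,}['\"]")),
    # user:password embedded in a connection URL
    ("credentials in URL",
     re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@'\"]+:[^/\s@'\"]+@")),
    # PEM-encoded private key material committed as text
    ("private key block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# The safe pattern: the value is fetched at runtime rather than written into the file.
SAFE_SOURCE = re.compile(r"(?i)(os\.environ|getenv|vault|secretsmanager)")


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding name, stripped line) for every line that trips a rule."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SAFE_SOURCE.search(line):
            continue
        for name, rule in RULES:
            if rule.search(line):
                findings.append((lineno, name, line.strip()))
                break   # one finding per line is enough for triage
    return findings


# Constructed sample file, written to look like a typical config module.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
ADMIN_PASSWORD = "Tr0ub4dor&3"                      # committed admin credential
DB_URL = "postgres://deploy:s3cret@db.internal.example/app"
API_KEY = os.environ["API_KEY"]                       # read from the environment: not flagged
TOKEN = ""                                            # empty placeholder: not flagged
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for lineno, name, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {line}")
```

A check like this belongs in a pre-commit hook or CI job so that a credential is rejected before it reaches the shared repository; once it has been pushed, the only safe response is to rotate the credential, since the repository history keeps the old value.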
24/07/2018 CNIL – Sanction for the Public Housing Office of Rennes Métropole Archipel Habitat : 30K€
Facts: Complaint received concerning the use by the President of the OPH (also Mayor of Rennes) of the file of social housing tenants to send them a politicized letter about the APL and the government’s position.
Lawful processing: the personal data collected cannot be processed for purposes other than those that justified the collection (here the management of applications for social housing and of the housing stock). Even if external communication could be a legitimate purpose, the mailing here was not a newsletter, because of the controversial content of the letter (criticism of a government announcement).
Publication of the decision: to remind all actors of the social housing sector of the prohibition on using data outside the initial purpose, and because of the OPH’s lack of awareness of a fundamental principle of the LIL.
17/07/2018- CNIL – Closing of the formal notice against Genesis Industries Limited
Following the CNIL’s formal notice, the answers provided by Genesis and the subsequent controls from the CNIL, allowed to verify that the voice recognition, necessary for the toys to respond to the questions asked by the children, is no longer used. The discussions with the toys are no longer transferred to the servers of a third-party company outside the EU and the use of the toys no longer leads to the processing of data.
10/07/2018 CJUE- The data protection regulation applies to religious communities
Joint responsibility of a religious community (Jehovah’s Witnesses) and its preaching members: door-to-door preaching is not an exclusively personal or domestic activity of each preacher, which would allow them to escape the regulation, since it goes beyond their private sphere. Joint responsibility does not necessarily presuppose that each actor has access to the personal data: the community organizing, coordinating and encouraging preaching by its members participates in determining the purposes and means of the processing.
02/07/2018 CNIL press release – What controls for 2018?
The CNIL’s controls in 2018 will follow the same lines as before, with investigations based on complaints and reports sent to the CNIL, verifications carried out following closures, formal notices or sanctions, missions carried out on the basis of current topics and the annual program of controls on the specific themes selected. For 2018, it concerns the processing of personal data related to recruitment (including evaluation tools), rental real estate (on the vouchers requested by the agencies) and paid parking carried out with connected tools.
02/07/2018 CNIL- Formal notice against the Institute of informatic and commercial techniques- CCTV: The constant surveillance of employees or students is excluded.
Any system that constantly monitors employees or students is excessive, that is to say one that films the entrances to the establishment, the circulation areas and the common areas throughout the establishment’s opening hours, except in exceptional circumstances.
The obligation to inform the persons filmed can be met by mentioning it in the general conditions of enrolment, by posting a notice and by circulating it to employees (information note / employment contract).
When the purpose of the processing is to protect property and people (theft, assault, damage) and to prevent student misconduct, a retention period of one month would be adequate.
01/07/2018- International/ Brazil – the LGPD should come into force within 18 months.
After 8 years of work, and inspired by the 1995 European Directive, the first Brazilian law on the protection of personal data (LGPD) will come into force. It creates and standardizes a comprehensive protection system with 10 legal bases to justify the processing of personal data (including consent), enhanced protection for so-called sensitive data (e.g. ethnic origin, political and religious opinions, sexual preferences and genetic data), the creation of a dedicated authority (ANPD), the establishment of a privacy officer function within public and private entities, data breach notification obligations, and fines that can reach 50 million Brazilian reals (about 10 million euros) with a possible prohibition of the processing in question.
28/06/2018 CEDH – When people convicted more than 20 years ago are denied anonymity in the media: the right to be forgotten is not absolute.
In order to identify whether the right to be forgotten has to be implemented, a balance must be struck between respect of privacy and public’s freedom of expression and information.
28/06/2018 CNIL press release- The most common negligence in the security of websites.
The most frequently encountered, yet easily avoidable, pitfalls in website security are in particular: authentication with a password policy that is too weak, the absence of authentication checks on access to an account (an incrementable URL being enough to reach it), the lack of data encryption, and the indexing of data by a search engine.
21/06/2018 CNIL- Sanction for the association for the development of fireplaces : 75K€.
Facts: Notification sent to the CNIL, which carries out an online check and warns the ADEF of a personal data breach (modifying the path of the URL displayed in the browser allowed access to documents uploaded by other applicants: taxi notices, passports, identity cards, residence permits, pay slips, CAF payment certificates, NIR, IBAN, etc., belonging to housing applicants who had registered on the association’s website) and asks it to fix the issue. A few days later, the CNIL notes that, although the ADEF had asked the company that developed its website to intervene, the data is still accessible.
Obligation of security and confidentiality of personal data: basic measures upstream of the site’s development could have avoided the breach: putting in place a mechanism to make URLs unpredictable, and an authentication procedure for the website’s users.
Sanction: it would certainly have been higher if the ADEF had not cooperated with the CNIL.
Publication of the decision: in view of the gravity of the situation related to the open access and the volume of documents (42652) and having in mind the intimate and complete nature of the data concerned.
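The ADEF breach and the CNIL's list of common website negligence above both describe the same flaw: a document is reachable through a URL whose identifier can simply be changed, with no check that the requester is logged in and owns it. As an added example (not the ADEF's site or CNIL material), the Python below places that weak handler next to a hardened one that requires a session, looks documents up by a random reference and only returns a document to its owner; the store, the path layout and the sample documents are assumptions for this example.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Document:
    owner: str        # username of the applicant who uploaded it
    filename: str
    content: bytes


class DocumentStore:
    """Keeps a sequential id (the weak pattern) and a random reference (the hardened one) per document."""

    def __init__(self) -> None:
        self.by_seq: Dict[int, Document] = {}
        self.by_ref: Dict[str, Document] = {}
        self._next_seq = 1

    def add(self, doc: Document) -> Tuple[int, str]:
        seq = self._next_seq
        self._next_seq += 1
        ref = secrets.token_urlsafe(24)   # 192 random bits, 32 characters: not guessable or incrementable
        self.by_seq[seq] = doc
        self.by_ref[ref] = doc
        return seq, ref


SEQ_PATH = re.compile(r"^/documents/(\d+)$")
REF_PATH = re.compile(r"^/documents/([A-Za-z0-9_-]{32})$")

Response = Tuple[int, Optional[bytes]]   # (HTTP status, body)


def handle_vulnerable(store: DocumentStore, session_user: Optional[str], path: str) -> Response:
    """The pattern in the brief: id taken straight from the URL, no login check, no ownership check."""
    m = SEQ_PATH.match(path)
    if not m:
        return 404, None
    doc = store.by_seq.get(int(m.group(1)))   # session_user is never consulted
    return (200, doc.content) if doc else (404, None)


def handle_hardened(store: DocumentStore, session_user: Optional[str], path: str) -> Response:
    """Authentication first, then an unguessable reference, then an ownership check."""
    if session_user is None:
        return 401, None                      # authentication required
    m = REF_PATH.match(path)
    if not m:
        return 404, None
    doc = store.by_ref.get(m.group(1))
    if doc is None or doc.owner != session_user:
        return 404, None                      # same answer for "not yours" and "does not exist"
    return 200, doc.content


if __name__ == "__main__":
    store = DocumentStore()                   # constructed sample documents
    seq_a, ref_a = store.add(Document("alice", "passport.pdf", b"alice-passport"))
    seq_b, ref_b = store.add(Document("bob", "payslip.pdf", b"bob-payslip"))
    print("vulnerable, alice asks for bob's id:", handle_vulnerable(store, "alice", f"/documents/{seq_b}"))
    print("hardened, alice asks for bob's ref:", handle_hardened(store, "alice", f"/documents/{ref_b}"))
    print("hardened, alice asks for her own:", handle_hardened(store, "alice", f"/documents/{ref_a}"))
```

The ownership check is the essential fix; the random reference is defence in depth, so that a future bug in the check does not turn the whole archive into a numbered list again. Returning 404 rather than 403 for someone else's document avoids confirming that a given reference exists.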
21/06/2018 – The age of digital majority in France is set at 15 years old.
A minor may consent to the processing of his personal data from the age of fifteen. Below this age, additional parental consent is required (Art. 20 of Law No 2018-493 of June 20, 2018, on the protection of personal data).
21/06/2018 – Promulgation of Law No. 2018-493 of June 20, 2018 amending the LIL.
Update of certain provisions in line with the Data Protection Regulation, exercise of the national margins of manoeuvre provided for in the Data Protection Regulation (e.g. age of digital majority) and transposition of Directive 2016/680 “Police Justice”.
According to the CNIL, an ordinance completely rewriting the “Data Processing and Liberties” law is planned within a period of six months, to make the current legal framework more legible (the current LIL still contains provisions which, under the Data Protection Regulation, are no longer applicable, and does not mention certain new rights and obligations provided by the Data Protection Regulation).
13/06/18 – Supreme Court – No conviction for Air France
Compliance: the software tracking the pilots' activity complies with the LIL (apart from a few minor failures noted): fair collection of data (the persons concerned are informed of the existence of the processing, its purposes, the recipients and their rights by means of a paper memo and on the dedicated intranet), and no diversion from the purpose of the processing (the data contained in this software are not cross-referenced with those used for monitoring the pilots' careers).
Nature of the data: information about sick leave is not sensitive data, because the reason for the leave is not indicated and it is therefore not health data.
06/06/18 State Council – Conviction for challenges.fr: 25K€
Legal basis of the processing: advertising cookies, even if they are necessary for the economic viability of the website, require the web user's consent before they are deposited.
Obligation of information: the web user must be informed of the cookies that may be deposited, specifying which are mandatory and which are subject to his consent, as well as the consequences of any objection on his part. Merely inviting the web user to configure his browser is not a valid means of objection.
Retention period: cookies, 13 months.
Obligation to cooperate with the CNIL: it is up to the company that has been served a notice by the CNIL to show that it has done what is necessary to rectify its infringement.
05/06/18 CJUE – Joint responsibility for processing: deactivation of a fan page on the social network Facebook.
Responsibility: although the social network is primarily responsible, the administrator of a fan page is jointly responsible for the processing. He makes an active and voluntary contribution (through the page's settings) to the social network's collection of the personal data of the visitors of his page, and benefits from the resulting statistics to manage the promotion of his activity (knowing the profile of the visitors who like the fan page or use its applications, in order to offer them more relevant content and to develop the functionalities most likely to interest them). Even if the statistics reach the administrator in anonymized form, the processing itself is not anonymous, and in practice a visitor need not hold an account on the social network for his data to be processed.
25/05/2018 – Entry into force of the long-awaited … and so dreaded GDPR
The week the new European regulation on personal data entered into force saw many companies rush around this deadline to assail their contacts and clients with e-mails.
- Several observations: most of these e-mails aimed to ask people for a (new) consent; most people did not read these e-mails, received in a jumble, and even fewer confirmed a consent.
- Several reflections: it seems that in most cases the legal basis for the processing did not have to be consent (remember that a company can, on the basis of a legitimate interest, send offers to customers naturally interested in its products and services); by sending this request massively, companies have placed themselves under an obligation to obtain consent; even where consent was necessary, it is far from certain that it really was necessary by 25 May; the result of this haste is most certainly a massive loss of business data and of the value that goes with it.
The CNIL has announced that it will remain fairly flexible in its controls until the end of 2018. So there is still time to reflect on the legal aspect and to verify, case by case, what the company's obligations are and what steps to take towards the compliance that needs to be implemented.
07/05/18 CNIL – Conviction for Optical Center: 250K€
Online check, followed by an on-site inspection.
Security requirement: a flaw in online ordering on its website gave access to hundreds of customer invoices containing personal data (surname, first name, postal address, health data and sometimes date of birth and social security number).
Sanction: 250K€ despite Optical Center's active collaboration in fixing the flaw, because restricting access to the documents held in personal accounts is an essential precaution, and the company was aware of IT security risks, having already been sanctioned in 2015 (50K€).
Publication of the decision: because the data exposed were particularly sensitive and numerous (334,769 documents) and the number of customers affected was significant.
09/03/2018 State Council – Confirmation of the non-dismissal by the CNIL of a Correspondant Informatique et Libertés (CIL).
Informing the customers of a banking institution of the financial risk they take by contracting a loan is not one of the duties of the CIL, who therefore did not fail in his obligations.
14/02/2018 TGI Paris – Invasion of privacy and malice: 2K€ D&I (damages), 2K€ art. 700, removal of the web page.
If court decisions are published in full, the freely accessible databases that reproduce them must anonymize them.
Identifying, on a web page, a person convicted (of illegal practice of pharmacy, marketing of drugs without a marketing authorisation (MA), non-compliance with the rules on drug advertising and tax evasion) by publishing the anonymized court decisions, highlighting facts that are very old without contributing any new element to the debate, is a malicious lifting of anonymity and is reprehensible.
20/02/2018 Council of State, interim relief – Implementation of the automated processing of personal data “Parcoursup”.
Several students' unions sought the suspension of an order authorizing the implementation of the automated processing of personal data “Parcoursup”, which they considered illegal. After balancing the interests at stake, the State Council considered that suspending “Parcoursup” would harm the general interest (the smooth running of the pre-registration procedures for higher education) to an extent exceeding the inconvenience invoked by the claimant unions, given the limited nature of the processing. The conditions of seriousness and urgency were not met.
20/11/2017 CNIL – Notice against Genesis Industries Limited
Notice to secure, within two months, the connected toys: the doll “My Friend Cayla” and the robot “I-QUE”, which answer the questions children ask them, are equipped with a microphone and a speaker and paired with a mobile application, so that the company collects a great deal of personal information about children and their entourage (voice, content of conversations, information entered in the “My Friend Cayla App” application).
Security failure: anyone within 9 meters of the toys with a Bluetooth communication system can connect to the doll without having to authenticate, and thus hear and record the words exchanged between the child and the toy or any conversation near the toy, and also communicate with the child.
Failure to inform the users of the toys: while personal information is processed by the company, toy users are neither informed of the company's data processing nor informed that the company transfers conversation content to a service provider located outside the European Union.