20 June 2019
The CNIL confirms its power to impose sanctions without formal notice: SERGIC fined 400,000 euros for a serious breach of its security obligation
At the end of April, the Conseil d’État (the French administrative supreme court) confirmed the ability of the CNIL (the French data protection authority) to sanction violations of personal data security rules without necessarily resorting to a prior formal notice intended to give the offender the possibility of correcting its behaviour (see our news on the OPTICAL CENTER case).
In its decision of 28 May 2019, the supervisory authority confirmed its willingness to exercise this power.
The targeted company is SERGIC, a company specialising in the real estate sector that had been the subject of a complaint by a user, who was surprised that simply changing a number in a URL on the company’s website allowed him to access the files and supporting documents of rental applicants.
An audit in September 2018 revealed a flagrant breach of data security in terms of the volume of data involved and the duration of the breach. CNIL agents were able to download more than 9,000 documents including “copies of identity cards, health cards, tax notices, death certificates, marriage certificates, social security affiliation certificates, certificates issued by the family allowance fund, disability pension certificates, divorce judgments, account statements, bank statements and rent receipts”.
In addition, despite an earlier report, the lack of data protection persisted for more than 6 months before measures were taken to put an end to it.
Finally, the violation is aggravated by the fact that, by the company’s own admission, the data of rental applicants were not deleted once their file had been closed and the application accepted or rejected.
In its decision of May 28, the CNIL therefore found a breach of Article 32(1) of the GDPR, concerning the security measures a controller must take. It insists on the duration of the breach, the large number of documents involved and the sensitive and intimate nature of the data left unprotected.
In addition, the CNIL found a violation of Article 5(1)(e) of the Regulation on the proportionality of data retention periods; for the supervisory authority, the company aggravated its case by keeping, well beyond the original purpose, the data relating to candidates who did not obtain the lease, which should have been deleted as soon as their file was closed.
In view of the seriousness of these breaches and the company’s lack of diligence in handling them, the CNIL ordered the company to pay a fine of 400,000 euros and to publish the sanction, without prior formal notice, and therefore without allowing SERGIC to correct the errors before the sanction was decided.
On this point, the CNIL notes in its decision that a formal notice is in no way made mandatory by the provisions of the 1978 Data Protection Act, which governs its action; this decision thus follows on from the OPTICAL CENTER case.
The CNIL’s message is clear: there is no second chance for serious violations, and data controllers must remain vigilant at the highest level.
Read the decision (in French)
14 June 2019
French supervisory authority sanctions: no obligation of prior formal notice, confirmed by the Administrative Supreme Court
In a decision of April 17 2019, the French supreme administrative court refused to overturn the sanctions imposed by the CNIL (the French data protection authority) on the OPTICAL CENTER company on the grounds that they were not preceded by a formal notice allowing the company to correct the problems.
In 2017, a CNIL investigation initiated following several complaints about OPTICAL CENTER revealed that simply entering URLs in a browser gave access to many invoices and purchase orders of the company’s customers, because access was not restricted to users logged into their personal space.
The CNIL then decided to impose a fine of 250,000 euros for this serious security breach, which violated Article 34 of the French Data Protection Act [1], without any formal notice allowing the company to correct the errors, even though the company had already taken the necessary measures to correct the problem.
This decision was referred to the Conseil d’État which, in its judgment of April 17 2019, confirmed the decision and recalled that the formal notice is not a mandatory step before imposing sanctions, and that Article 45 of the law of 6 January 1978 provides that “Where the breach found cannot be brought into conformity in the context of a formal notice, the restricted formation may pronounce, without prior notice and after a contradictory procedure, the sanctions provided for”.
The Conseil d’État concludes from this that the CNIL may skip the formal notice stage when it is clearly unnecessary: either when the breach cannot be remedied or, as in the present case, when it has already been remedied.
However, the Conseil d’État reduced OPTICAL CENTER’s penalty, ruling that the CNIL, by not taking into account how promptly the company reacted to its requests, had imposed a disproportionate penalty; the fine was therefore reduced to 200,000 euros.
Read the full decision here (in French)
[1] Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés
09 May 2019
Google negative reviews: Free Speech vs Data Protection
Author:
teamtaomanews
On April 12th, 2019, a court order from the judge of summary proceedings in Paris rejected a request to delete a dentist’s “Google MyBusiness” page and the negative reviews that patients had published there. These pages are available through Google Maps to users who search for any entity registered on it, ranging from museums and stores to law firms and fitness gyms.
The dentist argued that the webpage and its content amounted to unlawful processing of her personal data and a manifestly unlawful disturbance.
Although the judge first confirmed that the data used to identify a liberal professional was indeed personal data, he ruled against ordering the removal of the webpage. He also highlighted that the only liable company in this case was Google LLC, as opposed to Google France, which is not in charge of the “MyBusiness” service and as such cannot be considered the data controller under the provisions of the European General Data Protection Regulation (GDPR).
This solution seems to contradict a previous court order delivered by the same jurisdiction, which ordered the deletion of the “MyBusiness” sheet of another dentist for the sole reason that he had expressed his will to have it removed and thus withdrawn his consent [1]. It indeed seems questionable that a professional’s personal data could be freely processed by a third party with no other justification than their availability in business directories.
Regarding patients’ reviews of the dentist’s services, the Court ruled that “the consumer’s legitimate interest to be informed” allowed Google to link comments to a doctor’s identity, and that any abuse of free speech should have been challenged on different legal grounds than those invoked by the claimant; specifically, the Press Act of 1881 (“loi du 29 juillet 1881 sur la presse”) in cases of defamation or insult [2], and Section 1240 of the French Civil Code regarding disparaging speech.
The plain and simple removal of the webpage where the comments were published, on the grounds of the 1978 Data Protection Act (“Loi Informatique et Libertés du 6 janvier 1978”), would represent a disproportionate breach of freedom of speech, at least when ordered by a judge of summary proceedings.
[1] TGI de Paris, summary proceedings order of April 6, 2018
[2] Further reading (in French)