GDPR & Personal Data

2018 – CNIL and GDPR: ADEF condemned


CNIL and GDPR: shortcomings in the protection of personal data

For several months, the CNIL (French Data Protection Authority) has been ruling with increasing frequency against companies and associations for violating the rules on the protection of personal data, including by imposing substantial fines:

Find the latest news related to the GDPR, commented on by the law firm PCS Avocat:

  • CNIL & Data Protection: Common GDPR Mistakes
  • GDPR Cheat Sheet: Data Processing Documentation
  • Latest CNIL GDPR Sanctions: “The Joke’s Over”
  • GDPR: An Exemplary €50 Million Fine Against Google

On June 21st, the Association for the Development of Hostels (ADEF), which provides housing in residences and hostels, particularly for students, single-parent families, and migrant workers, was fined €75,000 for serious breaches of the security and confidentiality of the personal data of its website's users.

Updated 2019. Seized with a challenge to the independent authority’s decision, the Council of State upheld the ruling, specifying that the fines and publicity measures imposed were proportionate to the identified breaches.

In its decision of April 17, 2019, the Council of State stated that:

“It appears from the investigation that the breach identified by the CNIL’s restricted panel consisted of a security flaw in the online housing application form made available to beneficiaries of services offered by ADEF, allowing any unauthorized third party to access, by simply modifying the corresponding URL links, the documents downloaded by housing applicants.”

Given the nature and seriousness of the breach, which could have been prevented by simple security measures, the significant resources available to the association, and the time it took to implement corrective measures to remedy this breach, the restricted panel of the CNIL did not impose a disproportionate sanction on ADEF by issuing a fine of 75,000 euros.

General Data Protection Regulation: Data security breaches

Informed in June 2017 of a security incident that allowed access to the personal data of housing applicants who had registered on the association’s online platform, the CNIL (French Data Protection Authority) conducted an investigation.

The CNIL found that “a modification of the URL path displayed in the browser allowed access to documents saved by other applicants: tax notices, passports, identity cards, residence permits, payslips, and CAF (French family allowance fund) payment certificates.”

On the same day, the CNIL alerted the association to this personal data breach and asked them to rectify it. A few days later, an on-site inspection was carried out at the association’s premises.

It was found that the data was still accessible, even though the association stated it had asked the company that developed its website to intervene.

Similar to the ruling against Darty earlier this year, the association was held liable for security flaws inherent in the development of its website, flaws that ADEF never addressed: the predictability of the URLs and the lack of a user identification or authentication procedure.
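The two flaws named above, predictable URLs and the absence of user authentication, correspond to two checks on the server side. The following sketch is an added illustration, not code from ADEF's website or from the CNIL decision; the class, method names, and sample data are hypothetical.

```python
import secrets


class DocumentStore:
    """Supporting documents uploaded by housing applicants (hypothetical model)."""

    def __init__(self):
        # doc_id -> (owner_id, filename, content)
        self._docs = {}

    def save(self, owner_id, filename, content):
        # Unguessable identifier (256 random bits) instead of a counter or a
        # name-based path, so the URL of one document reveals nothing about others.
        doc_id = secrets.token_urlsafe(32)
        self._docs[doc_id] = (owner_id, filename, content)
        return doc_id

    def fetch(self, session_user, doc_id):
        """Handle a request for /documents/<doc_id>; returns (status, body)."""
        # Check 1: authentication. No session, no document.
        if session_user is None:
            return 401, b""
        record = self._docs.get(doc_id)
        # Check 2: authorization. The document must belong to the requester.
        # "Unknown" and "not yours" get the same answer, so the response does
        # not confirm which identifiers exist.
        if record is None or record[0] != session_user:
            return 404, b""
        return 200, record[2]


if __name__ == "__main__":
    store = DocumentStore()
    # Constructed sample data.
    own = store.save("applicant-1", "tax_notice.pdf", b"%PDF-own")
    other = store.save("applicant-2", "passport.pdf", b"%PDF-other")
    print(store.fetch("applicant-1", own))    # owner: served
    print(store.fetch("applicant-1", other))  # another applicant's file: refused
    print(store.fetch(None, own))             # unauthenticated: refused
```

The random identifier only makes URLs hard to guess; it is the ownership check in `fetch` that prevents access when a link is modified or leaked.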

Collection and processing of personal data: A variety of determining criteria

This decision highlights the proportionality attached to the various criteria established by the CNIL (French Data Protection Authority). Indeed, good faith and cooperation were among the factors taken into account in its decision, including:

  • the significant volume of data involved – 42,652 documents;
  • the response times following notification and the particularly intimate and comprehensive nature of the data – names, surnames, dates of birth, postal addresses, marital status, and number of children;
  • the national identification number (NIR);
  • bank account details (IBANs);
  • data relating to private life: salary, reference tax income, payment of personalized housing assistance or disability allowance.

In this case, it was these last two criteria that led to the company’s conviction.

With this decision, the CNIL reaffirms the principle of the data protection responsibility of website owners, which cannot be limited to mere token diligence.

Written by:

Published on: 03/07/2018
Updated on: 11/11/2025

PX Chomiac de Sas