In a decision dated January 9, 2018, published in the official journal, the CNIL (French Data Protection Authority) imposed a particularly severe penalty on the company Darty, ordering it to pay a fine of €100,000. The company was primarily accused of failing to adequately secure the data of customers who had submitted online after-sales service requests.
After filling out an after-sales service form, the appliance company’s official website displayed a hyperlink “corresponding to the request registration number,” the URL of which displayed the case number: http://darty.epticahosting.com/selfdarty/requests.do?id=XXX. By modifying the last variable, it was then possible to view the forms completed by other customers who had used the same form and all their associated personal data.
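The flaw described above is the classic insecure direct object reference: a record is fetched by the sequential number taken from the URL with no check that the person asking is the person who filed it. The following is an added illustration, not code from Darty or its provider, using a constructed in-memory store and hypothetical handler names. It shows the defective lookup beside two defensive patterns: verifying ownership against the authenticated session before returning anything, and issuing customer-facing links that carry an unguessable reference instead of the row id.

```python
"""Illustration of an insecure direct object reference (IDOR) and its fix.

Everything here is constructed: the store, the customer records and the
handler names are hypothetical and stand in for an after-sales request system.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ServiceRequest:
    request_id: int            # sequential database id: trivially guessable
    owner_email: str           # customer who submitted the form
    description: str
    # Unguessable reference for customer-facing links (128 bits of entropy).
    public_ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample data standing in for the request store.
REQUESTS: Dict[int, ServiceRequest] = {
    1001: ServiceRequest(1001, "alice@example.test", "Washing machine leaks"),
    1002: ServiceRequest(1002, "bob@example.test", "Fridge not cooling"),
}
BY_REF: Dict[str, ServiceRequest] = {r.public_ref: r for r in REQUESTS.values()}


class Forbidden(Exception):
    """Raised when a session may not read the requested record."""


def get_request_insecure(request_id: int) -> Optional[ServiceRequest]:
    """The defective pattern: whoever supplies an id receives the record.

    With sequential ids, changing 1001 to 1002 in the URL yields another
    customer's form and all the personal data on it.
    """
    return REQUESTS.get(request_id)


def get_request_secure(request_id: int, session_email: str) -> ServiceRequest:
    """Hardened lookup: ownership is verified against the authenticated
    session before anything is returned.

    A missing record and another customer's record are treated identically
    so the response does not reveal which ids exist.
    """
    rec = REQUESTS.get(request_id)
    if rec is None or rec.owner_email != session_email:
        raise Forbidden("request not accessible to this session")
    return rec


def get_request_by_ref(public_ref: str, session_email: str) -> ServiceRequest:
    """Second layer: links carry an unguessable reference instead of the row
    id, and ownership is still checked. Neither measure replaces the other:
    the random token removes enumeration, the ownership check closes the
    hole even if a link is shared or leaked.
    """
    rec = BY_REF.get(public_ref)
    if rec is None or rec.owner_email != session_email:
        raise Forbidden("request not accessible to this session")
    return rec


def access_allowed(request_id: int, session_email: str) -> bool:
    """Convenience predicate: does the hardened handler grant this access?"""
    try:
        get_request_secure(request_id, session_email)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Alice is logged in and tries her own request, then Bob's.
    print("insecure, foreign id:", get_request_insecure(1002).owner_email)
    print("secure, own id:", access_allowed(1001, "alice@example.test"))
    print("secure, foreign id:", access_allowed(1002, "alice@example.test"))
```

The same ownership check belongs on every route that resolves a user-supplied identifier, and it has to be applied server-side: hiding the id in the link or relying on the front end to not show other customers' records provides no protection, which is exactly the situation the CNIL audits reproduced.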
GDPR & Data Protection: Negligence in protecting customer data
Having been informed of this security incident in February 2017, the CNIL (French Data Protection Authority) conducted several online and on-site audits, which confirmed the security flaw described above: it allowed unrestricted access to all customer requests and data – 918,721 records in total. The accessible data included customers’ first and last names, postal addresses, email addresses, and telephone numbers.
Noting that no corrective measures had been taken despite its notification, the CNIL initiated sanction proceedings against the company “Etablissements Darty et Fils” for failing to meet its obligation to ensure the security of personal data. The restricted panel noted that “good practice in IT security would have consisted of disabling features or modules of a tool that were not used or necessary.”
The CNIL based its decision on Article 34 of the French Data Protection Act of 6 January 1978, which states that “the data controller is required to take all necessary precautions, in view of the nature of the data and the risks presented by the processing, to preserve the security of the data and, in particular, to prevent it from being distorted, damaged, or accessed by unauthorized third parties.”
Personal data: Software developed by a third party was the source of the vulnerability
This decision, which is subject to appeal before the Council of State, reveals the severity of the CNIL’s sanction in several ways. Firstly, the fact that the data was neither critical nor particularly sensitive highlights the general nature of data protection obligations. Secondly, the after-sales service request form, which was the source of the security breach, originated from a service provided by a third-party subcontractor.
Yet, the CNIL considered Darty, as the data controller, to be bound by the obligation to ensure the security of the data processed on its behalf, and required to ensure compliance with software configuration and security rules – “basic tests that must be carried out by an information systems security company” – as well as the regular review of the forms in question.
GDPR: Corporate accountability
The foundation of this decision lies in the Law for a Digital Republic of October 7, 2016, which significantly increased the CNIL’s (French Data Protection Authority) sanctioning powers through Articles 64 and 65. These articles allow the CNIL, in addition to issuing formal notices and injunctions, to impose financial penalties on companies, capped at three million euros.
The law specifies that the following factors are taken into account: the seriousness of the breach and the benefits derived; whether the breach was intentional or negligent; the measures taken by the data controller to mitigate the harm suffered by the data subjects; the degree of cooperation with the CNIL to remedy the breach and mitigate its potential negative effects; the categories of personal data concerned; and how the CNIL was notified of the breach.
Data protection: a major new challenge for companies
The first sanction based on the French Law for a Digital Republic, issued by the CNIL (French Data Protection Authority), came in July 2017 against Hertz for failing to meet its data security obligations within the framework of a subcontracting relationship, fining the company €40,000.
Following the Hertz decision, the sanction against Darty comes as the General Data Protection Regulation (GDPR) is set to enter into force on May 25, 2018, imposing new obligations and particularly severe penalties on businesses.
Among the new measures, the GDPR places particular emphasis on companies’ responsibility for data processing and protection, and their obligation to demonstrate their due diligence in controlling their users’ data. Article 33 of the GDPR thus generalizes the obligation to notify the competent supervisory authority of security breaches and imposes a new obligation to inform individuals affected by a breach of their personal data.
It is up to French companies to comply with the new data protection legislation as quickly as possible to avoid potentially severe penalties.