
October 2018 – CNIL & GDPR: Sanctioning an association for data protection violations


GDPR & Personal Data: Alliance Française fined by the CNIL – 30,000 euros

In a decision dated September 6, the CNIL imposed a fine of 30,000 euros on the Alliance française Paris Ile de France association, which is responsible for supporting 90,000 people each year in learning French.

CNIL sanction: Manipulated URL and lack of responsiveness

After being informed in 2017 of a security incident on the association's online platform that left the data of people enrolled in its French courses freely accessible, the CNIL (French Data Protection Authority) found that changing a number in the URL was enough to switch to another user's account and download documents containing personal data, such as invoices, registration certificates, and course summaries.

More than 400,000 documents were accessible in this way during an inspection of the association's premises carried out in early 2018. The problem persisted for several weeks afterward, and it was in early March that the association informed the CNIL that the vulnerability had been resolved.

GDPR: Basic security measures, and a controller that remains responsible despite outsourcing

Through its decision, the CNIL highlights shortcomings in the procedures of the Alliance Française Paris Ile de France. It specifies that basic security measures should have been in place: an identification or authentication procedure for users of the website, which could have been supplemented by a mechanism preventing predictable URLs.
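As an added illustration (not code from the article or from the association's platform), the following Python model contrasts the two patterns the decision describes: a download keyed only by a sequential identifier with no authentication, and a download that authenticates the caller, checks that the caller owns the document, and uses unguessable references. All data, names and functions here are constructed for the example.

```python
import secrets

# Constructed sample data (hypothetical, not the association's real system):
# document id -> owner and document type.
DOCUMENTS = {
    1001: {"owner": "alice", "kind": "invoice"},
    1002: {"owner": "bob", "kind": "registration_certificate"},
}
# Session token -> authenticated user, as a login step would populate it.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
# Unguessable download reference -> document id (defence in depth, see below).
REFERENCES = {}


def vulnerable_download(doc_id):
    """The pattern the CNIL sanctioned: the sequential id in the URL is the only
    key and nobody is authenticated, so any id that exists is served to anyone."""
    return DOCUMENTS.get(doc_id)


def issue_reference(doc_id):
    """Mint a random, non-sequential reference for a document (the 'mechanism
    preventing predictable URLs' the decision mentions). 128 bits of entropy."""
    ref = secrets.token_urlsafe(16)
    REFERENCES[ref] = doc_id
    return ref


def hardened_download(session_token, ref):
    """Return (http_status, document). Authentication first, then an ownership
    check on the resolved document: the random reference alone is not the
    control, the ownership check is; the reference only removes guessability."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None          # not logged in
    doc = DOCUMENTS.get(REFERENCES.get(ref))
    if doc is None or doc["owner"] != user:
        return 404, None          # same answer for unknown and foreign documents
    return 200, doc


if __name__ == "__main__":
    ref = issue_reference(1001)
    print("anonymous, sequential id:", vulnerable_download(1001))   # served
    print("bob, alice's reference:  ", hardened_download("sess-bob", ref))  # (404, None)
    print("alice, own reference:    ", hardened_download("sess-alice", ref))  # (200, ...)
```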

The CNIL’s decision underscores an important aspect of personal data protection: although the vulnerability originated from an error committed by an IT subcontractor, this does not absolve the data controller of the responsibility to rigorously monitor the subcontractor’s actions.

These criteria will likely be used to justify a future sanction against the InfoGreffe platform, on which security vulnerabilities were also recently discovered.

GDPR & Alliance Française – Excerpts from the decision

“Firstly, the restricted panel notes that the absence of user complaints and the fact that the accessible data did not contain any data that could be considered sensitive, as defined in Article 8 of the French Data Protection Act, have no bearing on the characterization of the breach of the obligation incumbent upon a data controller to ensure the security of the data it processes. It further emphasizes that the data breach involved a significant number of documents, all containing identifying data such as names, surnames, and postal addresses.

“Secondly, regarding the association’s responsiveness in ending the data breach, the restricted panel notes that as early as December 4, 2017, the CNIL’s supervisory delegation sent the association an email reporting the existence of the data breach and containing the type of URL from which it originated. The association was therefore able to begin investigations on its subdomain from that date. The restricted panel emphasizes that, contrary to the association’s claim, the data breach was not ended on December 20, 2017, since the CNIL delegation observed its persistence first during the on-site inspection on February 5, 2018, and then again during the online inspection on February 23, 2018. It was only on March 2, 2018, that the association informed the CNIL that the data breach had been definitively resolved.

“Thirdly, the restricted panel considers that the seriousness of the breach is established, in particular with regard to the elementary nature of the security incident constituted by the absence of authentication measures for persons accessing the documents and by the predictable nature of the URL addresses allowing them to be downloaded.

“In light of the elements developed above, the established facts and the breach of Article 34 of the amended Law of 6 January 1978 justify the imposition of a penalty of €30,000 (thirty thousand euros).

“Finally, the restricted panel considers that, given the seriousness of the aforementioned breach, the current context in which security incidents are multiplying, and the need to raise awareness among data controllers and internet users regarding the risks to data security, it is appropriate to make its decision public.”

Written by: PX Chomiac de Sas

Published on: 04/10/2018
Updated on: 17/11/2025