Data Protection Report - Norton Rose Fulbright

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.

The issue giving rise to the financial penalty was a security breach relating to the company’s website notified by a user to the CNIL on 12 August 2018. The user stated that he was able to access other users’ personal information from his website account by changing the URL address.

Online and on-site inspections by the CNIL at the company’s offices respectively on 7 and 13 September 2018 revealed that many documents sent by prospective tenants were freely accessible on the company’s website without prior authentication. It also appeared that, among the documents available online, were included copies of identity cards, health insurance cards, certificates issued by the family allowance fund, divorce judgments and bank details. According to SERGIC, the website’s security breach could have impacted around 29,440 users.

In view of this, the CNIL identified two breaches of the General Data Protection Regulation[3] (GDPR):

1. The CNIL considered that SERGIC had failed to fulfil its obligation to preserve the security of personal data of its website’s users in accordance with Article 32 of the GDPR, which requires the controller to implement security measures appropriate and proportionate to the risks to the rights and freedoms of individuals arising from the processing, in particular from unauthorised access to personal data.

Here, the CNIL outlined that SERGIC had not implemented an authentication procedure for users in relation to such access and that this was a basic security measure that should have been foreseen and implemented.

In addition, the company first became aware of the vulnerability of its website through a complaint that was directly addressed to it by one of its website’s user in early March 2018. The company had not remedied the situation, allowing the vulnerability to persist, and it was aware that a peak in activity was expected as of May due to the summer season. It was not until September 2018 that the security breach was finally corrected after CNIL investigations revealed that the problem persisted. However, as pointed out by the CNIL, emergency measures to remedy the security breach would not have been technically complex and time-consuming to implement: indeed, the files could have been moved to a temporary folder and URL filtering measures could have quickly and effectively prevented access to documents.

Finally, according to the CNIL, the breach of the security obligation was even more serious considering the nature of the personal data made available, including both identification data (surname, first name, contact details) and information likely to reveal very intimate aspects of individual’s lives, such as divorce judgments.

2. The CNIL also noted that the company had failed to comply with the data retention provision as set out in Article 5-1-(e) of the GDPR.

In the present case, the Restricted Committee noted that SERGIC “kept in an active database the personal data of applicants who did not access the rental for a period exceeding in significant proportions the period necessary to achieve the purpose of the processing, namely the allocation of housing, without any intermediate archiving solution in place“.

It recalled that, as a matter of principle, the storage period of personal data must be determined according to the purpose of the processing and that, when the said purpose is achieved, the data must be either deleted or placed in an intermediate storage if this is necessary to fulfil legal obligations or for pre-litigation and litigation purposes.

In setting the amount of the fine at €400,000, the CNIL took into account:

  • the seriousness of the breach;
  • the company’s lack of diligence in correcting the vulnerability; and
  • the categories of personal data concerned by the breach, since the data processed by the company in managing tenant applicants’ files included particularly intimate information about their private lives.

Our take

There appears to have been a serious security failing and therefore it is not surprising that the CNIL imposed a fine in these circumstances. It definitively marks the end of any “leniency period” that the CNIL may have been operating. It also underlines the importance of instituting defensible data retention policies for records and unstructured data sets containing personal data (and in particular sensitive data) and ensuring that the policies are executed.

For more information, please find the full decision (only in French) at the following link.

 

 

 

[1] CNIL, Deliberation No. SAN – 2019-001 of 21 January 2019 imposing a financial sanction against GOOGLE LLC.

[2] CNIL, Deliberation No. SAN – 2019-005 of 28 May 2019 imposing a financial sanction against SERGIC.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.