French Data Protection Authority Confirms Enforcement Trend on Security Obligations for Data Controllers
The Situation: Even before the General Data Protection Regulation ("GDPR") became effective on May 25, there has been a noticeable trend in the enforcement of security obligations through increased sanctions.
The Development: The French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL") issued a pecuniary sanction against optical provider Optical Center for a security breach affecting the company's e-commerce website.
Looking Ahead: Especially now that GDPR has taken effect, it is important for controllers and processors to confirm that they have robust security policies and procedures in place.
In a decision dated May 7, 2018, the CNIL issued a pecuniary sanction of €250,000 against optical provider Optical Center for a security breach affecting the company's e‑commerce website. Although the decision was taken before May 25, when the GDPR became effective, this decision confirms a trend in the enforcement of security obligations through increased sanctions, as already evidenced earlier this year in the CNIL's decision against a household appliance distributor.
In spite of the company reacting swiftly to correct the anomaly as soon as it became aware of it, the CNIL considered that "elementary security measures" had not been implemented on the website, and thus found that Optical Center had breached its security obligations in relation to its customers' personal data.
The CNIL had been able to access documents stored on customers' accounts, such as customers' invoices and order history, on the company's e-commerce website. The documents the CNIL was able to access also included health information contained in prescriptions uploaded by customers, as well as social security numbers. The website did not contain an authentication system allowing it to restrict access to documents to a specific customer, and customers' accounts could be accessed merely by changing urls.
The CNIL noted that communications with the company's supplier regarding new website features had remained informal. This resulted in Optical Center, as data controller, lacking visibility on its supplier's actions, corrections or recommendations, including in terms of security measures.
Based on the CNIL's reasoning detailed in the decision, the following minimal security measures should have been applied on the website:
- Implement access control features allowing the company to verify that a user is authenticated prior to giving a user access to personal documents;
- Conduct security audits on the website, including to test access control features;
- Formalize communications with suppliers regarding website development, corrections, and recommendations, including in terms of security;
- Describe the testing procedures to be applied prior to launching new features or updates, and document that the testing procedures have been followed in each case (e.g., through a formal acceptance form).
By issuing a sanction without providing prior formal notice, the CNIL used its new sanctioning powers granted under Article 45 of the French Data Protection Act as modified by the Act for a Digital Republic of October 7, 2016. The provision allows for direct sanctions without prior formal notice when the violation is such that it could not have been corrected in the context of formal notice—similar to what is now applicable under the GDPR.
The CNIL ordered that the additional sanction of publicity of the decision be applied, in spite of the company's arguments that the security violation was not intentional, that the company had not derived any advantage from it, that there was no evidence that anyone but the CNIL's investigation teams had found the breach, and that no harm seemed to have been caused to the data subjects concerned.
With the increase in sanctions under the GDPR, this decision confirms that controllers and processors ought to check that they have robust security policies and procedures in place, including in terms of restrictions on suppliers involved in setting up data processing tools. Under the GDPR, sanctions for breaches relating to security obligations occurring since May 25 are set to a maximum of €10 million or two percent of a company's worldwide annual turnover for the preceding year.
Given the current trends and the recent increase in regulations under GDPR, companies need to ensure they have robust plans and procedures to protect consumer data. Breaches to security obligations will be met with financially significant sanctions.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Undine von Diemar
Daniel J. McLoon
Mauricio F. Paez
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.