GDPR: case law is becoming clearer!
The CNIL had already distinguished itself by imposing a record fine of 50 million euros on Google in January 2019 for failing to inform users adequately when setting up an Android device, a fine confirmed by the Council of State in June 2020.
Today, Carrefour France and Carrefour Banque have been fined 2,250,000 and 800,000 euros respectively by the French Data Protection Authority.
While the CNIL has already taken numerous enforcement actions since the GDPR came into force, the deliberation of November 18 tells us a little more about how it assesses violations of the law and the reasoning behind its decisions.
Triggers for an investigation
Generally speaking, the CNIL begins an investigation either following the filing of a complaint or a specific report, or on its own initiative as part of its monitoring missions.
In the latter case, the inspections are broader and target the controllers of a sector identified in advance.
The CNIL has thus defined in its control strategy for 2020 several priorities which are subject to more in-depth verifications: health data, geolocation for local services as well as cookies and other trackers.
In this case, the two companies Carrefour France and Carrefour Banque were the subject of an investigation following the filing of 15 complaints with the CNIL between June 2018 and April 2019.
These complaints concerned commercial prospecting practices and failure to respect the rights of access and erasure of data.
The CNIL carried out several online checks and on-site inspections at the companies' premises, and opened a formal investigation at the end of January 2019.
The adversarial procedure gave rise to several exchanges of observations between the company and the CNIL rapporteur, culminating in its official deliberation on November 18.
Reasons for the decision
The CNIL notes failures to comply with numerous articles of the GDPR:
- The obligation to inform individuals (Article 13 of the GDPR)
The information provided to individuals regarding the processing of their data was difficult to access, incomplete and buried in long texts on other topics.
The CNIL criticizes the use of overly vague terms: "The use, almost systematically (…), of terms such as 'these treatments include in particular, for one or more of the following reasons' or 'your data may be used' do not allow the persons concerned to fully understand the processing implemented."
- Cookies (article 82 of the Data Protection Act)
Upon arrival at the website, 39 cookies were set on every visitor's device before the visitor had any opportunity to accept or reject them.
Three of these cookies belonged to the Google Analytics solution and served to target advertising at Internet users.
The data of visitors to the Carrefour.fr website was therefore collected in breach of Article 82 of the Data Protection Act.
For more information on tracking internet users, the CNIL published an update to its guidelines on October 1st.
- Data retention period (article 5.1.e of the GDPR)
The CNIL considers that the retention period for customer data (4 years from the last activity) is excessive: a customer who has made no purchase from the company for several years should no longer be treated as an active customer.
The Commission refers to its doctrine on the subject which recommends a maximum retention period of three years: it cites the old simplified standard no. 48 relating to customer-prospect files and online sales, and its recent draft reference framework relating to the processing of personal data implemented for the purposes of managing commercial activities.
- Exercise of rights (Article 12 of the GDPR)
The procedure implemented by Carrefour France required proof of identity from requesters in circumstances where this was not necessary, since the customers' identity had already been established.
Furthermore, in several cases the time taken to handle requests exceeded the statutory deadline (one month under Article 12, extendable in complex cases).
- Respect for rights (Articles 15, 17 and 21 of the GDPR and Article L34-5 of the Postal and Electronic Communications Code)
The CNIL noted several cases in which complainants' requests for access, objection and erasure of data went unanswered.
- Obligation to process data fairly (Article 5 of the GDPR)
Certain data (postal address, telephone number, number of children) communicated when signing up online for a Carrefour credit card (Pass card) were transmitted to the Carrefour loyalty program, in contradiction with the information provided to the persons concerned.
- Security breach (Article 32 of the GDPR)
Finally, the CNIL noted a vulnerability allowing customer invoices to be accessed online, and stresses that the measure put in place, namely appending a string of random characters to the URL, is not sufficient on its own to remedy such a vulnerability: a URL is not a secret, and anyone who obtains it (through browser history, a Referer header, proxy logs or a forwarded message) can retrieve the document.
The CNIL points out that the ANSSI has been warning about this type of URL-based vulnerability since 2013.
Mandatory authentication before any access to the invoices should have been put in place once the vulnerability was discovered.
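To make the CNIL's point concrete, here is an added example (not code from the CNIL decision or from Carrefour's systems) modelling an invoice download endpoint two ways: the "obscure URL" approach, where possession of a random token in the URL is the only control, and a hardened version that first authenticates the requester and then checks that the invoice belongs to that customer. The invoices, customers, tokens and session cookies are all constructed for the example; the host name shop.example is hypothetical.

```python
"""
Invoice download endpoint modelled two ways: the random-token URL that the
CNIL found insufficient on its own, and a version gated behind authentication
plus an ownership check. All data below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse, parse_qs
import hmac
import secrets


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: str
    amount_eur: float


# Constructed sample invoices (hypothetical customers and amounts).
INVOICES = {
    1001: Invoice(1001, "cust-A", 42.90),
    1002: Invoice(1002, "cust-B", 137.50),
}

# Per-invoice random tokens, as a site might append to a download URL.
# Generated at import time, so the "secret" URLs differ on every run.
URL_TOKENS = {inv_id: secrets.token_urlsafe(16) for inv_id in INVOICES}

# Constructed session store: session cookie value -> authenticated customer.
SESSIONS = {
    "sess-A-3f9c": "cust-A",
    "sess-B-7d21": "cust-B",
}


def _invoice_id_from(url: str) -> Optional[int]:
    """Extract the numeric id from .../invoices/<id>; None if malformed."""
    try:
        return int(urlparse(url).path.rsplit("/", 1)[-1])
    except ValueError:
        return None


def vulnerable_get_invoice(url: str) -> Optional[Invoice]:
    """Security through obscurity: whoever holds the URL gets the invoice.

    No login is required, so the token leaks with the URL itself (browser
    history, Referer headers, proxy logs, a forwarded e-mail) and the
    invoice becomes readable by anyone, not just its owner.
    """
    inv_id = _invoice_id_from(url)
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    expected = URL_TOKENS.get(inv_id)
    if expected is None or not hmac.compare_digest(token, expected):
        return None
    return INVOICES[inv_id]


def hardened_get_invoice(url: str, session_cookie: Optional[str]) -> Optional[Invoice]:
    """Authenticate first, then enforce ownership; the URL alone is never enough.

    A missing session, an unknown invoice and another customer's invoice all
    yield the same None, so the endpoint does not reveal which ids exist.
    """
    customer_id = SESSIONS.get(session_cookie or "")
    if customer_id is None:
        return None  # not authenticated: a real app would redirect to login
    inv_id = _invoice_id_from(url)
    invoice = INVOICES.get(inv_id)
    if invoice is None or invoice.customer_id != customer_id:
        return None  # direct object reference blocked: same answer as "not found"
    return invoice


def invoice_url(inv_id: int) -> str:
    """Build the token-bearing download URL a site might e-mail to a customer."""
    return f"https://shop.example/invoices/{inv_id}?token={URL_TOKENS[inv_id]}"


if __name__ == "__main__":
    leaked = invoice_url(1002)  # imagine this URL ended up in a Referer header
    print("vulnerable, no login:", vulnerable_get_invoice(leaked))
    print("hardened, no session:", hardened_get_invoice(leaked, None))
    print("hardened, other customer:", hardened_get_invoice(leaked, "sess-A-3f9c"))
    print("hardened, owner:", hardened_get_invoice(leaked, "sess-B-7d21"))
```

The random token may still be kept in the hardened design as a defence against id enumeration, but it never replaces the session check: the decision that matters is made against the authenticated identity, not against what the client knows.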
Compliance efforts and appropriate sanctions
The companies cooperated with the CNIL during the procedure and took all necessary measures to bring their data processing into compliance with the law.
While the CNIL highlights this cooperation, it nonetheless sanctions those responsible, due to the seriousness of the violations: these concern serious failings and affect a significant number of people.
However, we are still far from the maximum penalty that the CNIL could have imposed, namely 4% of worldwide annual turnover.
To determine the turnover that serves as the basis for the fine, the CNIL first identifies the undertaking concerned.
It considers that, in order to assess the concept of an undertaking in accordance with Articles 101 and 102 of the TFEU, it is appropriate to take into account the turnover achieved by the company CARREFOUR FRANCE and by the subsidiaries which it owns and which have benefited from the processing.
The turnover of this company (…) thus amounts to 14.9 billion euros in 2019.
The CNIL's restricted committee, however, also takes into consideration the specific nature of the economic model of mass retail, characterized by particularly high turnover but low margins.
These elements led it to decide on a fine of 2,250,000 euros against Carrefour France and 800,000 euros concerning Carrefour Banque.
The seriousness of the breaches also justifies publication of the decision, which serves as a means of informing the many people concerned.
Remedies
The CNIL's decision constitutes an act of an administrative authority, subject to appeal before the Council of State within two months of its notification.
And also
France:
- The event organized by the CNIL on November 23 on the data portability is available online on the authority's website.
- In order to raise awareness among municipalities and inter-municipal bodies of the (very real) risks of cyber attacks, ANSSI has published a guide to cybersecurity issues. It aims to convince elected officials to invest in protecting their information systems.
Europe:
- On 26 November the Belgian privacy authority concluded a cooperation protocol with DNS Belgium to suspend the ".be" domain names of sites in violation of the GDPR.
- Before January 8, the European Commission will decide on Google's acquisition of Fitbit, a transaction that raises questions in the areas of data protection and competition.
- The European Commission published its draft standard contractual clauses on 12 November, a draft open for comment for four weeks.
This revised version aims to remedy the consequences of the now famous Schrems II ruling, and to allow the data transfers to the United States in compliance with European law.
We also refer to the recommendations of the European Data Protection Board on the same subject, adopted on November 10.
- The Commission's proposal for the new European regulation on digital services (the Digital Services Act) is expected to be published in early December.
The Commission's objective is to regulate "big tech" while also enabling very small businesses and SMEs to develop their services, to hold digital players accountable and to combat online disinformation.
International :
- A new Canadian personal data protection bill has been introduced, providing for substantial fines for violations of its principles.
- United States: the California Privacy Rights Act (“CPRA”) was adopted on November 3.
This new text establishes a supervisory authority, the California Privacy Protection Agency, with the power to impose financial penalties.
It is the first supervisory authority dedicated to data protection in the United States.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.