Category: French DPA
27. December 2018
Uber’s major data breach of 2016 still has consequences as it has also been addressed by the French Data Protection Authority “CNIL”.
As reported in November 2017 and September 2018, the company had tried to hide that personal data of 50 million Uber customers had been stolen and chose to pay the hackers instead of disclosing the incident to the public.
1,4 million French customers were affected as well which is why the CNIL has now fined Uber 400K Euros (next to the settlement with the US authorities amounting to $148 Million).
The CNIL came to find out that the breach could have been avoided by implementing certain basic security measures such as stronger authentication.
Great Britain and the Netherlands have also already imposed a fine totalling €1 million.
12. December 2018
Due to the GDPR and the new French data protection law (“loi Informatique et Libertés”), the French Data Protection Authority (“CNIL”) launched two draft standards (in French: référentiels) on November 29, 2018. One o these CNIL’s draft standards deals with the processing of personal data to manage business activities, the other with unpaid invoices.
Until January 11, 2019 the possibility to consult the CNIL on the two draft Referentials will be open to the public. According to the CNIL, the draft standards will afterwards be adopted by the CNIL in plenary session.
CNIL’s Draft Referential on Data Processing for Managing Business Activities represents an update to the CNIL’s Simplified Norm No. 48 on the management of customers and prospective customers. It provides a framework for the implementation of “customer” and “prospect” files. The Draft Referential is applicable to data processing activities carried out by any data controller, except the following: health or educational institutions, banking or similar institutions, insurance companies and operators subject to approval by the French Online Gambling Regulatory Authority.
CNIL’s second draft (Draft Referential on Data Processing for Managing Unpaid Invoices) intends to provide a framework regarding the processing of personal data for managing unpaid invoices by private or public law entities. It does not apply to the processing of customer data for detecting risks of non-payment, or to identify other infringements (such as incivilities shown by customers).
Adherence to these two standards will ensure that the processing of unpaid invoices and business activities comply with current data protection principles.
21. December 2017
The French National Data Protection Commission (CNIL) has found violations of the French Data Protection Act in the course of an investigation conducted in order to verify compliance of WhatsApps data Transfer to Facebook with legal requirements.
In 2016, WhatsApp had announced to transfer data to Facebook for the purpose of targeted advertising, security and business intelligence (technology-driven process for analyzing data and presenting actionable information to help executives, managers and other corporate end users make informed business decisions).
Immediately after the announcement, the Working Party 29 (an independent European advisory body on data protection and privacy, set up under Article 29 of Directive 95/46/EC; hereinafter referred to as „WP29“) asked the company to stop the data transfer for targeted advertising as French law doesn’t provide an adequate legal basis.
„While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the “business intelligence” purpose which aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior.“
In the wake of the request, WhatsApp had assured the CNIL that it does not process the data of French users for such purposes.
However, the CNIL currently not only came to the result that the users’ consent was not validly collected as it lacked two essential aspects of data protection law: specific function and free choice. But it also denies a legitimate interest when it comes to preserving fundamental rights of users based on the fact that the application cannot be used if the data subjects refuse to allow the processing.
WhatsApp has been asked to provide a sample of the French users’ data transferred to Facebook, but refused to do so because being located in die United States, „it considers that it is only subject to the legislation of this country.“
The inspecting CNIL thus has issued a formal notice to WhatsApp and again requested to comply with the requirements within one month and states:
„Should WhatsApp fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.“
13. December 2016
Peter Fleischer, a global privacy counsel, raised the question: „Should the balance between the right to free expression and the right to privacy be struck by each country?“
In basic terms, the right-to-be-forgotten is a right of every European citizen to demand the erasure of certain links from the internet. However, this can also be seen as cencorship and rewriting history, which is why there is a neverending debate upon this topic.
The French Data Protection Authority, CNIL, has demanded an ultimate right-to-be-forgotten, which would mean that French data could be demanded to be removed, for example from Google search, from all over the world.
The problem which might occur is that also non-democratic countries have to follow this rule in theory. One might argue that the internet can be seen as as an independent source of infromation that is now being endangered.
Google disagrees with the idea that the right-to-be-forgotten should also be applied upon the countries outside the Europe.
Google’s only confirmation is that it is acting in accordance with the local laws as well as within the standards set by the European Court. What is more, Google makes a promise to remove the respective links from all European Google versions simultaneously.
Nevertheless, it has also beeen pointed out that one still could have found a link on the non-European version of Google.
As a feedback Google has delisted links as well on Google.com, Google.co.kr and Google.com.mx.
24. October 2016
Since the ECJ established the right to be delisted from search engines (right to be forgotten) in 2014, Google has received numerous requests from individuals and organizations regarding the deletion of search results that contain their personal data which is not any more current, correct, relevant or which causes damages to the data subjects. The right to be forgotten refers to certain domains, such as co.uk; fr, de, es or nl.
However the French DPA requested Google to delete these results from all Google search domains (including .com). As Google did not fully comply with this request, the French DPA (CNIL) imposed Google a fine early this year.
As the French Highest Court has still to decide about this, Wikimedia, the parent company of Wikipedia, filed a petition in order to take part in the case and support Google France regarding the ongoing dispute about implementation of the “right to be forgotten”. Wikimedia’s legal counsel said in a statement that “no single nation should attempt to control what information the entire world may access”. Furthermore, she added that the application of the right to be forgotten involves the disappearance of several Wikimedia websites, which has an impact on the availability of knowledge.
Not only in France, but also in other jurisdictions is Google facing similar processes regarding the application of the right to be forgotten.
21. June 2016
In June 2016, a public consultation process about the GDPR was opened by the French DPA (CNIL). The consultation is based on the topics that the WP 29 identified as having priority in its action plan for the implementation of the GDPR, published beginning 2016.
The consultation aims at encouraging stakeholders to formulate questions regarding the GDPR in order to identify potential interpretation difficulties. Once the main questions and difficulties have been addressed, the WP 29 will issue guidelines regarding the relevant topics. The CNIL also offers the possibility to formulate questions about other topics, which are not directly mentioned in the consultation.
The main topics that are object of the current consultation are the institution of the DPO, Privacy Impact Assessments (PIA), data protection certifications and the right to data portability.
The consultation is opened until the 15th July 2016 and stakeholders can participate through the CNIL´s website. After that, the French DPA will publish a summary with the contributions.
29. March 2016
The French Data Protection Authority (“CNIL”) fines Google for data protection violation. In May 2014, the European Court of Justice had decided, that citizens could request search engines to delist inadequate or irrelevant web search results of themselves; the so-called “right-to-be-forgotten” was born.
The CNIL has now fined the US search engine 100.000 Euros over the right-to-be-forgotten, since Google just delisted web search results regionally, for instance only accross their European websites, such as google.fr and not also on the google.com website. By delisting web search results of a person only regionally, the data subject will practically not be able to exercise her/his right-to-be-forgotten efficiently. Search engines should instead delist search results from all their domains.
26. February 2016
In February 2016, the French DPA (CNIL), published a single decision (AU-046) addressed to cover data processing activities from public organisms and private organizations for the purpose of managing and enforcing court actions.
The CNIL states that corporations may process certain categories of personal data, such as criminal convictions, offences or security measures in this context, in order to defend their interests in court. Art. 25. I. 3° of the French Data Protection Act, regulates the processing of these categories of personal data, for which a prior authorization from the CNIL is required. Also the prevention of criminal offences falls under the scope of this article. However, this article does not apply if the offences and criminal convictions are not related to the criminal sphere.
The AU-046 aims at accelerating and simplifying the process to obtain CNIL´s authorization for the processing of these personal data categories. The scope of application of this authorization is the processing related to offenses, convictions and security measures to prepare, perform and follow disciplinary action or judicial proceedings and, if necessary, to enforce the decision.
This authorization concerns all sectors and all types of litigation.
12. February 2016
On the 8th February, the French DPA (CNIL) announced that it issued a formal notice in which it gives Facebook Inc. and Facebook Ireland Limited 3 months to comply with the French Data Protection Act.
After Facebook informed about changes in its privacy policy at the beginning of 2015, a group formed by the French, the Belgian, the Dutch, the Spanish and the DPA of the German Federal State of Hamburg carried out online and on site audits in order to find out if the updated privacy policy is compliant with the respective data protection legislations.
These audits revealed several incompliances with the French Data Protection Act regarding Facebook´s data processing activities:
- Facebook collects data of internet users that do not have a Facebook account by using cookies when these users visit a public Facebook page, such as public events or the page of a friend. As a result, the cookie provides Facebook with information about third-party websites with Facebook plug-in buttons, such as “like” button, that are visited by the user.
- Sensitive data such as religious beliefs or sexual orientation are also processed by Facebook without prior explicit consent of the account holders.
- Users are not informed in the sign up page about their rights as data subjects and the processing of their personal data.
- Cookies are also set up in the Facebook website without informing users properly and obtaining their consent.
- The company does not provide its users with tools to opt-out targeted advertising.
- Data transfers to U.S. take place on the basis of the Safe Harbor Decision, although it was declared invalid by the ECJ in October 2015.
According to CNIL, this formal notice is not a sanction. However, if Facebook fails to rectify these incompliances within 3 months, the matter will be referred to the CNIL´s Select Committee in order to impose the corresponding sanction.
These findings are also being analyzed by the Belgian, the Dutch, the Spanish and the the DPA of the German Federal State of Hamburg within a cooperation framework in order to act accordingly.
