Tag: France

Ikea France on trial for spying on staff and customers

7. April 2021

Ikea’s French subsidiary and several of its former executives stood trial on Monday, March 22nd, after being sued by former employees on charges of violating privacy rights by surveilling the plaintiffs, job applicants and customers.

Trade unions reported the furniture and household goods company to French authorities in 2012, accusing it of fraudulently collecting personal data and disclosing it without authorization. The subsequent criminal investigation uncovered an extensive espionage system. According to French prosecutors, the company hired a surveillance company, private investigators and even a former military operative to illegally obtain confidential information about its existing and prospective employees as well as customers. The files received contained, inter alia, criminal records and bank statements. The system has been used for years, possibly even over a decade, to identify individuals who were particularly suspicious or working against the company.

After the case caused outrage in 2012, Ikea’s main parent company fired several executives at the French branch, including the former general manager. But the extensive activity in France has again raised questions about data breaches by the company.

At Monday’s trial an employee accused the company of abuse since it had wrongly suspected him of being a bank robber because its investigative system had found prior convictions of a bank robber with the same name. Others claimed the retailer had browsed through employees’ criminal records and used unauthorized data to reveal those driving expensive cars despite low incomes or unemployment benefits. Even an assistant director who had taken a year of medical leave to recover from hepatitis C was monitored to investigate whether she had faked the severity of her illness. Illicit background checks on hundreds of job applicants were also conducted. Moreover, the system was used to track down customers seeking refunds for mismanaged orders.

One of the defendants, the former head of Ikea France’s risk management department, has testified at the hearing that EUR 530.000 to 630.000 a year had been earmarked for such investigations. The former CEOs and Chief Financial Officer as well as store managers are also on trial. In addition, four police officers are accused of handing over confidential information from police files.

Ikea France said in a statement that it takes the protection of its employees’ and customers’ data very seriously. The company added that it adopted compliance and training procedures to prevent illegal activity and changed internal policies after the criminal investigation had been initiated. But at Monday’s hearing, Ikea France’s lawyers denied a system-wide surveillance. The case was also called “a fairy tale” invented by trade union activists.

The deputy prosecutor claimed, Ikea France had illegally monitored at least 400 people and used the information to its advantage. She is asking for a fine of EUR 2.000.000 against the company, prison sentences of at least one year for two former CEOs and a private investigator, as well as fines for some store managers and police officers. A total of 15 people have been charged. The company also faces potential claims for damages from civil lawsuits filed by unions and several employees.

The trial ended on April 2nd. A verdict by a panel of judges is scheduled for June 15th.

French Government seeks to disregard CJEU data retention of surveillance data ruling

9. March 2021

On March 3rd, POLITICO reported that the French government seeks to bypass the Court of Justice of the European Union’s (CJEU) ruling on limiting member states’ surveillance activities of phone and internet data, stating governments can only retain mass amounts of data when facing a “serious threat to national security”.

According to POLITICO, the French government has requested the country’s highest administrative court, the Council of State, to not follow the CJEU’s ruling in the matter.

Last year in October, the CJEU ruled that several national data retention rules were not compliant with EU law. This ruling included retention times set forth by the French government in matters of national security.

The French case in question opposes the government against digital rights NGOs La Quadrature du Net and Privacy International. After the CJEU’s ruling, it is now in the hands of the Council of State in France, which will have to decide on the matter.

A hearing date has not yet been decided, however POLITICO sources state that the French government is trying to bypass the CJEU’s ruling by presenting the argument of the ruling going against the country’s “constitutional identity”. This argument, first used back in 2006, is seldomly used, however can be referred to in order to avoid applying EU law at national level.

In addition, the French government accuses the CJEU to have ruled out of its competence, as matters of national security remain solely part of national competence.

The French government did not want to comment on the ongoing process, however has had a history of refusing to adopt EU court rulings into national law.

CNIL publishes model regulation on access control through biometric authentication at the workplace

9. April 2019

The French data protection authority CNIL has published a model regulation which regulates under which conditions devices for access control through biometric authentication may be introduced at the workplace.

Pursuant to Article 4 paragraph 14 of the General Data Protection Regulation (GDPR), biometric data are personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical processes, which enable or confirm the unambiguous identification of that natural person. According to Article 9 paragraph 4 GDPR, the member states of the European Union may introduce or maintain additional conditions, including restrictions, as far as the processing of biometric data is concerned.

The basic requirement under the model regulation is that the controller proves that biometric data processing is necessary. To this end, the controller must explain why the use of other means of identification or organisational and technical safeguards is not appropriate to achieve the required level of security.

Moreover, the choice of biometric types must be specifically explained and documented by the employer. This also includes the justification for the choice of one biometric feature over another. Processing must be carried out for the purpose of controlling access to premises classified by the company as restricted or of controlling access to computer devices and applications.

Furthermore, the model regulation of the CNIL describes which types of personal data may be collected, which storage periods and conditions apply and which specific technical and organisational measures must be taken to guarantee the security of personal data. In addition, CNIL states that before implementing data processing, the controller must always carry out an impact assessment and a risk assessment of the rights and freedoms of the individual. This risk assessment must be repeated every three years for updating purposes.

The data protection authority also points out that the model regulation does not exempt from compliance with the regulations of the GDPR, since it is not intended to replace its regulations, but to supplement or specify them.

CNIL fines Google for violation of GDPR

25. January 2019

On 21st of January 2019, the French Data Protection Authority CNIL imposed a fine of € 50 Million on Google for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.

CNIL carried out online inspections in September 2018, analysing a user’s browsing pattern and the documents he could access.

The committee first noted that the information provided by Google is not easily accessible to a user. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are spread across multiple documents. The user receives relevant information only after carrying out several steps, sometimes up to six are required. According to this, the scheme selected by Google is not compatible with the General Data Protection Regulation (GDPR). In addition, the committee noted that some information was unclear and not comprehensive. It does not allow the user to fully understand the extent of the processing done by Google. Moreover, the purposes of the processing are described too generally and vaguely, as are the categories of data processed for these purposes. Finally, the user is not informed about the storage periods of some data.

Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.

This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.

Update: Meanwhile, Google has appealed, due to this a court must decide on the fine in the near future.

CNIL fines Telecom Operator

7. January 2019

The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.

BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.

In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.

Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.

Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.

As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.

France: Intelligence agency officer caught selling sensitive police data

9. October 2018

A massive case of misuse of confidential data from security authority surveillance systems has been uncovered in France. After the French customs tracked down an illegal marketplace called “Black Hand” in June, the investigators also found data that was sold by an anonymous user called “Haurus”. Haurus sold for example confidential documents and information from national police databases.

Meanwhile the investigators gleaned the identity of the hacker with the help of specific codes attached to the data. According to French newspaper “Le Parisien”, Haurus is an officer at the “Direction générale de la sécurité intérieure” (DGSI), a French intelligence agency. The DGSI is normally in charge of counter-terrorism, countering cyber-crime and surveillance of potentially threatening groups and organisations.

According to the reports, the agent offered services in exchange for bitcoin. For example, he advertised to track the location of buyer’s gang rivals or spouses based on the telephone number or he offered to tell them, if the French police tracked them. The investigators believe that he used the resources, which the French police uses to track criminals.

Haurus was arrested at the end of September and faces up to seven years in prison and a fine up to 100.000€.

Category: Cyber security · EU
Tags: ,

The French Constitutional Council ruled in favour of the new data protection law implementing the EU General Data Protection Regulation

20. June 2018

The Senators referred the recently adopted data protection law to the Constitutional Council (‘Conseil Constitutionnel’) to prevent its promulgation on time for the General Data Protection Regulation (GDPR) to enter into force on last May 25. Now that the law has overcome the constitutional obstacle, it is expected to be promulgated in the next days.

The decision of the Constitutional Council (Décision n° 2018-765 DC) on June 12 demonstrates that the senators questioned the constitutionality of a number of Articles, e.g. 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.

Initially, the validity of universal law was weighed against the objective of constitutionality in terms of legislative accessibility and intelligibility. The senators argued that the implementation with the provisions of the GDPR was not clear and could “seriously mislead” citizens about their rights and obligations with regard to data protection.
The Council did not endorse this reasoning, stating that the law was readable and that Article 32 of the law referred to actually empowered the Government to take the measures required “in order to make the formal corrections and adaptations necessary to simplify and ensure consistency and simplicity in the implementation by the persons concerned of the provisions bringing national law into compliance” with the General Data Protection Regulation.

Furthermore, the constitutionality of most of the above-mentioned Articles was established. Nonetheless, Article 13 of the law amends Article 9 of the current law, according to which personal data relating to criminal convictions and offences or related security measures may only be processed “under the control of an official authority” or by certain categories of persons listed in the law. However, according to the Council, it is only a reproduction of Article 10 of the GDPR, without specifying the categories of persons authorised to process such data under the control of the authority, or the purposes of such processing. The words “under the control of the official authority” are not specific enough and therefore unconstitutional. This terminology will not be found in the promulgated law.

For France this symbolises a major step forward to join the small circle of European countries that have succeeded in implementing the GDPR at a national level.

Uber must pay a total over $1 million

14. June 2016

Accoring to the New York Times, Uber was fined €800,000, about $900,000, plus court fees, which adds to a total over $1 million, for running an illegal transport service and breaking privacy laws in France.

Half of those sanctions that Uber has to pay are “suspended sentences,” which means that Uber only needs to pay 50 percent of the fines as long as there are no further breaches of the law.

On top of that, Uber’s EMEA director Pierre-Dimitri Gore-Coty and Thibaud Simphal, the French company’s boss, were fined €30,000, about $34,000, and €20,000, about $22,500. The two men were detained for questioning by French authorities a year ago.

 

Category: General
Tags: , ,