Tag: France

CNIL fines Google for violation of GDPR

25. January 2019

On 21st of January 2019, the French Data Protection Authority CNIL imposed a fine of € 50 Million on Google for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.

CNIL carried out online inspections in September 2018, analysing a user’s browsing pattern and the documents he could access.

The committee first noted that the information provided by Google is not easily accessible to a user. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are spread across multiple documents. The user receives relevant information only after carrying out several steps, sometimes up to six are required. According to this, the scheme selected by Google is not compatible with the General Data Protection Regulation (GDPR). In addition, the committee noted that some information was unclear and not comprehensive. It does not allow the user to fully understand the extent of the processing done by Google. Moreover, the purposes of the processing are described too generally and vaguely, as are the categories of data processed for these purposes. Finally, the user is not informed about the storage periods of some data.

Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.

This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.

Update: Meanwhile, Google has appealed, due to this a court must decide on the fine in the near future.

CNIL fines Telecom Operator

7. January 2019

The French Data Protection Authority CNIL imposed a fine of €250.000,00 on telecom operator BOUYGUES TELECOM for not taking required security measures to protect the personal data of its clients.

BOUYGUES TELECOM offered their clients an option to create a profile on their webpage to have easier access to their contract details and telephone bills.

In March 2018, CNIL was informed that a lack of security measures gave free access to personal data of clients of B&You, a subsidiary company of BOUYGUES TELECOM. Each profile had its own URL address, which involved the first and last name of the client. Just by exchanging the name in the URL address, one gained free access to first and last name, date of birth, e-mail address, address and phone number as well as contracts and bills. The violation of data security went on for two years and had an impact on over two million clients.

Shortly after CNIL was informed, BOUYGUES TELECOM notified the data breach to CNIL. The company explained that the incident occurred after the computer code, which depends on user authentication, was deactivated for a test phase, but was forgotten to be re-activated after completion of the test phase. After noticing the data breach, the company quickly blocked the access to the personal data.

Nevertheless, CNIL stated that the company failed to protect the personal data of its clients and violated its obligation to take all required security measures, especially as appropriate measures would have revealed the data breach earlier.

As the incident occurred before the legal validity of GDPR, CNIL decided to impose a fine of €250.000,00 on BOUYGUES TELECOM.

France: Intelligence agency officer caught selling sensitive police data

9. October 2018

A massive case of misuse of confidential data from security authority surveillance systems has been uncovered in France. After the French customs tracked down an illegal marketplace called “Black Hand” in June, the investigators also found data that was sold by an anonymous user called “Haurus”. Haurus sold for example confidential documents and information from national police databases.

Meanwhile the investigators gleaned the identity of the hacker with the help of specific codes attached to the data. According to French newspaper “Le Parisien”, Haurus is an officer at the “Direction générale de la sécurité intérieure” (DGSI), a French intelligence agency. The DGSI is normally in charge of counter-terrorism, countering cyber-crime and surveillance of potentially threatening groups and organisations.

According to the reports, the agent offered services in exchange for bitcoin. For example, he advertised to track the location of buyer’s gang rivals or spouses based on the telephone number or he offered to tell them, if the French police tracked them. The investigators believe that he used the resources, which the French police uses to track criminals.

Haurus was arrested at the end of September and faces up to seven years in prison and a fine up to 100.000€.

Category: Cyber security · EU
Tags: ,

The French Constitutional Council ruled in favour of the new data protection law implementing the EU General Data Protection Regulation

20. June 2018

The Senators referred the recently adopted data protection law to the Constitutional Council (‘Conseil Constitutionnel’) to prevent its promulgation on time for the General Data Protection Regulation (GDPR) to enter into force on last May 25. Now that the law has overcome the constitutional obstacle, it is expected to be promulgated in the next days.

The decision of the Constitutional Council (Décision n° 2018-765 DC) on June 12 demonstrates that the senators questioned the constitutionality of a number of Articles, e.g. 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.

Initially, the validity of universal law was weighed against the objective of constitutionality in terms of legislative accessibility and intelligibility. The senators argued that the implementation with the provisions of the GDPR was not clear and could “seriously mislead” citizens about their rights and obligations with regard to data protection.
The Council did not endorse this reasoning, stating that the law was readable and that Article 32 of the law referred to actually empowered the Government to take the measures required “in order to make the formal corrections and adaptations necessary to simplify and ensure consistency and simplicity in the implementation by the persons concerned of the provisions bringing national law into compliance” with the General Data Protection Regulation.

Furthermore, the constitutionality of most of the above-mentioned Articles was established. Nonetheless, Article 13 of the law amends Article 9 of the current law, according to which personal data relating to criminal convictions and offences or related security measures may only be processed “under the control of an official authority” or by certain categories of persons listed in the law. However, according to the Council, it is only a reproduction of Article 10 of the GDPR, without specifying the categories of persons authorised to process such data under the control of the authority, or the purposes of such processing. The words “under the control of the official authority” are not specific enough and therefore unconstitutional. This terminology will not be found in the promulgated law.

For France this symbolises a major step forward to join the small circle of European countries that have succeeded in implementing the GDPR at a national level.

Uber must pay a total over $1 million

14. June 2016

Accoring to the New York Times, Uber was fined €800,000, about $900,000, plus court fees, which adds to a total over $1 million, for running an illegal transport service and breaking privacy laws in France.

Half of those sanctions that Uber has to pay are “suspended sentences,” which means that Uber only needs to pay 50 percent of the fines as long as there are no further breaches of the law.

On top of that, Uber’s EMEA director Pierre-Dimitri Gore-Coty and Thibaud Simphal, the French company’s boss, were fined €30,000, about $34,000, and €20,000, about $22,500. The two men were detained for questioning by French authorities a year ago.

 

Category: General
Tags: , ,