What can we learn from the CNIL's first formal notices under the GDPR?

Since the GDPR came into force in May 2018, the CNIL has issued several decisions under the former law.

Their analysis highlights that the most frequent breaches concern:

  • the lawfulness of the personal data processing (data that is not minimized, diversion of purpose, lack of consent of the data subject),
  • the obligation to inform data subjects and the security obligation (data confidentiality).

In those cases, the CNIL set fines between €10K and €50K and allowed a deadline of 1 to 3 months to comply. Generally, the CNIL decides whether to make its decisions public according to the gravity of the breach, the number of people concerned and, with a pedagogic intent, the need to raise the awareness of those who process data.

The first decisions issued under the GDPR were therefore eagerly awaited. No public fines have yet been released that would show how the CNIL will apply the amounts the GDPR sets at 10 to 20 million € or 2% to 4% of turnover. However, the CNIL has published two formal notices full of practical, concrete information for companies implementing the GDPR.

Both cases concern the same type of processing and share multiple breaches, so it is interesting to analyze them jointly.

The SingleSpot and Vectaury cases – Cease-and-desist notices of 8 and 30 October 2018

The CNIL investigated the companies SINGLESPOT and VECTAURY, which use technologies that collect personal data via smartphones in order to run advertising campaigns on mobile devices. These companies use a technical component called an "SDK", which is integrated into the code of their partners' mobile apps and allows them to collect data from smartphone users (the phones' advertising ID, geolocation data) at fixed intervals (every 5 minutes) or according to the distance travelled (every 200 m), even when these apps are not running. These data are cross-referenced with points of interest determined by the partners (shops).

The purposes of these processing operations are the display of targeted advertising on people's smartphones, made possible by building a commercial profile and recording the locations they visited.

The CNIL detected several breaches and required the following measures within 3 months:

  • Effective collection of the consent of the users concerned
  • Implementation of security measures
  • Deletion of data unduly obtained.

Given the amount of data gathered (which justifies the publication of the formal notices: more than 14 million for SingleSpot and more than 47 million for Vectaury), it is obvious that the obligation to delete unduly gathered data will have a major impact on the companies' business model.

What can we learn from these decisions?

# The CNIL considers that the collection of geolocation data constitutes a particular risk for private life, because the data reveals people's daily routines.

# The CNIL retained several criteria to confirm the status of data controller, namely the determination of the purposes and means of the processing:

  • A prior declaration of the processing (if a company declares itself the controller, it is difficult to claim the contrary later)
  • Processing of personal data on its own account, enabling it to sell analysis or profiling services to its clients, the advertisers (if the data is exploited for a purpose that serves the company itself, it will not be considered a processor)
  • Integration of the data collected via the different advertisers' mobile apps into a single database (if the data had been collected in a separate database for each advertiser, the processing could have been judged as intended for the advertisers rather than for the company).

# To collect a valid consent and fulfil the information obligation, it is necessary to:

  • Provide the apps' users with sufficient information before the data is collected and processed (the presence of this information in the general terms of sale or the privacy policy is not enough): who the data controller is, which data is gathered and for which purposes
  • Not enable data collection by default
  • Allow the user to download the app without activating the "SDK" (thus without automatically collecting and transmitting their personal data) and to refuse the collection of certain data for certain purposes
  • Ask for (and obtain) consent for each of the different purposes (first the gathering of geolocation data for the app's own functionality, then the display of advertising, and finally the building of commercial profiles)

The CNIL recommends obtaining prior consent to the processing, for example by putting in place a pop-up containing sufficient information together with a dedicated tick box or a button expressing refusal.

# The lack of information given to data subjects automatically entails a breach of the obligation to allow the exercise of their rights: if processing is carried out without the data subjects being aware of it, they cannot exercise the rights provided for by the GDPR.

# A retention period proportionate to the purpose of the processing must be defined (the CNIL observed that the data were kept for several months after the end of the advertiser's project).

Here the CNIL recommends deleting the users' geolocation data that does not fall within these points of interest, once the matching between the geolocation data and the point-of-interest areas has been done. It also reminds us of the possibility of not deleting old data but transforming it into anonymous data.
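The two-step retention practice described above (match raw geolocation points against the advertisers' points of interest, then delete the raw points that matched nothing and keep only an anonymous aggregate) can be implemented as follows. This is an added example, not code from the CNIL, SingleSpot or Vectaury; the point-of-interest coordinates, the 100 m radius, the raw SDK records and the field layout are all constructed for illustration.

```python
import math

# Constructed sample: points of interest (shops) as (latitude, longitude).
POIS = {
    "shop_A": (48.8584, 2.2945),
    "shop_B": (48.8606, 2.3376),
}

# Constructed sample of raw SDK records: (advertising_id, timestamp, lat, lon).
RAW_POINTS = [
    ("adid-1", "2018-10-08T09:00:00", 48.8585, 2.2946),  # a few metres from shop_A
    ("adid-1", "2018-10-08T09:05:00", 48.8700, 2.3000),  # far from every POI
    ("adid-2", "2018-10-08T10:00:00", 48.8606, 2.3375),  # a few metres from shop_B
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 coordinates."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def match_points(points, pois, radius_m=100.0):
    """Split raw points into matched (adid, timestamp, poi) and unmatched records.

    The radius is an assumption; the notices only say the data are cross-referenced
    with the partners' points of interest.
    """
    matched, unmatched = [], []
    for adid, ts, lat, lon in points:
        hit = next(
            (name for name, (plat, plon) in pois.items()
             if haversine_m(lat, lon, plat, plon) <= radius_m),
            None,
        )
        if hit is None:
            unmatched.append((adid, ts, lat, lon))   # candidate for deletion
        else:
            matched.append((adid, ts, hit))
    return matched, unmatched


def anonymize_visits(matched):
    """Reduce matched records to per-POI visit counts with no identifier or timestamp.

    This aggregate is what can be kept once the raw, identifying points are deleted.
    """
    counts = {}
    for _adid, _ts, poi in matched:
        counts[poi] = counts.get(poi, 0) + 1
    return counts


if __name__ == "__main__":
    matched, to_delete = match_points(RAW_POINTS, POIS)
    print("matched:", matched)
    print("raw records to delete:", to_delete)
    print("anonymous aggregate to retain:", anonymize_visits(matched))
```

The deletion list is returned rather than acted on so that the caller can log the purge and apply it to the real store; the aggregate deliberately drops both the advertising ID and the timestamp, since either would make the visit re-identifiable.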

# Concerning the breach of the obligation to ensure security and confidentiality, the CNIL recommended that passwords be stored in encrypted form (for example, using the SHA256 algorithm) and that the admin account granting access to the data be subject to a strict password policy.

For accounts granting access to the database or to its administration platform, the following measures must be adopted:

  • The password must contain 12 characters, including at least one capital letter, one lower-case letter, digits and a special character
  • Or the password must contain 8 characters drawn from 3 of the 4 character categories (capital letters, lower-case letters, digits and special characters), together with a complementary measure such as a temporary delay after a failed password entry that increases with the number of wrong attempts, a tool preventing automated, high-volume submissions (captcha), and/or the blocking of the account after a few authentication failures (10 at most)
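The two password alternatives and the complementary anti-brute-force measures above can be checked in code. The following is an added example, not code from the CNIL or from the companies concerned: it treats the stated lengths (12 and 8) as minimums, uses a doubling delay capped at five minutes as one possible "increasing" delay schedule, and blocks the account at the tenth consecutive failure; the schedule and the cap are assumptions, the captcha step is left to the surrounding login flow.

```python
import string

SPECIALS = set(string.punctuation)


def character_categories(password: str) -> set:
    """Return which of the four categories (upper, lower, digit, special) occur."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch in SPECIALS or not ch.isalnum():   # punctuation, space, symbols
            cats.add("special")
    return cats


def password_meets_policy(password: str, complementary_measures: bool) -> bool:
    """Apply the two alternatives from the formal notices.

    12+ characters with all four categories is always acceptable; 8+ characters
    with three of the four categories is acceptable only when complementary
    measures (increasing delay, captcha and/or lockout) protect the login.
    Treating the lengths as minimums is an assumption.
    """
    cats = character_categories(password)
    if len(password) >= 12 and len(cats) == 4:
        return True
    if complementary_measures and len(password) >= 8 and len(cats) >= 3:
        return True
    return False


class LoginThrottle:
    """Per-account throttling: growing delay after each failure, lockout at max_failures."""

    def __init__(self, max_failures: int = 10, base_delay: float = 1.0,
                 max_delay: float = 300.0):
        self.max_failures = max_failures      # "10 at most" in the notices
        self.base_delay = base_delay          # assumption: 1 s after the first failure
        self.max_delay = max_delay            # assumption: cap the delay at 5 minutes
        self._failures = {}                   # account -> consecutive failures
        self._not_before = {}                 # account -> earliest accepted attempt time
        self._locked = set()

    def delay_after(self, failures: int) -> float:
        """Delay imposed after the n-th consecutive failure: 1 s, 2 s, 4 s, ... capped."""
        return min(self.base_delay * (2 ** (failures - 1)), self.max_delay)

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'ok', 'denied', 'throttled' or 'locked'.

        `now` is a monotonic timestamp in seconds supplied by the caller so the
        behaviour is testable without sleeping.
        """
        if account in self._locked:
            return "locked"
        if now < self._not_before.get(account, 0.0):
            return "throttled"        # refused before the password is even checked
        if password_ok:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked.add(account)
            return "locked"
        self._not_before[account] = now + self.delay_after(n)
        return "denied"


if __name__ == "__main__":
    # Constructed demo: one weak and one strong candidate password, then a few failures.
    print(password_meets_policy("Abcdefgh1", complementary_measures=False))   # False
    print(password_meets_policy("Abcdefgh1", complementary_measures=True))    # True
    throttle = LoginThrottle()
    for t in (0.0, 0.5, 1.0, 3.0):
        print(t, throttle.attempt("admin", False, now=t))
```

Unlocking a blocked account is deliberately not part of the class: the notices describe the block as the last line of defence, and restoring access should be an administrative action that is logged separately from the login path.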

To preserve data security, the CNIL reminds us that using real data in the development and test stages poses a risk to that data, notably in case of loss, unauthorized modification, error or access by unauthorized persons; not all development team members are allowed to know data coming from production, and where real data is not strictly required, it should be anonymized.

The CNIL also calls for the implementation of a policy separating the development and test environments from the production environment.

It is worth noting that the CNIL enriches its decisions with useful practical information for the proper application of the regulations, with examples that other actors processing personal data can apply directly.

The follow-up to these cases (sanction or closure) will be useful to gauge whether the CNIL tends toward a strict or a more flexible application of the GDPR, notably regarding the amounts of the fines.

To be kept informed about upcoming events and CNIL publications, follow our Newsfeed.

Charlotte Urman