The French Conseil d’Etat has just ruled on the CNIL’s sanction against the company Optical Center dated May 7, 2018 (see our news item of 07/05/18 on https://www.ip-talk.com/en/accueil/rgpd/, “CNIL – Conviction for Optical Center: 250K€”). On 28 July 2017, it was reported to the CNIL that personal data had been made freely accessible on Optical Center’s website.
By way of an online inspection on 31 July 2017, the CNIL observed a deficiency in the website’s online ordering system: in particular, it was possible to access hundreds of customer invoices containing personal data (surname, first name, postal address, health data and, in some cases, date of birth and social security number).
On 2 August 2017, Optical Center declared that the security deficiency had been fixed with the help of its security provider. The CNIL confirmed this during an on-site control on 9 August 2017 (a function had been added to secure access to customer accounts and the personal data they contain).
Despite Optical Center’s active collaboration in fixing this vulnerability, the CNIL issued a 250K€ penalty and ordered the publication of its decision because:
- the data made accessible were particularly sensitive, and both a considerable volume of data (over 300 000 documents) and a large number of customers were affected;
- restricting access to the documents held in private customer areas is an essential security measure;
- the company was already aware of the risks relating to IT security, having been sanctioned in 2015 (50K€).
By way of an application filed on 25 July 2018, Optical Center challenged this decision and asked the Conseil d’Etat to quash the decision as regards the fine and its publication (or, alternatively, to reduce the fine), to close the proceedings in light of the disputed site’s compliance, and to order the CNIL to pay 6K€ under Article L761-1 of the French Code of Administrative Justice.
Optical Center argues in particular that it became compliant on 2 August 2017, only 5 days after the report was received and 2 days after the CNIL’s online inspection. The CNIL, for its part, justifies its decision by stating that sufficient security precautions could have been put in place before the website was launched so as to avoid any personal data breach on the part of the data controller; failing to do so is in itself a breach of the controller’s obligations.
Even if the Conseil d’Etat finds that, by imposing a monetary penalty of 250K€ on Optical Center, the CNIL failed to take into account the swiftness with which Optical Center took corrective measures to remedy the aforementioned breaches, and therefore agrees to reduce the fine, the penalty drops by a mere 50K€, to 200K€, which remains a considerable amount.
What should be taken away from this case:
The key criteria for the CNIL when deciding on sanctions are the nature, seriousness and duration of the breaches, together with the conduct of the data controller once the findings have been made.
Where a breach of the obligations relating to the security and confidentiality of data is observed during an online inspection by the CNIL, complying rapidly, even before the CNIL’s on-site control, does not preclude a hefty monetary penalty, even though the CNIL (judged too harsh in this case) must take into account the diligence shown in implementing the compliance measures.
Generally speaking, there will be no leniency if the breach could have been prevented by standard security measures, and companies must contractually require their subcontractors to demonstrate compliance with current standards and the state of the art in IT security.