GDPR News feed

07/24/2019 : USA – Facebook sentenced to an historical sanction for misleading its users about the confidentiality of their data >> 5 billion dollars (about 4.43 billion euros)

 The US competition authority, the Federal Trade Commission (FTC), has just imposed Facebook to pay $5 billion for violating the privacy of its users.

 Even though the United States has no federal legal framework in respect of personal data, this is the most severe sanction ever imposed for a personal data breach, far ahead of the £183 million that the British supervisory authority intends to impose on British Airways. This sanction is based on local consumer protection laws: Facebook’s personal data protection practices have been found misleading.

 The case began in 2012, when the FTC sued Facebook for misleading its users about the extent to which they could keep their personal data confidential. For instance, Facebook promised Internet users that they could choose to make their data accessible only to their “friends”, even though the applications used by these “friends” were authorized by the social network to access their information. A settlement agreement had been reached between the FTC and Facebook, under which the social network was to refrain from future consumers deception about the confidentiality of their data.

For the FTC, the social platform breached this agreement by giving access once again to third party companies, including Cambridge Analytica, to information that network users had said they did not want to share. Facebook has also made misleading statements about how it uses facial recognition, mobile phone numbers and other personal data of Internet users.

For instance, Facebook had stated in a privacy policy update dated 2018 that facial recognition was only used if the user enabled the option. However, for more than 10 million consumers, this function was turned on by default.

In addition, the social network offered its users to collect their telephone number in order to secure access to their account through double authentication, without informing them that this number would also be transmitted to advertisers for promotional purposes.

 As a result, and following a new settlement agreement with the FTC, Facebook will have to pay $5 billion to the U.S. Treasury. Beyond this financial sanction, which is relative compared to the company’s revenue of 55 billion in 2018, Facebook will have to comply with a monitoring program for the next 20 years.

 One of the provisions of this program is that CEO Mark Zuckerberg will no longer be the company’s privacy decision-maker. An independent committee of Facebook’s Board of Directors will be created to supervise decisions regarding Facebook’s privacy. In addition, Facebook will have to put an end to its misleading practices regarding the facial recognition and use of its users’ mobile phone numbers, by informing them in a transparent manner about how their data will be processed and by seeking their consent for advertising purposes. Facebook will also have to implement the strictest measures to ensure data security, including those collected through its subsidiaries, such as Instagram and WhatsApp.

The next few months will tell us if the FTC has achieved its goal of a major overhaul of Facebook’s often controversial privacy practices.


07/09/2019 – UK – ICO – The Marriott Group, in the sight of the British authority, is also facing a record fine >> over 99 million pounds (about 110 million euros)

 After British Airways, it is now the turn of the Marriott hotel group to be threatened with a record fine of several million euros, one year after revealing the massive theft of its customers’ data.

Origin of the investigation: in September 2018, Starwood Hotels (Marriot Group) revealed in a press release that they had been victims of massive piracy: data from 500 million customers worldwide, including EU nationals, would be involved: name, postal address, mobile phone number, e-mail address, passport number, account information, date of birth, gender, hotel arrival and departure information, even credit card data.

In November 2018, Marriott officially reported the incident to the ICO, which began a thorough investigation as lead authority on behalf of other European data protection authorities.

The facts: the ICO investigation reveals that the hacking was made possible by a computer security breach of the Starwood hotel group allegedly dating back to 2014. When Starwood was acquired by Marriott in 2016, the vulnerability had not been detected. 399 million files containing personal data were exposed.

ICO Statement: the British authority believes that Marriott is responsible for the data breach, for failing to take the necessary steps to secure Starwood’s system. The group should have assessed the reliability of the system when it acquired Starwood, and as a result, ICO intends to impose a fine of more than £99 million (approximately €110 million) on Marriott, which has however cooperated with the authority and improved from its IT security system. The group is invited to submit its comments in an attempt to reduce the sanction before the ICO makes its final decision.

Situation in the United States: it should also be noted that the group had been the subject of several complaints in the United States at the end of 2018, following the public disclosure of the violation of its customers’ data. Five American states are currently investigating piracy, so the ICO sanction will probably not be the only one facing the hotel group.


07/08/2019 – UK – ICO – British Airways threatened with a record fine of £183 million (approximately €204 million) for a data breach

Origin of the investigation: In September 2018, British Airways reported to the British Data Protection Authority that it had been the victim of a cyberattack following a computer breach that had led to the theft of its customers’ personal data. The company reveals that the data on 380,000 payment cards (card number, expiry date and security code) may have been stolen between late August and early September 2018. At the end of October, British Airways added that bank data from 185,000 other customers had also been stolen earlier, between April and July 2018.

Facts: Finally, the personal data of approximately 500,000 customers were compromised during the incident, including their connection, payment card and travel booking information, as well as their name and address. The ICO, acting as lead authority on behalf of other European data protection authorities, following a in-depth investigation, reveals that the incident was made possible by poor safety measures taken by British Airways.

ICO Statement: The UK authority has stated that it intends to impose a fine of £183 million (approximately €204 million) on British Airways, representing approximately 1.5% of the company’s worldwide turnover. This fine would be the largest ever imposed since the GDPR came into force.

The ICO must hear British Airways’ comments before making its final decision, knowing that the company could negotiate a less severe sanction thanks to its cooperation with the authority and the improvement of its safety provisions since the incident.


13/06/2019 – CNIL – UNIONTRAD COMPANY :  Translation company fined for excessive video surveillance of 9 employees >> 20K€

Facts: UNIONTRAD COMPANY provides certified and free translations of various documents (financial, legal and civil status translations).

Having received four complaints, the CNIL reminded the company of the rules governing the implementation of CCTV in the workplace and asked the company to provide them with additional information on this system. The company then confirmed that this system was designed to ensure the safety of people and property and not to monitor staff activities.

A few months later, after four new complaints alleging constant surveillance, the CNIL carried out an on-site inspection and observed the presence of three cameras on the company’s premises, one of which was installed in the translators’ office, which is not accessible to the public, and which made it possible to continuously view the workstations. The authority also found that no formal information has been provided to employees regarding this system, that the recordings are retained for a period which exceeds that required for the purpose of the processing operation and that the security and confidentiality of the data are not ensured when accessing computer workstations.

The CNIL gave a formal enforcement notice to the company with a 2 months compliance deadline in which they demanded the relocation of the camera in the translators’ office so as to avoid continuous filming, the application of a 15-day maximum retention period for recordings, that they inform employees of the cameras’ presence and that they implement security measures relative to accessing computer stations and for tracking access to the company inbox.

A few months later, the CNIL carried out a second on-site inspection which revealed that the company had not implemented the above-mentioned measures.

Principle of proportionality and collection necessary for the pursued purpose: The CNIL blames UNIONTRAD COMPANY for having failed to substantiate their decision to place their employees under permanent CCTV surveillance, which is particularly problematic from a security perspective. Indeed, several elements must be taken into account when installing such a system, namely the orientation, number, location, operating periods of the cameras or the nature of the tasks performed by the employees. The authority also criticizes the company for having been late to comply, although the formal enforcement notice set out the need to install a CCTV system that is proportionate to the pursued purposes.

Information for individuals: The CNIL noted that no formal information had been provided to employees regarding the new CCTV but the authority was informed that the company is committed to drafting an informative note. However, the CNIL blames the company for non-compliance with the compliance measures set out and for delays in taking action.

Obligation of security and confidentiality of data: The CNIL blames UNIONTRAD COMPANY for using a unique and shared identifier and password for all employees in order to access the company inbox as well as the access to computer workstations which is free of any authentication procedure. It also considers that compliance came too late in the process considering the seriousness of the alleged facts (more than a year after the first on-site inspection) and that no response has been given with regard to measures to ensure the traceability of access to the generic company inbox.

Penalty: A fine of €20K accompanied by the publication of the decision, which takes into account the multiple breaches, their persistence, their seriousness (in particular the disproportionate nature of the CCTV system) and the company’s lack of cooperation and diligence to remedy the breaches observed, despite numerous exchanges with the CNIL over the last number of years. However, the CNIL does take into account the measures taken by the company during the investigation and procedure in order to comply, as well as its size and financial capacity.

What should be taken out of this case: Before setting up a CCTV system on company premises, it is necessary to ensure proportionality relative to the pursued purpose. Therefore, unless there are specific exceptions, it is not tolerated to place employees under constant CCTV surveillance. Finally, the CNIL clearly considers that 15 days is a sufficient maximum retention period for video surveillance recordings. As with any processing of personal data, the individuals concerned must be sufficiently informed about the system that has been put in place. Once again, it is necessary to provide sufficient security for computer workstations and their access.


29/05/2019 – Belgium – APD – Mayor of a Flemish town convicted: 2K€

Origin of the investigation: Complaint to the APD concerning the use by a burgomaster (equivalent to the mayor in the UK) of data obtained during the performance of his duties for the purpose of a political campaign.

Facts: The plaintiffs had, via their architect, contacted the mayor of the municipality about a housing estate modification. In the architect’s e-mail to the mayor, the plaintiffs were all in the “Cc” section.

On the eve of the municipal elections of 14 October 2018, the mayor used the “reply” function to send an electoral message to all the plaintiffs.

Diversion of purpose: On 28 May 2019, both parties were heard by the APD’s Disputes Chamber which concluded that the mayor had indeed committed a breach of GDPR.

Indeed, the APD explains that data collected by a data controller must be collected for specified purposes and that the data must always be processed in such a way which is compatible with these said purposes.

In light of this, the use of e-mail addresses for the purpose of a political campaign when the same e-mail addresses were obtained as part of an urban planning project constitutes a clear violation of GDPRR. The APD explained that this final purpose principle is a crucial part of GDPR but also that “Compliance with GDPR applies to all data controllers, and most certainly to those with a public mandate. »

Penalty: 2K€ – first financial penalty under GDPR in Belgium. The fine remains fairly low due to the relatively small number of data subjects affected.

10/05/2019 – ICO – Her Majesty’s Revenue and Customs served with an enforcement notice

 Origin of the investigation: In January 2017, Her Majesty’s Revenue and Customs (HMRC) decided to implement a voice authentication (Voice ID) system on some of its helplines. The service allows HMRC to identify the caller by the means of their voice alone, which represents biometric data. “Big Brother Watch” issued a complaint to the ICO where they shared call transcripts detailing the experience faced by customers.

Facts: The transcripts shared by Big Brother Watch showed that customers were told that HMRC had a new way of verifying identity and asked to repeat “my voice is my password”. They were not instructed on where they could find further information regarding the service, nor were they given the possibility of not using the Voice ID service.

After collecting a considerable amount of biometric data, HMRC issued a privacy notice relative to the Voice ID service on 27 July 2018 and on the week of 8 October 2018 they made changes in which customers was given the option of signing up or not.

Despite these changes, HMRC had already collected the biometric data of 7 million customers without having obtained their valid consent. They have attempted to contact these customers in order to obtain their retrospective consent. Only 20% of these have responded, of which 260 551 have decided to withhold consent. HMRC has deleted the data of these individuals but still retains biometric data obtained without explicit consent belonging to 5.5 million customers.

Decision: The ICO has determined that HMRC has been contravening GDPR by illegally processing data, as they failed to obtain explicit consent from the data subjects.

The ICO also mention the significant imbalance of power between customers and the HMRC as an aggravating factor.

HMRC has 28 days (starting 9 May 2019) to comply with the following requirements.

  • Delete all biometric data for which no explicit consent has been given
  • Require all suppliers involved in the Voice ID system to delete all biometric data for which they do not have explicit consent.

Failing to do so, the HMRC exposes itself to a maximum fine of 20 million Euros or of 4% of their turnover.

What should be taken out of this case: It will be interesting to observe the extent to which HMRC take the necessary steps to become compliant during the set time-frame, bearing in mind that even the most important governmental organizations have to comply with GDPR, with the case at hand being of even greater significance due to the large volume of particularly sensitive (biometric) data processed.

07/05/2019 – ICO – PPI claims company fined for sending millions of unsolicited text messages: £120 000 (approximately 135K€)

 Note. Due to the timing of the incidents, GDPR was not yet applicable.

Origin of investigation: Over 1000 complaints were made via the GSMA’s 7726 service* and 96 complaints made directly to the ICO, all concerning Hall and Hanley Limited (H&H). An initial investigation letter was sent by the ICO to H&H on 12 July 2018.

Facts: H&H admitted to using the services of third parties, which on their behalf, sent 3 560 211 text messages between 1 January 2018 and 26 June 2018. It was later found that this was actually the number of messages received, whereas close to 5 million messages had actually been sent by third parties on behalf of H&H.

The third parties hired by H&H were responsible for obtaining the data (from 4 different websites) and consent of the individuals, before then sending the direct marketing messages; all on behalf of H&H.

Whilst H&H was not itself directly sending the messages, it was clearly the instigator of these via its hired third parties.

Decision: By instigating the transmission (therefore effectively acting as the data controller) of over 3 million unsolicited text messages for which no valid consent had been obtained between 1 January 2018 and 26 June 2018, H&H acted in contravention of PECR (the UK law derived from the EU’s ‘e-privacy directive’ 2002).

As the instigator of the messages, H&H was responsible for making sure that valid consent had been obtained by the third parties acting on the company’s behalf. 2 of the websites from which the phone numbers were obtained did not mention H&H at all, thereby preventing users from giving informed consent. The two other websites did mention H&H but did not allow users to specifically select which third parties they wished to be contacted by nor did it allow them to refuse all communication for third parties whilst still using the website, thereby preventing the users from giving free and specific consent.

The ICO also mentioned that promoting compliance with PECR was an underlying objective in their decision to issue a monetary penalty.

Penalty: £120 000 fine payable by 5 June 2019 at the latest which will be reduced to £96 000 if the payment is received by 4 June 2019

*the GSMA is a worldwide organization serving the interest of mobile phone operators. Its 7726 service allows mobile phone users to report unsolicited text messages.

17/04/2019 – Italy – Garante – First financial penalty in Italy under GDPR with the conviction of a subcontractor, a service provider for the political party “Movimiento 5 Stelle” (5-star movement): 50K€

The facts: Several websites of the Italian political party Movimiento 5 Stelle are managed by a subcontractor, the Rousseau platform. In 2017, following a data breach suffered by this platform, the Italian authority required from them :                                                                                                                               – the implementation of additional security measures                                                                                                    – and the updating of legal notices in order to improve the transparency of the processing operations that were being carried out.

During a follow-up inspection carried out in November 2018 by the Italian authority, the latter noted that the legal notices had been updated but that, contrary to what the authority had demanded, the security measures relative to GDPR had not been sufficiently implemented.

It is important to note that even though the procedure had started in 2017, the authority was able to sanction Rousseau under GDPR after the enforcement notice was issued after 25 May 2018. It is also important to note that the Garante considered it was not the controller Movimiento 5 Stelle that was responsible but rather the subcontractor Rousseau, with a fine of similar amount to that of those imposed on data controllers.

Penalty: 50K€ fine


16/04/2019 – ICO – Funeral planning company is handed an enforcement notice + fine for nuisance calls: £80 000 (approximately 90K€)

 Note. Due to the timing of the incidents, GDPR was not yet applicable.

Origin of the investigation: A national newspaper (‘Mail on Sunday’) published an article on 19 November 2017 reporting nuisance calls taking place at a call center in Cheshire run by the company Plan My Funeral Avalon Limited (they have since changed their name to Avalon Direct Limited (hereinafter ADL)). These calls were made mainly to elderly people in order to advertise the company’s services; funerals.

Facts: Upon enquiry with the company, ADL revealed they made a total of 5 413 396 calls between 1 March 2017 and 20 November 2017. It was also revealed that number which did not answer were then called again by a dialler system. ADL explained they had obtained the numbers from third party websites. Upon enquiry, these websites did not identify ADL clearly enough for them to have obtained valid consent.

The ICO then further investigated the calls that were made and found that 134 142 of the calls were successful. 51 917 of these calls were made to numbers registered with the TPS. The TPS is an organization set up by the ICO with which users can register their phone number so as to avoid receiving nuisance calls. Direct marketing companies are then legally bound to make sure they don’t call any number from the TPS list, apart from those which they have obtained valid consent from.

Decision: By making over 50 000 unsolicited calls to numbers registered on the TPS list, ADL acted in violation of PECR (the UK law derived from the EU ‘e-privacy directive’ of 2002). The ICO considers the company was completely aware of its obligations and therefore did so deliberately. The fact the calls were made to vulnerable people (elderly) is an aggravating factor.

Penalty: £80k fine payable by 15 May 2019 which will be reduced to £64k if the payment is received by 14 May 2019, and an enforcement notice giving ADL 35 days to make sure they stop calling numbers which belong to:

  • Individuals who have previously notified ADL they don’t want to be contacted
  • Individuals on the TPS list which haven’t given valid consent to ADL

11/04/2019 – ICO – Data broking of data relative to pregnant women and young parents for the purpose of direct marketing – Bounty fined £400 000 (approximately 450K€)

 Note. Due to the timing of the incidents, GDPR was not yet applicable.

Origin of the investigation: During an investigation into the non – compliant practices in the data brokerage industry, Bounty was identified as a major supplier of personal data to third parties for the purpose of direct marketing. Bounty is a company describing itself as a pregnancy and parenting support club. It provides sample “packages” to parents before and after birth, based on the parenting stage at which they are. They also supply a mobile app allowing future mothers to track their pregnancy. Finally, they operate a data broking service with which they provide hosted marketing on behalf of third parties and until 30 April 2018, supplied data to third parties for the purpose of electronic direct marketing.

Facts: As part of their registration process ( either their website, mobile App, “Mother-to-be pack offline claim cards or directly from new mothers at the hospital), Bounty collected personal data which included the following: full name, parents’ data of birth, e-mail address, postal address, postcode, pregnancy status, first time mum, name, gender and date of birth of the child. The mobile app also collected location data. The data was retained indefinitely unless a data subject made a written request asking otherwise.

Bounty told the ICO that from 1 June 2017 to 9 January 2018, it shared 34 267 889 individual data records belonging to 14 315 438 different individuals, with 39 different organizations.

Bounty’s privacy policy only mentioned that personal data would be shared with “carefully selected third parties” but failed to mention any specific names. A “names” list was then made available online on 9 January 2018 (but wasn’t accessible to people registering offline – claim cards, hospital). On 30 April 2018, Bounty ceased all sharing of personal data with third parties.

Decision:  The ICO has found that starting on 1 June 2017 and up until 9 January 2018 for subjects registering online and 30 April 2018 for those registering offline, Bounty did not process the data of the affected data subjects transparently and prevented them from giving their informed consent. Indeed, their lack of transparency with regard to whom the data was destined for made it impossible for the data subjects to give an informed consent.

Focusing on just the 4 main organizations with which Bountry shared data (namely Sky, Acxiom, Indicia and Equifax) the ICO found that Bounty illegally disclosed over 34 million personal data records.

The ICO is satisfied of the seriousness of this contravention because of the extremely large number of data subjects impacted (14 million individuals – unprecedented in ICO data broking investigations) and the fact their investigation only focused on a part of the data shared by Bounty (meaning the total number of impacted data subjects is potentially much higher). The ICO also believes Bounty’s actions were plainly deliberate as the communication between the company and the ICO show company management were aware of the breach and were planning measures to become compliant (these measures were not taken).

Penalty: £400 000 fine payable by 16 May 2019 at the latest which will be reduced to £320 000 pounds if payment is received by 15 May 2019.

10/04/2019 – ICO – True Vision Production fined for unlawful filming: £120K (approximately 135K€)

 Note. Due to the timing of the incidents, GDPR did not yet apply

Origin of investigation: Patients who were distressed by the fact they were being filmed inside examination rooms at Addenbroke’s hospital or who objected to the latter started complaining to the press around 29 November 2017. Filming ceased on 29 November 2017 and the ICO became aware of the issue.

Facts: For the purpose of a documentary focusing on still births, True Vision Production (hereinafter TVP) – a television production company – installed cameras in certain rooms of Clinic 23 of the Maternity Assessment Unit at Addenbroke’s, which is managed by the Cambridge University Hospitals NHS Foundation Trust (hereinafter “The Trust”).

Clinic 23 was especially meant for walk-patients whom were pregnant and were concerned with the wellbeing of their fetus. Because of this, the data captured by the cameras was of a particularly sensitive and personal nature.

Obligation to obtain consent: TVP didn’t directly and specifically inform patients they were being filmed (TVP staff were only present at the clinic 3 to 4 days per week). TVP did leave some filming notices and informative letter close to the cameras and in the waiting room area  but these didn’t explain how patents could avoid being filmed whilst still being examined by doctors (

there was no way to stop the cameras, if the patient did not wish to be filmed and the only room in clinic 23 which didn’t have a camera was already occupied, a carrier big would be placed over the camera). TVP assures no human beings had access to the footage and that whenever the latter didn’t concern a stillbirth or the data subject did not consent, the footage would be deleted after 3 days. A total of 1990 data subjects were affected from 24 July 2017 to 29 November 2017.

After the news was discussed in the press, TVP terminated filming on 29 November 2017 and re-started, this time with hand-held devices

Decision: Although TVP insisted no humans had access to the data, their methods still constitute the processing of personal data.

The ICO has determined the processing of data was illegal as no patient would expect there to be cameras in the examination rooms, especially when one hasn’t received a warning. Considering the stress and anxiety of the patients, relying on notices and generalized letters was insufficient to draw their attention. The ICO therefore confirms it is impossible for the patients to have given their “explicit consent” and is satisfied that the contravention is serious due to the nature of the personal data concerned and the number of subjects affected.

Penalty: A fine of £ 120 000 payable by 9 May 2019 at the latest which will be reduced to £96 000 if the payment is received by 8 May 2019.

05/04/2019 – ICO Former GP practice manager fined: £120 (approximately 135K€)

 Note. Due to the timing of the incidents, GDPR was not yet applicable

Origin of investigation: A member of the healthcare facility was, for reasons of business continuity, given access to Sadiq’s NHS account and noticed the breach, the surgery then reported it to the ICO.

Facts: On 3 November 2017, Shamim Sadiq is suspended from Hollybrook Medical Center in Littleover, Derby for unrelated reasons.

Meanwhile on the 4 November 2017, she had forwarded an e-mail from her NHS e-mail account to her personal e-mail account with no valid professional reason for doing so. The e-mail contained applications submitted for a vacancy at the medical center several months earlier and included personal data such as names, personal e-mail addresses, home addresses, national insurance number of the candidates as well as the personal data of their referees.

On the 5 November 2017, she receives an e-mail (on her NHS account) confirming her application to a new medical center.

Sadiq admitted to unlawfully accessing personal data.

Penalty: £120 fine, £364 in costs in addition to a victim surcharge of £30.

04/04/2019 – ICO – London Borough of Newham faces fine: £145 000 (approximately 160K€)

 Note. Due to the timing of the incidents, GDPR was not yet applicable

Origin of investigation: In the UK, the Metropolitan Police Service (MPS) compile and use a database of personal data concerning confirmed and suspected gang members. The database is called the Gangs Matrix.

Each database is unique to the MPS of each policing borough. In the London borough of Newham (hereinafter Newham), the MPS has recently become used to sharing their compiled database on a monthly basis with a task force working for Newham, the Young Offednders Team (YOT).

On 16 May 2017 however, a confirmed gang member informed his probation officer that he was now in possession of a picture showing a paper copy of the Newham Gangs Matrix. The photograph showed personal data belonging to approximately 50 alleged gang members.

After being informed of this leak and launching an investigation, it was the MPS which informed the ICO.

Facts: On 23 January 2017, the MPS sent an unredacted version of their updated gang matrix to the Newham council (home address, ethnicity and what they are allegedly known for were not in the redacted database).

On 26 January 2017, a Newham council employee forwarded the unredactedmatrix to 44 recipients, including members of the YOT, but also members of other partner organizations which have an information sharing agreement with Newham council. It was standard to forward data to these other organizations, but when this data was relevant to the YOT, the latter had to make sure the original provider had authorized the sharing of this given data specifically.

The employee shared the entirety of the database, which included personal data relative to 203 individuals.

In this case, it was found during the ICO’s investigation that the MPS had only authorized the sharing to a wider public of a redacted version (excluding certain personal information) of the database only. The MPS insisted on the fact the redacted version was created specifically for sharing the matrix without compromising the personal data of the individuals included.

It was then in May and September 2017 respectively that two gang members informed their probation officers that the matrix was being circulated. In the same year 2017, Newham witnessed a lot a gang-related violence in which many of the victims had appeared on the leaked gang matrix. In particular, a member of the leaked gang matrix was shot and killed on 4 September 2017.

Decision: The ICO did not draw any causal connection between the data breach and the violence, but did find that Newham, as a data controller, contravened the DPA. Specifically, it found that Newham failed to take the appropriate measures to prevent unauthorized or unlawful processing of personal data and accidental loss of personal data.

The ICO especially lamented the fact Newham distributed the unredacted database without a legitimate motive and that it had distributed it to an excessive number of recipients. Additionally, Newham had no written policies relative to the sharing of these particularly sensitive Gang Matrices.

Overall, the ICO considered the breach to be particularly flagrant in this case.

Penalty:  £ 145 000 payable until 8 May 2019 which will be reduced to £116 000 if payment is received on 7 May 2019.

April 2019 – Germany – Berlin – BbfDuI – Conviction of Europe’s largest fintech company, N26: €50k

Origin of the investigation: In 2018, a former customer of the mobile bank N26 discovered that the bank had retained their data when they were no longer a customer.

Facts: The investigation by the Berlin Data Protection Authority* revealed that N26 did indeed keep a “blacklist” containing the data of all its former customers. The bank did so to ensure that no former customers could re-subscribe.

The bank tried to justify itself by explaining that they were obliged to do so in order to comply with the anti-money laundering laws in Germany. More specifically, the mobile bank explained that it was obliged to take action against individuals suspected of money laundering, but that it was currently unable to differentiate “suspicious” ex-clients from those who were not.

Length of data retention: The bank tried to justify itself by explaining that they were obliged to do so in order to comply with the anti-money laundering laws in Germany. More specifically, the mobile bank explained that it was obliged to take action against individuals suspected of money laundering, but that it was currently unable to differentiate “suspicious” ex-clients from those who were not.

It therefore appears that in order to comply with the anti-money laundering regulations, N26 breached GDPR by classifying all its clients as “suspicious”.

The Berlin authority stated that data belonging to former customers should be deleted or – if the company was legally obliged to keep them – at least made inaccessible. The protection authority adds that only individuals actually suspected of money laundering or those for whom there are valid reasons to refuse the creation of a bank account can be included in such a “blacklist”.

Penalty: 50K € fine

*Note that in Germany, there is one authority for each Land (equivalent of a county in the UK). The German federal authority has no power over the decisions taken by the authorities of each Land, but only serves as a link between the 16 German authorities and the protection authorities of other countries (particularly other European countries since the entry into force of GDPR).

28/03/2019 – The CNIL publishes compulsory model Bylaws on biometric data in the workplace

The CNIL has adopted model bylaws, which will be compulsory for all employers setting up biometric access control systems for locations, applications and work tools.

We must remember that biometric data (fingerprints for example) are sensitive data for which the processing is in principle not allowed, with limited exceptions stated in article 9 of GDPR.

In virtue of the CNIL’s model bylaws, the employers which resort / would like to resort to biometric recognition systems with regards to their employees will have to demonstrate the following:

  • Limit their use to the purposes of accessing the premises, the equipment or work-related applications.
  • Justify and document the special circumstances which justify their resorting to this system rather than any other access control system
  • Be subjected to particularly rigorous security measures
  • Justify and document every one of their choices during the setting up of the system
  • Conduct an impact analysis to evaluate the risks relating to the rights and freedoms of individuals to identify them and if needed deal with them appropriately.

It is especially important to remember that the circumstances under which an employer may resort to processing biometric data are limited. The CNIL cites for example contexts involving the handling of particularly dangerous products or machines and accessing funds, objects of value or highly regulated products (psychotropic, chemical products being used for weapon fabrication).

It must also be noted that, as long as the conditions required to set up the system are met, the consent of employees need not be obtained.
The most delicate issue will undoubtedly be to demonstrate the existence of specific situations which justify the use of biometric data instead of any method of access control.

26/03/2019 – ICO – Kent pensions company receives fine: £40 000 (approximately 46K€)

 Note. Due to the timing of the incidents, GDPR was not yet applicable

Origin of investigation: The ICO was alerted of a potential issue concerning Grove Pension Solutions Limited (hereinafter Grove) by the Financial Conduct Authority, which shared their concerns regarding the company’s use of electronic mail for the purposes of direct marketing. The ICO then noticed that two complaints had been made via the ICO Online Reporting Tool regarding unsolicited e-mails promoting Grove. The ICO decided to launch an investigation on 2 October 2017.

Facts: Grove revealed that they had tasked a marketing intermediary with using third party email providers to conduct hosted marketing campaigns advertising Groves’ services. A total of 1,942 010 emails promoting the services of Grove were received by a variety of individuals. The e-mail providers allegedly obtained consent from the individuals via several websites. Upon verification, the name of Grove did not appear on the websites mentioned by the providers, meaning no valid consent could have been obtained.

Liability: The ICO found that Grove failed to obtain consent from the recipients of the marketing e-mails. This principle also applies to cases such as this one, where the company uses the services of third parties to send the e-mails. The ICO recognized Grove took some steps to ensure their marketing activity was within the law, but that the advice received was poor and that ultimately, it lies with Gove to ensure that the data processing complied with all regulation, as Grove remains the only one responsible for making sure they comply with the law.

Penalty: £40 000 pounds to be paid by 24 April 2019 at the latest, reduced to £32 000 if payment is received by 23 April 2019.

Decision to issue a monetary penalty:  The ICO stated that there were several mitigating factors which could have led to a lower penalty. However, the ICO revealed their objective in this case was to “promote compliance with regulations” and that the sending of unsolicited marketing e-mails is a cause for major public concern. They therefore decided to issue a monetary penalty as it would act as a deterrent against non-compliance with PECR and Grove had the necessary financial resources.

19/03/2019 – ICO – Vote Leave Limited found guilty of sending unlawful text messages: £ 40 000 (approximately 46K€)

 Note: Due to the timing of the incidents, GDPR was not yet applicable

Origin of investigation: The GSMA is a global organization representing the interests of mobile phone operators across the world. Users may report unsolicited marketing text messages to the GSMA’s Spam Reporting Service by simply forwarding the unsolicited messages. The ICO then has access to this data. Between the 1st January 2016 and the 23 June 2016 (during the build up to the UK’s EU referendum), the GSMA received 26 complaints regarding Vote Leave (the campaigning organization in favor of leaving the EU) related messages. Another 6 complaints were made directly to the ICO using the latter’s online reporting tool.

Facts: Although the ICO did not immediately identify Vote Leave as the instigator of these messages, the Commissioner quickly understood that the text messages promoted the aims of Vote Leave as they mostly contained a link to a website operated by Vote Leave themselves:

During the investigation, it was revealed a total of 196 154 text messages were delivered directly by Vote Leave during the period ranging from 1 January 2016 to 23 June 2016.

The ICO requested that Vote Leave provide evidence that the people whom received the messages had given their prior consent.

Obligation to obtain consent:

Vote Leave explained that:

– they had obtained the relevant data via forms on their website and from the participants of a football tournament

– they had deleted all the proofs of consent following the EU referendum. Their legal representatives were therefore unable to provide proof of consent for any of the 196 154 text messages sent by the political organization.

The ICO thus found that Vote Leave clearly contravened the obligation to obtain consent before sending electronic communication of any kind and should have being able to prove that the recipient to have clearly notified the sender that they consent to receiving messages instigated by the latter.

Penalty: £ 40 000 fine payable until 19 April 2019 at the latest, reduced to £ 32 000 if the penalty is received by the ICO before 18 April 2019, unless the decision is appealed by Vote Leave. This can seem rather lenient considering the ICO may impose fines going up to £ 500 000.

15/03/2019 – UK – ICO (Information Commissioner’s Office)/ 2 employees fined for personal data breaches: £1000 & £200

Note: Due to the date of the incidents, GDPR was not yet applicable.

In addition to data controllers, workers can also be sentenced for breaching data protection laws.

In two separate cases, the ICO, the English data protection authority, has just fined two employees.

The first one worked for the Heart of England NHS Foundation Trust (HEFT). She had access to personal data due to the nature of her job but the investigation showed she had accessed personal data which was not needed for her said job. This was a breach of English data protection law.

The second was employed by V12 Sports and Classics Ltd. Before resigning a few weeks later, she had forwarded several professional e-mails containing personal data belonging to clients and other employees to her personal e-mail. The judges considered she as well had breached English data protection law.

Penalty: A £1000 (approximately £1170) fine + £ 50 per victim + £590 prosecution costs for the 1st person.
A £200 (approximately £230) fine + £30 per victim + £590 prosecution costs for the 2nd person.
Data protection laws could be become an additional tool in the event of disputes between employers and workers!

12/03/2019 – UK – ICO (Information Commissioner’s Office) / Searches begin against companies suspected of conducting millions of nuisance calls

Following a year-long investigation, the ICO, the English data protection authority, has executed searched warrants in offices located in Brighton and Birmingham which are suspected of making millions of unsolicited calls (concerning subjects such as road traffic accidents or insurance for household goods) to both UK landlines and mobile phone numbers. Computers and documents were seized by the ICO’s enforcement officers.

Indeed, the ICO received over 600 complaints and the individuals contacted were:

  • unable to identify the person making the call
  • unable to opt out of the call list

Both are against the law.

In the field of direct marketing, the company must always give the individual concerned the possibility to refuse receiving any further calls and that his phone number be deleted from the database.

27/02/2019 – UK – ICO (Information Commissioner’s Ofice) / Sentencing of a former senior council officer: £660

Note. Due to the date of the incidents, GDPR was not yet applicable.

Following a one-year investigation, the ICO, the English data protection authority, has sentenced a former senior council officer for having illegally shared personal data.

The individual was employed at the Nuneaton and Bedworth District Council when his partner applied for an administrative position at the council. The senior officer did not take part in the selection process due to the nature of his relationship with the applicant. However, he did access the council’s recruitment platform and transferred the data belonging to nine shortlisted rival candidates to both his partner’s work and personal e-mail addresses. The data included the shortlisted candidates’ name, address, phone number, CV and the contact details of their referents.

Penalty: A £600 (approximately 771€) fine + £66 per victim. It is important to note that once the breach was uncovered, the individual resigned and his partner – whom had been hired – saw her employment terminated for obvious reasons.

25/02/2019 – CNIL / end of formal enforcement notice targeting the company Vectaury

Facts: The CNIL had given the company Vectaury a 3-month deadline to become compliant with regards to their methods of obtaining consent for which they had detected a major lack of prior information for the people affected by the processing of personal location data with the purpose of targeted advertising. They had also found that data collection was activated by default.

Measures taken to comply with the enforcement notice:

  • development of a banner that appears during the installation of mobile phone applications before the data collection, which allows user to give a free, specific, informed and positive consent with the following information: purpose of the processing (location targeted advertising), the identity of the data controllers (the geomarketing partners) made easily accessible via a link, the nature of the data collected (advertising ID of the phone and location data), the possibility to remove consent at any moment, the exercising of their rights (via a link).
  • absence of data collection in those cases where the users declines that their location data be used for the purpose of targeted advertising and possibility to continue using the application without any alteration to the quality of service provided
  • prior checking of consent validity by the entity transmitting the data and it is ensured that processing only takes places when the consent is valid

Penalty: None, considering Vectaury complied during the set legal time frame, the CNIL has ended this procedure with serving any penalty.

For more information on this case, view our feed of 30/10/2018.

02/12/2019 – TGI Paris – Google condemned for unfair clauses in the terms of use and privacy rules of the Google + social network >> 30K€ damages

Facts: The association “UFC que choisir” sued Google, claiming that the terms of use and privacy policy of Google + did not respect consumers’ privacy. In particular, the association criticised Google, for example, for providing only general information that does not allow the user to be fully aware of the purposes and extent of the use of his or her personal data, for seeking to dissuade users from opposing the systematic placement of cookies, for allowing themselves the possibility, in the absence of express consumer consent, to cross-reference all their data for its entire service offering and for providing that the sole use of Google’s services constitutes acceptance of the terms of use.

Submission to the Data Protection and Consumer Law: insofar as Google sells its users’ personal data to partner companies in exchange for the services it provides to them, these services cannot be considered as free. All the clauses of Google’s terms of use and privacy policy are therefore subject not only to the Data Protection Law but also to consumer law.

Sanction: 38 clauses are considered illegal or unfair and cancelled. However, at the time of the judgment, rendered 5 years after the start of the proceedings, these clauses were no longer included in Google’s terms and conditions. The company is also condemned to pay 30K€ in damages, to publish the judgment on the home page of its website and to pay 20K€ to the UFC, which will be used to reimburse its legal costs.

07/02/2019 – UK – ICO (Information Commissioner’ Office) / Magnacrest limited sentenced to a fine: £300

Note: Considering the data of the incidents, GDPR was not yet applicable

The rights of access for the data subjects is a fundamental right in terms of personal data which was born long before GDPR.

An individual attempted, on the 17/04/2017, to exercise his rights to access his personal data held by Magnacrest Limited, a housing developer. He received no response during the 40-day legal timeframe, and therefore filed a complaint to the ICO, the English data protection authority.

The ICO took charge of the case and served Magnacrest Limited with a formal enforcement notice to comply with its legal obligations and provide the individual with the requested information.

As the enforcement notice had no effect, the ICO issued a criminal prosecution against the company.

Penalty: A £300 fine (approximately 350€) + £30 per victim + £1133.75 in prosecution costs.

21/01/2019 – France – CNIL – Sentencing of Google LLC, 1st French fine under GDPR >> 50 million €

Facts:  The American company Google LLC processes personal data via its Android operating system and the services they provide in relation to the creation of a Google user account when configurating a mobile phone.

On the 25th and 28th May 2018, following the recent entering into force of GDPR, the Austrian non-profit organization None of Your Business(“NOYB”) and the French one La Quadrature du Net (“LQDN”) issued collective complaints to the CNIL, blaming Google for not having the required legal basis to process personal data of its users, especially in the purpose of targeted advertising.

Competence of the CNIL: The “one stop shop” mechanism set up by GDPR defines that an organization established within the EU must have a single point of contact; the leading data protection authority of the country in which its “main establishment” is located, which is then required to communicate with other national data protection authorities.

In this case, considering that at the time when the complaints were filed, Google Ireland did not have any decision-making power over the concerned data processing (with the Android operating system, during the creation of a user account when configurating a mobile phone), the European data protection authorities considered that the Google LLC did not have a main establishment in the EU. The CNIL, as well as the other national authorities in the EU being competent in this case.

Inspection method: In September 2018, the CNIL undertook an online inspection and analysis of both the user’s journey and document/information made available to them when creating a Google account as part of the mobile phone configuration under Android.

Obligation of transparency and information towards the people impacted: The CNIL has retained the difficulty of accessing the information meant for the people impacted, especially due to the fact that key information (purpose, length of data retention, data categories) is shown on several different documents and require numerous (5 or 6) actions from the user in order to reach them (enough to discourage the users…). The CNIL has also considered that the information made available

  • was lacking understandability for the user who could not be warned that the legal basis of the data processing was his consent (which he was not obliged to give) nor measure the extent and potential consequences of the processing carried out by Google (quantity and type of data that is processed, cross referencing of data by Google).
  • was too vague, especially concerning the purpose and nature of the impacted data
  • was not complete as the length of data retention was not systematically indicated

Obligation to obtain an informed, specific and unequivocal consent: Google stated they conducted their data processing on the legal basis of consent. However, the CNIL has considered their processing was illicit in the sense that the consent was not obtained in a way which, based on three criteria, was not compliant with the regulations:

  • the consent was not informed: this requirement is directly linked to the lack of information mentioned above: if the person concerned doesn’t have easy access to the information relating to the processing of data and if this information is too vague or incomplete, the person can obviously not give his consent in full knowledge
  • the consent was not unequivocal: this supposes that the user gives his consent by means of a positive action, whereas in this case the choice to view personalized adverts was ticked by default (the only possibility was to opt out).
  • the consent was not specific: this requires that the purposes be clearly defined (whereas here they were too vague) and that the user give his consent to each purpose separately instead of in a global manner such as a general statement of agreement, the same way in which the acceptance of Googles T&C’s took place.

Penalty: A 50 million euro fine (to be paid to the national treasury), with the first-time application of the fine ceilings defined in GDPR and the publication of the decision

On this occasion, the CNIL reminds that it has the power to set a fine without having previously served a formal enforcement notice to the data controller and given him time to comply. The CNIL further explains that the litigious processing is still being carried out and Google has not used the time during the investigation period of this case to modify their behavior.

This decision is especially based on:

  •  the seriousness of the acts which directly concern essential principles of privacy
  • the fact Google’s activity is predominantly oriented towards processing personal data (with targeted advertising) make them even more responsible and requires even more vigilance on their part with regards to respecting privacy.
  • the volume of the impacted data and the almost infinite cross referencing

The amount of the fine may seem high, but it is in reality fairly low considering Google’s annual turnover exceeds 110 billion euros. Indeed, the allegations facing Google concern fundamental principles of privacy and are liable to a fine which can go up to 4% of company’s worldwide turnover.

What should be taken out from this case: It is essential:

  • to identify within a global corporation, which entity has the decision-making power over the processing of personal data, this element is key in determining both the identity of the data controller and the competence of European authorities
  • to provide complete, clear, understandable and easily accessible information to the user: 1 click should be enough!
  • to make sure that a positive action of the user takes place for the consent to be valid… there are still too many pre-ticked boxes or presumed consents (for example when the user simply continues to browse, especially in terms of cookie preferences)
  • to enable consent to be given separately for each purpose, which must be defined in a sufficiently precise manner
  • to react rapidly and modify data processing conditions to make sure they are compliant whenever the CNIL issues even the slightest warning.

12/01/2019 – Germany – Baden Württemberg – LfDI – Most significant financial penalty in Germany since the entry into force of GDPR – 80K€

On 15 January 2019, Dr. Stefan Brink, Director of the Data Protection Authority of Baden Württemberg, revealed that in addition to the 20K€ fine imposed on, an €80,000 fine had been imposed by the LfDI on a company which’s name he refused to disclose. Nevertheless, the LfDI revealed that this case concerned health data that had inadvertently been made available on the Internet. For the record, according to Article 9(1) of the DGPS, health data fall into the category of “sensitive data” and therefore can only be processed in exceptional cases and with stricter than normal security measures (including doing so via specifically authorized health data hosts).

We also know that this financial penalty is the largest of all those imposed by German authorities since the entry into force of the GDPR.


29/12/2018 – International / Brazil – Provisional measure on the application of LGPD

On the 29th December, a provisional measure (n°869/18) was adopted, thus creating the Brazilian data protection authority: the ANPD.

The measure also delays by 6 months the coming into force of the new protection of privacy law: initially supposed to come into force on the 15th February 2020, it has been moved to the 15th August 2020.

As a reminder, this new regulation will also concern non-Brazilian companies as it will apply to:

  • data processing taking place in Brazil
  • data processing taking place outside of Brazil if the activities related to the processing consist in offering products or services to people located in Brazil or if the data was collected in Brazil

28/12/2018 – France – CNIL Principles to be met before transmitting data to third parties

Consent, information to be communicated to the relevant people, the CNIL reminds the steps that have to be followed, not to mention that the relationship with the third party and what the latter has the right to do with the data must be set up within a legal framework.

26/12/18 – France – CNIL – Sentencing of the company Bouygues Telecom: 250K€

NB. Considering the date of the incidents, GDPR was not yet applicable

Origin of the investigation: On the 2nd March 2018, the CNIL received a report informing them of a security incident concerning the personal data of clients of the brand B&You, which is owned by the company Bouygues Telecom. On the 6th March 2018, Bouygues Telecom, after being informed of the data breach via a message on the company’s Twitter account, informed the CNIL of this breach.

Facts: A vulnerability was detected, which gave access to contract and invoices belonging to B&You customers (therefore their name, surname, date of birth, e-mail address, postal address, mobile phone number) by simply modifying a URL on Bouygues Telecom’s website. This impacted the data of more than 2 million B&You customers over the course of 2 years and 3 months. An inspection led by CNIL took place on the premises of Bouygues Telecom on the 9th March 2018 which prompted Bouygues Telecom to rapidly fix the vulnerability such that the customers’ personal data was no longer freely accessible at the time of the inspection.

Obligation to ensure security and confidentiality: The security issue arose from the omission to reactivate the authentication function of the online customer area, which had been de-activated for the purpose of a testing phase following the merging of the databases and IT systems of both Bouygues Telecom and B&You. It therefore appears to be a human error. Despite this, the CNIL considered that because of Bouygues Telecom’s choice to set up a single security measure and no complementary measures, it was their responsibility to be particularly vigilant with regards to the effectiveness of this single security measure. The CNIL also considered that even though Bouygues Telecom proved they had set up regular intrusion tests, whether directly or via service providers, these tests were not adapted to the specifics of the database and were therefore ineffective. Bouygues Telecom should have set up a manual review of the code focused on the critical authentication mechanism. This was possible considering the Bouygues Telecom’s resources and was necessary due to the amount of people impacted by this risk. The CNIL recognizes that Bouygues Telecom cannot be totally immune to human errors but considered they should have set up measures allowing them to detect this said human error.

Penalty: A 250K€ fine. The rapporteur had first suggested a 500K€ fine to the CNIL, but after being made aware of Bouygues Telecom’s observations, he suggested to bring the fine down to 250K€. The seriousness of the breach was taken into account (amount of both data and people impacted, duration of the vulnerability) as well as the reactivity shown by Bouygues Telecom in terms of resolving the security incident and the numerous measures set up to limit the impacts of the vulnerability (e.g. reminders of good practices and advice sheets distributed to their clients, fighting against phishing, dark web surveillance, training of employees).

Publication of the decision: Considering the large number of both data and people affected, the duration of the vulnerability, the current context in which security incidents are repeating themselves and the necessity to raise awareness amongst both data controllers and web users.

19/12/2018 – France – CNIL – Uber France SAS sentenced: 400K€

NB.Considering to the date of the incidents, GDPR was not yet applicable

Facts: In November 2017, the American company Uber Technologies Inc. (hereinafter Uber Inc.) revealed to the media…with a year’s delay… that two individuals had successfully hacked personal data from 57 million of its users back in late 2016, including those of 600 000 drivers.

Amongst the stolen data were the names and surnames of users but also their e-mail addresses, cities and countries of residence, mobile phone numbers and status (driver / passenger). Uber had kept this incident a secret for 8 months, which represents a breach of the American law on computer security and resulted in a very poor publicity for Uber in late 2017, especially considering Uber allegedly transferred 100 000 dollars to the hackers for them to not divulge the incidents to the public and destroy the information they had collected. All computer experts have recommended such a practice be banned.

To coordinate the investigations procedures led by European data protection authorities, the G29 created a work group which has allowed for a better understanding of the attack:

  • The hackers accessed logins which were stored in plain text on the collaborative development platform “Github”.
  • They used these logins to access a data storing server
  • They downloaded information concerning 57 million users, of which 1.4 million were located on French soil

Liability: The liability of Uber B.V. was not contested. On the other hand, Uber Inc. invoked their role as a simple subcontractor based on a signed contract with Uber B.V., stating this position limits their role with regards to data processing. The CNIL rejected this argument considering it was indeed Uber Inc. which determined the essential aspects of data processing.

In particular, the CNIL has identified the following:

  •  the data controller cannot be withdrawn from the management of the consequences that follow a breach of data
  •  Uber Inc.’s broad scope of action (drafting of guidelines regarding data management which are applied by all subsidiary companies, training of new employees, signing contracts with third parties which supply essential tools for the service) confirms their key role in determining the means and purposes of data processing.

Uber B.V. and Uber Inc. are considered to share joint liability.

The CNIL decided the fine would be directed at Uber France SAS, treated as an establishment of the data controllers Uber B.V. and Uber Inc., considering that via the Uber France SAS, Uber has the benefit of having stable premises in France and of conducting their activities in France (supporting customers/drivers and undertaking marketing campaigns in France).

Obligation to ensure security and confidentiality: This hack would not have succeeded if certain basic security measures had been set up. These especially include:

  • although this does not correspond with the recommendations (despite being a possibility) made by the collaborative development platform “Github”, Uber should have planned for their engineers to login to “Github” via strong authentication measures (for example, a login and password followed by a code sent by text message). In practice, they logged in to “Github” with nothing more than their personal e-mail and a password which they had configured themselves. In addition, no removal of authorizations procedure was in place for the cases where an engineer left the company;
  • Uber shouldn’t have stored unencrypted logins enabling server access in the source code of the “Github” platform
  • with regards to accessing the servers which held user data, the company should have set up a system which filtered IP addresses

In these conditions, the CNIL restricted committee considered that the company had breached its obligation to secure personal data. It sentenced Uber France SAS, the establishment of the companies Uber Technologies Inc. and Uber B.V., to a 400 000 euro fine.

Penalty: 400K€ fine

Publication of the decision: Due the very large number of people affected and the necessity to raise awareness amongst operators

NB. On the 06/11/18 the Dutch data protection authority served Uber with 600K€ fine for failing to meet their obligation to inform of a data breach. The 26/11/18, the British data protection authority, served Uber with a 385 000 £ fine for failing to meet their obligation of securing data.

NB. Reminder that the use of the “Github” platform had already been linked to the sentencing of the company Dailymotion for failing to meet their security obligations (see Infra in this thread).

19/12/18 – Court of Cassation – Mediapost – Location tracking of employees

Facts: Mediapost, a subsidiary of La Poste, distributes targeted adverts in letter boxes. It has set up a system called “Distrio” which saves the location of its couriers every ten seconds and tracks their eventual lack of movement or complete motionlessness. This system functions via a tracker worn by the couriers during their journey and which they activate themselves. The purpose sook by Mediapost is to supervise the effective working time of the couriers. Considering this system illegal, the Sud PTT trade union took Mediapost to court. The Lyon court of appeal has deemed this location tracking system in order to determine the effective working time of the couriers as being legal as it is justified by the work which needs to be accomplished and proportionate to the purpose sook by Mediapost.

Decision: On the 19th December 2018, the Court of Cassation quashed the judgement made by the Lyon court of appeal and sent the parties back to the latter so that case could be re-examined. The Court of Cassation blamed the Court of appeal for taking its decision without “considering if this location tracking system set up by the employer was the only way to supervise the working time of employees”.

The article L1121-1 of the French employment code plans for two cumulative conditions in which the rights to privacy of employees, including that of having their location tracked, may be restricted:

  • The restrictions must be justified by the nature of the task the employee is required to accomplish
  • They must also be proportionate to the purpose sook by the employer

The Court of Cassation state that in this case the location tracking system set up to supervise effective working time must be the only way supervise the latter for it to be considered legal. It also adds that whenever the employee has large enough freedom in the organization of his work, this type of system cannot be justified.

What must be taken out of this case: Before setting up a location tracking system for employees (which by nature undermines their freedom), in the aim of supervising their working hours, a company must imperatively research if any other means of doing so could be used (even if those may be less effective) and, depending on the freedom the employees concerned by the measure possess in terms of organizing their work, whether or not it is justified to implement this supervision.

19/12/2018 – ECJ – Advocate general’s conclusions in the fashion ID case

Facts: the fashion accessories online retailer Fashion ID GmbH & CO.KG has integrated a “plug in” on their website: Facebook’s “like” button. Therefore, when an internet user visits the Fashion ID website, information concerning their IP address and their browser’s character string are transmitted to Facebook. This transmission takes place automatically as soon as the Fashion ID web site is loaded, regardless of whether the user has clicked on Facebook’s “like” button and whether he does or does not possess a Facebook account.

A German consumer protection organization launched injunctive relief proceedings against Fashion ID on the motive that the use of this plug-in was against the laws on the protection of personal data.

Several prejudicial questions are asked by the German court to the ECJ. In substance these are:

  • When a company inserts a program code in its website which allows the user’s browser to request third party content thereby enabling it to transmit personal data to this third party, should the company be considered a data controller.
  • If in this context the consent of the internet user is required, to whom should it be given (the company or the third party)?

Position of the advocate general: It is genuinely not in favor of those web site editors which are offering third party plug-ins.
Indeed, the advocate general has proposed to conclude that any person inserting a third party plug-in on their website which collects and transmits personal data should be considered a joint data controller insofar as his liability is limited to those operations for which he is effectively a co-decider of the means and purposes of the processing of personal data. In the case of Fashion ID, this would be the stages at which they collect and transmit personal data to Facebook. Although the purpose for Fashion ID and Facebook is different, it is unitary: commercial and advertising related in both cases, as Fashion ID’s choice to insert Facebook’s plug-in on their website is based on a desire to improve the visibility of their products via Facebook.

Consequently, the consent of the internet user must be given to the manager of the web site that inserted the third-party content, and that before the collection and transfer of the data takes place.

Conclusion: We all remember the ECJ’s judgement on 5th June 2018 confirming that the administrator of a fan page is a joint controller of data together with the social network, which in this case was Facebook (you may view our comments on this matter further below). If the position of the advocate general is followed by the court, these questions will place even further responsibility on companies operating on the web, which will need to modify their confidentiality policies and the information provided to web users.

18/12/2018 – Controversy surrounding Facebook granting tech giants access to some of their users’ personal data

14/12/2018 – Facebook announces another security breach:

The social network has just announced a security breach which concerns the sharing of Facebook profiles with 1500 applications, involving images uploaded (whether they were posted or not) by 6.8 million users of the platform, during a period going from 13th to 25th September of this year.
The Irish data protection authority is investigating the conformity of the data processing done by Facebook.

29/11/2018 – CNIL – end of formal enforcement notices targeting Fidzup and Singlespot

Facts: Formal notices sent on the 25th June 2019 and the 8th October 2018 by the CNIL, with a compliance period of 3 months given in both cases

Measures taken to comply with the enforcement notices: the two companies have taken the following measures

  • Displaying banners during the installation of the mobile applications, which allowed people to receive prior communication of the compulsory information concerning processing
  • Possibility for individuals involved to either accept or refuse that their location data be processed in the purpose of targeted advertising, prior to the collection of the data and without a refusal leading to altered service quality

Singlespot has also taken the following measures:

  • Set up a system of automated data purging when the retention period ends
  • Set up a restrictive password policy for database access

Penalty: none

To complement this brief, you may consult in this same rubric our briefs from the 25/06/18 on the Fidzup case and that of the 30/10/18 on the Singlespot case.

26/11/18 – UK – ICO (Information Commissioner’s Office) / Joint sentencing of companies Uber BV and Uber establishments in the UK (Uber London Ltd, Uber Britannia Ltd, Uber Scot Ltd, Uber NIR Ltd): £385 000

NB. Considering the date of the incidents, GDPR was not yet applicable

Facts: In November 2017, the American company Uber Technologies Inc. (hereinafter Uber Inc.) revealed to the media… with a year’s delay… that two individuals had successfully hacked personal data from 57 million of its users back in late 2016. Amongst the stolen data were the names and surnames of users but also their e-mail addresses, cities and countries of residence, mobile phone numbers and status (driver / passenger). Data from approximately 82 000 British drivers and 2.7 British users was impacted.

Liabilities: The ICO considers that Uber BV is a joint data controller together with its British affiliates, insofar as these affiliated companies are established in the United Kingdom, direct their activities (sales and marketing operations) towards a British public and Uber B.V. carries out a genuine and stable activity in the United Kingdom via these establishments, leading to the processing of data which is the matter of this case. On the other hand, the ICO does not questions the subcontractor status of Uber Technologies Inc in the United States.
Obligation to ensure security and confidentiality:
The ICO has determined that Uber did not set up adequate security measures:

  • Uber engineers may access the collaborative development platform “Github”, with nothing but their personal e-mail address and a password configured by themselves;
  • No removal of authorizations procedure is set up for cases where an engineer leaves the company;
  • Unencrypted storage of logins enabling server access within the “Github” platform’s source code.

The ICO also blames Uber for having treated the breach as a “bug bounty” (reward for those who had detected and reported a vulnerability) whilst it was clearly a hack, as the hackers stole personal data.

Although applicable British law at the time (as opposed to GDPR which became applicable in May 2018) did not include the obligation to notify authorities or the people impacted of a security breach, the ICO blames Uber for not having done so and see it as an aggravating factor.

Penalty: A £385 000 (434 341€) fine which must be paid by 03/01/19 at the latest, which will be reduced to £308 000 if the payment is received by 02/01/2019, unless the decision is appealed.

22/11/2018 – Amazon: client names and e-mails divulged by mistake

Amazon has revealed that a computer glitch has accidentally divulged the names and e-mail addresses of certain clients directly on the company’s website. The e-commerce giant has assured the issue has been fixed and that the impacted clients have been informed.

21/11/2018 – Germany – Baden-Württemberg Data Protection Authority (BWDPA) – Another GDPR related fine – Sentencing of the social network >> 20K€

Facts: On the 8th of September 2018, the social network sent a data breach notification to the land of Baden-Württemberg’s ICO equivalent. The company had just noticed that a cyberattack having occurred back in July 2018 had enabled the theft of personal data belonging to the social network’s users: over 800 000 e-mail addresses and close to 2 million usernames and passwords. In a bid to be perfectly transparent with regards to the data protection authority, the company revealed the users’ passwords were stored in plain text (not encrypted or modified in any way).

Breach of personal data principles: Breach of the obligation to ensure the security and confidentiality of the data. The encryption of website data is one of the minimum requirements in terms of security.

Penalty: A 20K€ fine for having stored their users’ passwords in plain text. This can seem like a rather lenient penalty considering the maximum fines defined in GDPR (up to 20 million euros or 4% of turnover). This leniency can be explained by the cooperation and transparency that was demonstrated by, which immediately notified the data protection authority as soon as they became aware of the breach, provided precise details and did not hesitate to reveal the fact they didn’t encrypt passwords. The data protection authority also considered the great diligence shown by the company when taking corrective measures.

06/11/2018 – Netherlands – AP (Autoriteit Persoonsgegevens) – joint sentence for Uber BV and Uber Technologies, Inc: 600K

NB. Due to the date of these incidents, GDPR was not yet applicable

Facts: In November 2017, the American company Uber Technologies Inc. (hereinafter Uber Inc.) revealed to the media… with a year’s delay… that two individuals had successfully hacked personal data from 57 million of its users back in late 2016. Amongst the stolen data were the names and surnames of users but also their e-mail addresses, cities and countries of residence, mobile phone numbers and status (driver / passenger). Data from approximately 174 000 Dutch users was affected.

Liabilities: The liability of Uber B.V. was not contested. However, Uber Inc argued they were a mere subtractor based on a signed contract with Uber B.V. on the 31/03/2016 which defined the role of both entities as follows: Uber B.V. as the data controller and Uber Inc. as the subcontractor. The AP rejected this claim as they considered Uber Inc. and Uber B.V. jointly determined essential aspects of data processing means, data security policy, data retention decisions, the development of the service offering, and the Uber application and the fact Uber Inc. was the one providing the application to the Apple App store and Google Play Store. The AP charged them with joint liability.

Obligation to inform of the data breach: AP are blaming Uber for not having informed the users concerned during the 72 hours that followed the leak, but only on the 21/11/2017, despite the fact the breach took place in late 2016 and Uber was informed of it by the hackers themselves on the 14/11/2016.

Penalty: A 600K€ fine (considering fines cannot exceed 800K€ under current Dutch law), payable in the next six weeks, unless the decisions is appealed.

06/11/2018 – Microsoft becomes certified host of healthcare data in France

During the 2018 Microsoft Experiences in Paris, Microsoft has announced that it has recently obtained the “healthcare data host” certification (granted by the specialized organization BSI) in France.
This certification applies to all cloud services offered by the editor in France: Azure and Office 365.
If Microsoft is the first amongst the major public cloud providers to obtain this certification, it is mainly to reward the company’s ability to manage security incidents rapidly and efficiently. Indeed, amongst the conditions that must be met to obtain such a certification, it is necessary to meet certain standards:

  • ISO 27001 for information systems security·
  • ISO 27018 in terms of privacy policy
  • ISO 20000, which defines the organizational expectations required to ensure the quality of information processing services

In practical terms, this certification will enable the development of personalized healthcare solutions, which will decompartmentalize patients’ pathway to healthcare (secured sharing of sensitive data), thereby opening the door to telemedicine.

Microsoft will thus be able to develop collaborative healthcare solutions with healthcare facilities.

06/11/2018 – FIFA’s computer systems hacked

After experiencing another hacking of their computer systems, FIFA leaders have assured they are progressively setting up preventive measures such as encouraging staff to be extremely vigilant with regards to phishing by informing them of the different techniques and methods used.

Despite this, it is clear the cybersecurity measures must be reviewed, and more sensitization action must be taken to avoid this kind of hacking.

The strict application of GDPR rules could have allowed for faster detection of the data leakage and increased vigilance in the ranks of FIFA.

06/11/18 – France – CNIL – Publication of a non-exhaustive list of data processing which requires an impact analysis

To remember:

  • the criteria used to determine whether a processing requires an impact analysis: collection of sensitive data, concerns “vulnerable” individuals (employees, children, elderly people, patients, asylum seekers, etc.), evaluation or grading, systematic surveillance, cross-referencing or combining several data sets, automated decision taking leading to legal effects or other similarly significative effects, innovative usage or application of new technological solutions, data processing at a large scale.
  • examples of processing concerned: processing to detect payment fraud (used on many online shopping websites), combining data sets operated by data brokers, processing aimed at personalizing online advertising, mobile application enabling the large scale collection of location data.

30/10/18 – France – CNIL – Application of GDPR – Formal enforcement notice for company Vectaury

Facts: CNIL has inspected the company Vectaury, which uses technologies enabling personal data collection via smartphones and the carrying out of advertising campaigns on mobile phones.

This company relies on technological tools known as Software Development Kits (SDK) which are integrated in the application code of the company’s partners. The tools allow the company to collect data (mobile phones’ advertising ID’s and location data) from mobile phone users even when the relevant applications are closed.

This data is then cross-referenced with points of interest determined by partners (retail stores) in order to display the targeted advert on the user’s terminal depending on the places they visited.

Vectaury also processes, in the aim of user profiling and target advertising, location data it obtains from real-time bids it initially received so it could purchase advertising space. Vectaury has received a formal enforcement notice that it must obtain effective consent from all the users concerned and delete the data it wrongfully acquired.

Legal basis and compulsory information

# Breach of the obligation to obtain user consent for the data acquired from SDKs

  • when downloading mobile phone applications, users are not systematically informed that an SDK is collecting their location data
  • during installation, the user is not informed that the final purpose is target advertising, nor is he of the identity of the data processor
  • the information in the T&C’s of the apps is not prior to the processing of data
  • it is not always possible for the user to download the mobile application without activating the SDK and in these cases the use of the applications leads to data being automatically transmitted to Vectaury
  • the Consent Management Provider (CMP) set up to reinforce the information is not systematically implanted within the applications and the information it gives to the users is insufficient
  • the collection of location data is activated by default

# Breach of the obligation to obtain consent on data coming from real-time bids for advertising space

  • consent is not obtained before the processing of data for user profiling
  • the information given to the user does not explain the final purpose of the processing (real-time bidding system, followed by the retention of data in order to define a commercial profile)
  • the collection of data is activated by default

Risks for individuals: particular risk for their privacy as the data reveals their physical movements and daily habits
Exercising of rights: the processing takes place without the people concerned being aware of it, and without them being able to exercise their rights defined by GDPR.
Compliance deadline: 3 months
Publication of the decision: considering the nature of the breaches, the number of people concerned, (over 5 million via SDKs and more than 42 million via the real-time bidding system) and the need to raise awareness amongst professionals of the sector regarding the stakes associated to the use of this type of technology

24/10/18 – France- CNIL – end of formal notice targeting Direct Energie

Facts: Formal enforcement notice served on 5th of March 2018 by the CNIL, with a 3-month compliance period

Measures taken to terminate the breach

  • Commercial offers allowing the consumer to choose what data he agrees to share (detailed monitoring, standard monitoring, no monitoring)
  • No default data collection
  • Information provided to consumers clear and unambiguous: possibility of accepting daily or half hourly electricity consumption readings without believing it is a mandatory consequence of installing the smart meter; possibility of removing consent at any moment via the online customer area; set up of a specific method for informing clients when contracting with them on the phone: general conditions of use communicated orally and then with an SMS or e-mail sent during the call with the agent.

Penalties: none

16/10/2018 – International / Turkey – Marketing communications via e-mail, SMS or phone call

On the 15th of August 2018, the Turkish personal data protect authority (Kişisel Verileri Koruma Kurulu) has ruled over marketing communications taking place via e-mail, SMS or phone calls, stating that the data controllers as well as their subcontractors are to cease this type of communication immediately unless they have obtained explicit consent from the recipient or they are able to justify the data processing in question is exempted from the legal obligation to obtain prior consent.  The authority also reminds that the data controllers are to take all the technical measures necessary in order to ensure an adequate level of security for the data as well as guaranteeing its protection and that the subcontractors are jointly responsible with regards to making sure the measures are well implemented.

11/10/2018 – France – CNIL – Adoption of two certification frameworks relating to DPO competences

A certification is not mandatory to practice as a Data Protection Officer (DPO), nor is it to be registered as one with the CNIL. It only enables one to prove his skills and know-how.

The CNIL has thus adopted:

  • a certification framework setting the conditions of admissibility as well as the list of expected skills/know-how to be certified as a DPO
  • a framework of approval setting the applicable criteria for organizations wishing to be authorized by the CNIL to deliver DPO certifications: indeed, the CNIL itself will not be the entity granting DPO certifications

As of now, the CNIL is yet to approve a certifying organization.

Certification des DPO : la Cnil pose les règles

11/10/2018 – PORTUGAL – CNPD (Comissão Nacional de Proteção de Dados) – 1st GDPR related fine in Europe– Sentencing of Barreiro-Montijo >> 400K€

Facts: In June 2018, the CNPD (ICO equivalent in Portugal) proceed to an inspection of the Barreiro-Montijo hospital following a warning from a doctors’ organization. On this occasion, the CNPD discover that 9 members of the hospital’s administrative staff have access to the patients’ clinical files, whilst they should be accessible by doctors exclusively. Following this, the CNPD notice that 958 doctors have an account allowing them to access patients’ clinical files, despite the hospital staff only having 296 doctors. This gap is attributed to the fact an account is created for every temporary doctor, considering the accounts are not deleted nor deactivated at the end of their respective assignments (sometimes 2 years back).  Several other flaws are detected in the creation and the management of accounts. Strikingly, when creating a simple trial account, the CNPD experts were able to access sensitive data relating to patients which were no longer treated by the Barreiro-Montijo hospital.

Breach of personal data principles: the CNPD retains 3 GDPR violations:

  • not respecting data integrity and confidentiality principles
  • failure to respect the obligation of limiting access to data (not taking into account the profile of each employee)
  • person responsible for the data processing incapable of guaranteeing the integrity of the data

Defense of the hospital: the healthcare center called upon the fact the Portugese ministry of health manages the authorizations enabling access to patient data and their lack of necessary computing resources to manage the data effectively

Penalties: The Hospital was sentenced to a 400K€ fine, 150K€ for each of the first two violations and 100K€ for the third violation.

Bearing in mind that GDPR plans for fines that can reach 20 million euros for this type of breach, this fine seems relatively lenient, especially considering the sensitive nature of the data in question, which relates to the medical field.

09/10/2018 – Belgian data protection authority wishes for a globally reaching right to oblivion

In July 2016, the Belgian Commission for the Protection of Privacy (CPP) (has since become Data Protection authority or DPA) received a complaint regarding URLs available on a search engine which included calumnious and defamatory information that associated the plaintiffs with serious cases in which they had not been involved and for which they were never prosecuted.

The plaintiffs had therefore filed requests to be delisted with the search engine concerned. These attempts were eventually useless as new links with slightly modified URLs yet identical content seemed to re-appear endlessly.

The delisting process was also revealed as being partial and ineffective for the following reasons:

  • it didn’t affect all the search engine’s various extensions from all the regions in which it is accessible
  • it was limited to search keys which included the name and first name of the plaintiffs; as a result, adding a specific term associated to the name and first name caused the previously de-listed results to re-appear.

The plaintiffs therefore requested the CPP that the delisting process concern all the versions of the said search engine, that it no longer be limited in geographical scope and that the modalities for exercising their right to be delisted be adapted to include , for example, the introduction of a filtering system.

This complaint was positively welcomed by the CPP which believe that the various extensions of a search engine can be considered as nothing but various technical pathways to a single search engine, allowing for one single processing. The search engine’s URLs can then be targeted by differentiated blockage decisions depending on the origins of their artificial territorial location.
According the CPP, the limited territorial scope results in preventing any useful effects to arise from exercising one’s right to privacy.
A similar case concerning the territorial scope of the right to be delisted recognized by the 14th May 2014 “Google Spain” judgement around three prejudicial questions is currently pending before the ECJ and the Court’s decision is expected during the coming months.
On the 10th of January, the advocate general presented his conclusion in which he explained not being in favor of such wide-reaching interpretation of Union rights, as this would imply the latter to have effects beyond the borders of the 28 member states.

Despite this, he doesn’t rule out the possibility of obliging search engines to proceed to worldwide delisting in certain cases.


08/10/2018 – Security vulnerability on social network Google+

The Wall Street Journal revealed on the 8th October that a security vulnerability on Google +’s program interface had been putting the users’ personal data at risk during a 3-year period from 2015 to 2018, when Google noticed the vulnerability during an internal audit. Google is said to have hesitated before disclosing this discovery to the public, but eventually did so soon after. Google estimates 500 00 accounts were concerned by this vulnerability and 438 third party applications (API) potentially had access to this data. Amongst the data concerned were name, e-mail address, job, age and the gender of the users.
Google soon announced the imminent closing of Google + to the public, largely due to this issue. Despite this, Google state no collection or wrongful utilization of the data has been noted. Google has since corrected this vulnerability and has limited the accessibility of personal data via APIs.

08/10/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Heathrow Airport Limited (HAL): £120,000

Facts: On the 16th of October 2017, a USB memory stick lost by a HAL employee was found by a member of the public, who later viewed the material it contained (76 folders and over 1000 files containing employees’ personal data, not encrypted or password protected). It was viewed and passed to a national newspaper which took copies of the data. The ICO became aware of the incident via the media.

Data Security: Companies must ensure that proper corporate standards, training and procedures are being put in place to minimise the vulnerability of personal data. At HAL, only 2% of staff members had been trained in data protection, and staff members were using removable media in contravention of HAL’s policies. Controls and policies were inefficient. Appropriate technical and organisational measures shall be taken against unlawful/unauthorised processing and loss of personal data.

Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts. That being so, the HAL was fined £120000 (approximatively 136K€) in accordance with the Data Protection Act 1998 considering the seriousness of the contravention (sensitive data involved, inefficient measures, and size of HAL), and to promote compliance with privacy legislation.

28/09/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Bupa Insurance Services Limited (Bupa) : £175,000

Facts: An employee was able to extract 547 000 customers’ information (such as name, date of birth, email address, nationality) and offered it to sell on the dark web. The ICO was notified through complaints from Bupa’s customers.

Data security: Bupa failed to assess the risk and to have effective security measures in place to protect customers’ information. The data controller must take appropriate technical and organisational measures against unauthorised and unlawful processing.

Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts (2017). That being so, Bupa was fined £175000 (approximatively 197K€) in accordance with the Data Protection Act 1998 given the seriousness of the breach and to promote compliance with privacy legislation.

20/09/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Equifax Ltd : £500000

Facts: The US parent company of Equifax Ltd was subject to a cyber-attack back in 2017 which affected 146 million customers globally, including 15 million UK citizens.

Data security: The UK branch was responsible for the personal data of its UK customers and failed to take appropriate measures to ensure that the processor, i.e. the US branch, was protecting the information (names, dates of birth, addresses, passwords, driving licence and financial details).

Data principles breached: failure to secure personal data, poor retention practices (data retained much longer than needed), general lack of lawful purpose, and lack of legal basis for international transfers of UK citizens’ data.

Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts (2017). That being so, Equifax Ltd was fined £500000 (approximatively 562K€) in accordance with the Data Protection Act 1998, which is the highest level of fine under this law (considering the number of victims, type of data at risk and Equifax’s inexcusable behaviour), in order to promote compliance with privacy legislation.

04/09/2018 – UK – ICO (Information Commissioner’s Office) / Enforcement notice served to the London Borough of Lewisham

Facts: Data subjects access requests to the London Borough of Lewisham are not handled in due time, owing to its inefficient internal systems, procedures and policies for dealing with subject access requests.

Exercise of the right of access: When a request of access is made, the data controller must respond to subject access requests without undue delay. In addition, the means to respond to such requests must be adequate.

Notice: The ICO set a deadline on the 15th of October, for the London Borough of Lewisham to respond to the 19 individuals who submitted a subject access request to their personal data before last 25th of May, with a weekly reporting on actions taken.

31/08/2018- Data breach at Abbyy’s

Facts: Failure of a server that has made nearly 200 000 scanned documents from a single client of the Russian company accessible.

Information through a press release (probably to avoid the possible bad buzz and to reassure).

28/08/2018 – Data breach at System U (car rental website)

Facts: hacking resulting in a data breach (identification, contact information, booking information, no payment date)

Notification of the violation to the CNIL et through a press release.


27/08/2018 – Data breach at T-Mobile US

Facts: Potential security breach detected and quickly corrected, potentially resulting in data breaches of possibly more than 2 million potential victims (name; billing postcode, phone number, email address, account number and type of account, no payment data).

Notification though a press release.


03/08/2018 – Publication of Decree No. 2005-1309 supplementing the LIL.

Fixation of deadlines and procedures applicable to CNIL’s missions and clarification of certain provisions of the law (medical data, means of information of the persons concerned, etc.)


24/07/2018- CNIL- Sanction for Dailymotion : 50 K€

Facts: Violation of encrypted data during an attack by accessing the identifiers of an administrator account stored clearly on the collaborative development platform “Github” and exploitation of a vulnerability in the code of the platform Dailymotion on “Github”: 82.5 million email addresses and 18.3 million passwords concerned.

Obligation of security of the personal data: elementary measures could have avoided the violation: to not store clearly in the source code identifiers related to an administrator account; Set up an IP address filtering system or a VPN (Virtual Private Network) when outsiders can connect remotely to an internal computer network.

Sanction: it would certainly have been higher if the data breach had not been encrypted.

Publication of the decision: to make accountable the responsible and given the huge amount of data involved.


24/07/2018 CNIL – Sanction for the Public Housing Office of Rennes Métropole Archipel Habitat : 30K€

Facts: Complaint received concerning the use of the President of the DPO (also Mayor of Rennes) of the file of the tenants of social housing to send them a politicized letter about the APL and the position of the government.

Lawful processing: the personal data collected cannot be processed for purposes other than those that justified the collect (here the management of application for social housing and for the real estate park). If a purpose of external communication was possible, it was not here a newsletter because of the controversial content of the mail (critique of a government announcement).

Publication of the decision: to remind all the actors of the social sector the prohibition to use the data out of the initial purpose and because of the lack of knowledge of the OPH of a fundamental principle of the LIL.



17/07/2018- CNIL – Closing of the formal notice against Genesis Industries Limited

Following the CNIL’s formal notice, the answers provided by Genesis and the subsequent controls from the CNIL, allowed to verify that the voice recognition, necessary for the toys to respond to the questions asked by the children, is no longer used. The discussions with the toys are no longer transferred to the servers of a third-party company outside the EU and the use of the toys no longer leads to the processing of data.


10/07/2018 CJUE- The data protection regulation applies to religious communities

Co-responsibility of a religious community (Jehovah’s witnesses) and its preaching member: preaching by door-to-door is not an exclusively personal and domestic activity of each preacher, which would allow them to escape from the regulation, since it goes beyond their private sphere. The joint responsibility does not necessarily presuppose that each actor has access to personal data: the community organizing, coordinating et encouraging preaching by its members participates in determining the purpose and the means of the treatment.


02/07/2018 CNIL press release – What controls for 2018?

The CNIL’s controls in 2018 will follow the same lines as before, with investigations based on complaints and reports sent to the CNIL, verifications carried out following closures, formal notices or sanctions, missions carried out on the basis of current topics and the annual program of controls on the specific themes selected. For 2018, it concerns the processing of personal data related to recruitment (including evaluation tools), rental real estate (on the vouchers requested by the agencies) and paid parking carried out with connected tools.


02/07/2018 CNIL- Formal notice against the Institute of informatic and commercial techniques- CCTV: The constant surveillance of employees or students is excluded.

Is excessive any systems that constantly monitors employees or students, that is to say, to film both access to the establishment, the traffic and the places of life during business hours of the establishment, except in exceptional circumstances.

The obligation of information of the filmed person can be filled by mentioning it in the general conditions of inscription, a posting and the diffusion to the employees (note of information/ employment contract).

When the final purpose of the treatment is to protect goods and people (thefts, aggression, damage) and to avoid overflowing students, an adequate conservation period would be of one month.


01/07/2018- International/ Brazil – the LGPD should come into force within 18 months.

After 8 years of work and inspired by the 1995 European Directive, the 1st Brazilian law on the protection of personal data (LGPD) will come into force. It creates and standardizes a comprehensive system of protection with 10 legal bases to justify the processing of personal data (including consent), enhanced protection for so-called sensitive data (eg ethnic origin, political and religious opinions, sexual preferences and genetical data), the creation of a dedicated authority (ANPD), the establishment of a function of leader of privacy within public and private entities, data breach notification obligations, fines that can escalate up to 50 million Brazilian reals (about 10 millions euros) with a possible prohibition of the incriminated treatments.


28/06/2018 CEDH- When convicted criminals more than 20 years ago are denied anonymity in the media à The right to be forgotten is not absolute.

In order to identify whether the right to be forgotten has to be implemented, a balance must be struck between respect of privacy and public’s freedom of expression and information.


28/06/2018 CNIL press release- The most common negligence in the security of websites.

The pitfalls quite easy to avoid and yet most often encountered concerning the security of the web sites are in particular: an authentication by a password too flexible, the absence of authentication rules to an account (the only incremental URL enough to access), the lack of encrypted data, the indexing of data in a search engine.


21/06/2018 CNIL- Sanction for the association for the development of fireplaces : 75K€.

Facts: Notification sent to the CNIL, which carries out an online check and warns the ADEF of a personal data breach (modification of the path of the URL displayed in the browser allowed access to documents registered by other applicants: taxi notices, passports, identity cards, residence permits, pay slips, CAF payment certificates, NIR, IBAN, etc. housing applicants who have made a registration process on the website of the association) and asks him to fix it. A few days later, the CNIL notes that, although the ADEF asked the company that developed its website to intervene, the data is still accessible.

Obligation of security and confidentiality of the personal data: basic measures upstream of the development of the site could have avoided the violation: to set up a device allowing to avoid the predictability of the URL and the procedure of authentication of the users of the web site.

Sanction: it would certainly have been higher if the ZDEF had not cooperated with the CNIL.

Publication of the decision: in view of the gravity of the situation related to the open access and the volume of documents (42652) and having in mind the intimate and complete nature of the data concerned.


21/06/2018- The age of the numerical majority in France is set at 15 years old.

A minor may consent to the processing of his personal data from the age of fifteen. Before this age, additional parental consent is required. 5Ar. 20 Law No 2018-493 of June 20, 2018, on the protection of personal data).


21/06/2018 – Promulgation of Law No. 2018-493 of June 20, 2018 amending the LIL.

Update of certain provisions regarding the Data Protection Regulation, exercise of the national maneuvers foreseen in the Data Protection Regulation (eg age of numerical majority) and transposition of the Directive 2016/680 “Police Justice”.

According to the CNIL, an order for a complete rewriting of the law “Data processing and liberty” is planned within a period of six months, to allow a legibility of the current legal framework (The current LIL still contains provisions which, according to the Data protection regulation, are no longer applicable or do not mention certain new rights and obligations provided by the Data Protection Regulation.


13/06/18 – Supreme Court – No conviction for Air France

Compliance: the tracking software of the activity of the pilots complies with the LIL (except for a few minor failures reported): fair collection of data (information of person concerned about the existence of the treatment, its purposes, the recipients and their rights by means of a paper memo and on the dedicated intranet), no diversion of the final purpose of the processing (the data contained in this software are not crossed with those taken into account for the monitoring or the pilots career).

Nature of the data: information about sick leaves are not sensitive data because the reason of the leave is not indicated, and therefore is not data on the health.


06/06/18 State Council- Conviction for : 25K€

Legal basis of the treatment: The advertising cookies even if they would be necessary for the economic viability of the web site, require a consent of the web user prior to their deposit.

Obligation of information: It is essential to inform the web user of the cookies that can be deposited by specifying those that are obligatory or subject to his consent, as well as the consequences of a possible opposition on his part. The only proposal to the web user to configure his browser is not a valid mode of opposition.

Shelf life: Cookies/ 13 months.

Obligation to cooperate with the CNIL: it is up to the company which has been subject of a notice from the CNIL to show that it has done what is necessary to rectify its infringement.


05/06/18 CJUE – Joint responsibility of the treatmentà Deactivation of a fan page on the social network Facebook.

Responsibility: Although the Social network is primarily responsible, the administrator of a fan page is jointly responsible for the processing: He brings an active and voluntary contribution (setting action) to the collection by RS of the personal data of the visitors of his page and profits from statistics resulting, for the purposes of management of the promotion of his activity (knowledge of the profile of the visitors who appreciate the fan page or use its applications, in order to propose them a more relevant content and to develop functionalities most likely to interest them more…). Even if their statistics are received by the administrator in an anonymized form, the processing itself is not, and it is not necessary in practice for the user to have an account on the RS for his data to be processed.


25/05/2018- The entry into force of the long awaited GDPR … and so dreaded

The week of entry into force of the new European regulation on personal data will have seen many companies rush around this deadline to assail their contacts and clients with e-mails.

  • Several observations: the majority of these e-mails aimed to ask for a (new) consent to the people; the majority of people did not read these e-mails, received in shambles and even less confirmed a consent.
  • Several reflections: it seems that in most cases, the legal basis of data processing did not have to be the consent (remember that a company can on the basis of a legitimate interest send offers to its customers naturally interested by its products and services); by massively addressing this demand, the companies themselves have had to obtain a consent; even if a consent was necessary, it is far from certain that is really was necessary for the 25th of May; the result of this precipitation is most certainly a massive loss of business data and the value that goes with it.

The CNIL has announced that it will remain fairly flexible as part of its controls until the end of 2018. So it is still time to reflect on the legal part and to verify on a case-by-case basis what are the obligations of the company and the steps to take regarding the compliance that needs to be implemented.


07/05/18 CNIL- Conviction for Optical Center : 250K€

Control online and then on the spot.

Security requirement: Default when placing online orders on its website: access to hundreds of customer invoices containing personal data (surname, first name, postal address, health data and sometimes date of birth and social security numbers).

Sanction: 250K€ despite the active collaboration of Optical Center to solve the flaw, because: the restriction of access to documents present on the personal spaces is a precaution of essential use; the company knew the risks of computer security, having already been condemned in 2015 (to 50K €).

Publication of the decision: because the data made available were particularly sensitive and numerous (334,769 documents) ant the number of customers affected important.


09/03/2018 State Council – Confirmation of the non-dismissal by the CNIL of a Correspondent Informatique and Liberty (CIL).

The information of the customers of a banking institution on the financial risk that they take by contracting a loan is not part of the duties of the CIL who did not therefore fail in its obligations.


14/02/2018 TGI Paris- Invasion of privacy and malice : 2K€ D&I, 2K€ art. 700, removal of the web page.

If court decisions are published in full, the freely accessible databases that reproduce them must anonymize them.

To identify on a web page a convicted person (for illegal practice of pharmacy, marketing of drugs without a MA, non-compliance with the rules of advertisement on drugs and tax evasion) by publishing the anonymized court decisions, by highlighting the facts that are very old and without fueling the debate with new elements is a malicious lift of anonymity and reprehensible.


20/02/2018 Referred Council of State- Implementation of an automated treatment of personal data “Parcoursup”.

Several students’ unions were calling for the suspension of an order authorizing the implementation of an automated processing of personal data “Parcoursup” considered illegal. After balancing the interests in question, the Stat Council considered that the suspension of “Parcoursup” would cause an infringement on the general interest (good progress of the procedures of pre-registration for the higher education) exceeding the inconvenient invoked by the claiming unions in view of the limited nature of the processing. The severity and urgency were not retained.


20/11/2017 CNIL – Notice against Genesis Industries Limited

Notice to proceed within two months to secure the connected toys the doll “My Friend Cayla” and the robot “I-QUE”, which answers the questions asked by children, who are equipped with a microphone and a speaker and associated with a mobile application, so the company collects a lot of personal information about children and their entourage (voice, conversation content, information entered in the application “My Friend Cayla App).

Failure of security: anyone located 9 meters away from the toys with a Bluetooth communication system can connect to the doll, without having to authenticate, and thus hear and record the words exchanged between the child and the toy or any conversation near the toy and also communicate with the child.

Default of information for the users of the toys: while personal information are processed by the company, toy users are not informed of the company’s data processing of informed that the company is transferring content from conversation to a service provider locates outside the European Union.

Première sanction contre Google suite à nos plaintes collectives