Decryption of CNIL sanctions: EDF, Free, Discord
The CNIL was certainly not idle at the end of 2022. Three decisions were handed down, and not minor ones: DISCORD, EDF and FREE were fined 800,000, 600,000 and 300,000 euros respectively.
Our lawyers had the pleasure of delving into the prose of each of these decisions (no, really, there is no irony here). Although the CNIL is making an effort to be increasingly didactic and to explain its decisions as clearly as possible, they remain obscure to most readers. We have thought of you, heads of SMEs and mid-sized companies (ETIs), GDPR referents and other DPOs designated as volunteers: you may not have the time, or the in-depth legal knowledge of the GDPR, needed to read these decisions.
From initial suspicion to control
The CNIL often takes up files following complaints from data subjects who remain dissatisfied after a request to exercise their rights (EDF, FREE), or following data-breach notifications that raise suspicions of non-compliance (FREE). Hence the importance of GDPR risk management. Applying a procedure for handling requests to exercise rights is essential! (Psst, a word of advice: you can do this very easily with our platform, thanks to its guided and collaborative mode and our dedicated templates.) The same goes for security issues: complying with the GDPR reduces your chances of suffering a cyber attack by 80%.
To verify the suspicions initially raised, the CNIL, before deploying extensive and costly checks, often begins with a remote online inspection carried out without announcing itself (DISCORD, EDF).
We can never repeat it enough: your website is the showcase of your compliance!
Start there; it is essential. If the CNIL notices breaches during an online inspection, you are exposed to a documentary inspection or even an on-site one.
Not sure how to go about it? With Data Comply One (formerly Mission RGPD), take advantage of our audit dedicated to this subject and all the document templates you need.
Commercial prospecting: proof of consent
In the EDF and FREE decisions, the CNIL recalls the obligation to be able to provide proof of consent when consent is the legal basis for processing. This was the case here with electronic commercial prospecting, in a scenario of indirect collection involving a data broker.
Even when a service provider is used, it is not enough to rely on:
- contractual clauses under which the service provider undertakes to obtain consent in the name and on behalf of the data controller,
- a template form describing how consent is collected.
The service provider's compliance must be verified through audits, and the proof of consent provided must be individual (prospect by prospect!).
With Data Comply One (formerly Mission RGPD), easily audit your service providers using our ready-to-use questionnaires.
Also be careful when delegating the collection of consent to the service provider that collects the data: it must obtain informed consent that covers all of the purposes pursued and discloses the identity of the prospector on whose behalf the collection is carried out (via a hyperlink to a regularly updated list of service providers).
No approximation in informing people
In the event of indirect collection (for example, a service provider collects prospects' contact details and passes them to you for your prospecting operations), the data controller must communicate the source of the data from the first communication. No generalities are allowed: the exact identity of the source must be given, both when informing the data subjects and in response to a request under the right of access. There is no hiding behind business secrecy (FREE tried, without success), and no more providing incorrect information when answering an access request on this point (EDF).
Nor can the legal basis be buried in a list: the data controller must choose a single legal basis per purpose. The CNIL also notes that it is not acceptable to list the applicable legal bases in general terms.
The same applies to retention periods (EDF and DISCORD): wording such as "We generally retain personal data for as long as necessary for the purposes defined in this document. To dispose of personal data, we may anonymize it, delete it or take other necessary measures. Data may persist for some time in the form of backup copies or for commercial purposes" (DISCORD) is not sufficient.
To inform people about retention periods, the different storage periods must be distinguished according to the categories of data and the purposes (in particular archiving).
The CNIL, intractable on the exercise of rights
Replies by telephone are not acceptable, and neither are late responses. Whatever the context in which the breach occurs (an isolated human error, or the health-crisis period in EDF's case), the CNIL is intractable on the subject.
A quick reminder, too: a request to exercise rights does not have to cite the GDPR to count as one. FREE made this mistake by treating requests to delete a free email account (submitted via a dedicated form) as termination requests falling within a legal data-retention obligation. Even if the request did not imply erasing all data, the fact remains that the accounts concerned stayed active and the mailboxes remained accessible several years after the request.
Security: your passwords?!*$
Something the three decisions have in common is inadequate password security, with the following shortcomings:
- passwords accepted that were too simple and insufficiently complex, at DISCORD,
- on the EDF side, the residual use, on around 25,000 accounts, of a hash function obsolete since 2004, resulting in insecure storage of passwords. The CNIL relies on its own recommendations, those of ANSSI and even some of its earlier decisions on the subject. Hence the importance of keeping up with news from the supervisory authority. I admit it is tedious work, which is why MISSION RGPD does it for you with its legal monitoring and the regular updating of its documentary resources.
- at FREE, the problem lay in the way the initial password was created; it was:
  - automatically generated under insufficiently complex rules,
  - communicated in plain text to the user (by email or post),
  - stored unencrypted in the database (directly readable by administrators within the company, or by a hacker in the event of an attack).
These measures were clearly insufficient in view of the risk incurred in the event of illegitimate access to the user's account (surname, first name, telephone number, emails, invoices, consumption statements, modification of options or password).
The CNIL recalls that although its recommendations are not imperative, the fact remains that they correspond to the state of the art in this area.
We would like to take this opportunity to remind you that a new recommendation regarding passwords was published by the CNIL in autumn 2022 in particular to replace the 2017 version and integrate the latest developments from ANSSI in this area.
Some notable changes:
- Regularly changing passwords is no longer recommended (except for administrator accounts),
- An increased level of password complexity (conditions vary depending on whether the password is combined with additional technical measures such as access restrictions).
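To make the storage side of these findings concrete, here is an added example (our own illustration, not code from the decisions or from any of the companies named) that places the two criticized practices, a password kept in clear text and an unsalted fast hash, beside the form the state of the art expects: a per-user random salt, a deliberately slow key-derivation function and a constant-time comparison. It also shows the "upgrade on login" pattern that retires leftover legacy hashes one account at a time, which is exactly the kind of residue the EDF finding describes. MD5 stands in for the "function obsolete since 2004" as an assumption on our part, and the PBKDF2 iteration count is an illustrative value, not one taken from any recommendation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# PBKDF2-HMAC-SHA256 is used because it ships with Python's standard library.
# The iteration count is an illustrative value chosen for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class StoredCredential:
    scheme: str    # "plain", "legacy-md5" or "pbkdf2-sha256"
    salt: bytes    # empty for the two weak schemes
    digest: bytes  # the stored secret material


# --- The two practices criticized in the decisions. They are kept here only so
# --- that a migration can recognize them; never use them for new accounts.

def store_plaintext(password: str) -> StoredCredential:
    """Clear-text storage: the password itself sits in the database."""
    return StoredCredential("plain", b"", password.encode())


def store_legacy_hash(password: str) -> StoredCredential:
    """Unsalted fast hash. MD5 is an assumption standing in for the obsolete
    function mentioned in the EDF decision; it is not salted and is cheap to
    compute, so identical passwords produce identical digests."""
    return StoredCredential("legacy-md5", b"", hashlib.md5(password.encode()).digest())


# --- Hardened form: random per-user salt + slow KDF + constant-time compare.

def store_pbkdf2(password: str) -> StoredCredential:
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return StoredCredential("pbkdf2-sha256", salt, digest)


def _matches(cred: StoredCredential, password: str) -> bool:
    """Recompute the stored form for the candidate password and compare in
    constant time, whatever scheme the record happens to use."""
    if cred.scheme == "plain":
        candidate = password.encode()
    elif cred.scheme == "legacy-md5":
        candidate = hashlib.md5(password.encode()).digest()
    elif cred.scheme == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ITERATIONS)
    else:
        return False
    return hmac.compare_digest(candidate, cred.digest)


def verify_and_upgrade(cred: StoredCredential, password: str):
    """Return (ok, credential_to_store). On a successful login against a weak
    scheme, a fresh PBKDF2 credential is returned so the caller overwrites the
    stored record; the clear-text password is only available at login time,
    which is why legacy records cannot be rehashed in bulk offline."""
    ok = _matches(cred, password)
    if ok and cred.scheme != "pbkdf2-sha256":
        return True, store_pbkdf2(password)
    return ok, cred


def count_legacy(credentials) -> int:
    """Inventory of records still on a weak scheme: the figure a controller
    should be tracking toward zero after a migration."""
    return sum(1 for c in credentials if c.scheme != "pbkdf2-sha256")


if __name__ == "__main__":
    # Constructed sample user table, not data from any of the decisions.
    users = {
        "alice": store_plaintext("correct horse"),
        "bob": store_legacy_hash("hunter2"),
        "carol": store_pbkdf2("s3cret!"),
    }
    print("legacy credentials before logins:", count_legacy(users.values()))
    for name, attempt in [("alice", "correct horse"), ("bob", "wrong"), ("carol", "s3cret!")]:
        ok, users[name] = verify_and_upgrade(users[name], attempt)
        print(f"{name}: login {'ok' if ok else 'rejected'}, scheme now {users[name].scheme}")
    print("legacy credentials after logins:", count_legacy(users.values()))
```

Note that bob's record stays on the legacy scheme after a failed attempt: an upgrade can only happen when the correct password is presented, so accounts that never log in again keep their weak hash and need a separate decision (forced reset or expiry), which is how a residual population such as the one noted at EDF comes to exist.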
Want to know more? You'll find it here.
Security: Document your security incidents
At FREE, the CNIL recalls the obligation to document data breaches. Even if an incident register is not an obligation in itself, the fact remains that specific documentation dedicated to the subject is essential in order to assess the risk and measure the effectiveness of the measures taken to remedy the incident.
As a reminder, the incident in question gave rise to a data-breach notification, which in turn triggered the inspection procedure leading to the decision: "4100 Freeboxes had been put back into circulation without being effectively reconditioned (due to a double human error), that is, without the previous subscriber's data being erased from the Freebox hard drive".
Breaches of principles hitherto little noted
Beyond the classic breaches of security or of data subjects' rights, the CNIL finds breaches of the principle of privacy by design (don't remember this notion? Don't panic: see our "1 minute to understand everything" on the subject, as well as our dedicated article, to refresh your memory).
For DISCORD, the CNIL criticized the fact that clicking the cross put the application in the background, misleading users into believing they had closed it while it continued to record their voice.
It recommends:
- informing users of this behaviour, or
- changing the application's default setting (the application is not exited when the main window is closed) so that minimizing to the background is disabled by default and it is up to the user to enable it manually.
Still at DISCORD, the CNIL notes the failure to carry out a data protection impact assessment despite two risk criteria being met (vulnerable persons, namely minors, even those over 15, and large-scale processing).
With Data Comply One (formerly Mission RGPD) and its intelligent register, you no longer miss out on your obligations in terms of impact analysis (PIA or AIPD for short).
A listening but uncompromising supervisory authority
In these three decisions, the CNIL appears to listen to the inspected companies and to the observations they made after receiving the report of breaches sent to them at the end of the inspection.
It accepts some of the explanations provided and dismisses certain breaches noted by the rapporteur, for example:
- a breach for failing to prove consent in an EDF commercial prospecting campaign, which rested on an erroneous document,
- a technical error at DISCORD that temporarily prevented the French translation of the privacy policy from appearing on the website (a breach identified during the online check).
It also takes the non-systemic nature of the breaches into account when assessing the amount of the sanction, considering in particular the human errors that occurred in handling rights requests (Free: 2 out of 600) or the number of complaints relative to the number of users (again at Free, 10 out of around 6.9 million). It nonetheless records the shortcomings observed in this respect.
Likewise, the CNIL takes into consideration the companies' cooperation and the efforts they made to comply during the procedure. However, these efforts only spare the company a compliance injunction with a fixed deadline, backed by a periodic penalty payment. Be careful, though: in FREE's case, the CNIL noted that the company had still not remedied one of the breaches found. It therefore issued an order to comply within one month regarding that breach, backed by a penalty of 500 euros per day of delay.
This approach reflects the intention to impose fines that are dissuasive yet proportionate, taking into account:
- the turnover of the organization,
- the importance of the actor in its field of activity, and
- the nature, seriousness and duration of the breach, the measures taken by the controller to mitigate the damage suffered by the data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach.
In these decisions the CNIL is precise and clear in its reasoning, attentive and measured, while remaining uncompromising in applying the principles of personal data protection.
See you soon for the next session deciphering the CNIL's decisions.
Additional resources for this article
Privacy by Design
Read the article: GDPR: How to implement privacy by default and privacy by design?
The sanctions imposed by the CNIL in detail