CNIL (France) - SAN-2022-020
Revision as of 23:55, 5 December 2022
| CNIL - Délibération SAN-2022-020 | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 3(2)(a) GDPR, Article 5(1)(e) GDPR, Article 12 GDPR, Article 13 GDPR, Article 13(2)(a) GDPR, Article 21 GDPR, Article 25(2) GDPR, Article 32 GDPR, Article 35(1) GDPR, Article 55(1) GDPR, Article 56 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 17.11.2020 |
| Decided: | 10.11.2022 |
| Published: | |
| Fine: | 800,000 EUR |
| Parties: | Discord |
| National Case Number/Name: | Délibération SAN-2022-020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | n/a |
The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.
English Summary
Facts
The French CNIL (DPA) started an investigation into a company based in the United States (controller). This controller provided a free-of-charge online service that allowed data subjects to communicate online, including an option for instant messaging and options to create servers and communication rooms, with options for text, voice and video rooms.
The investigation service of the DPA (investigation service) determined several shortcomings on the part of the controller. During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure, the controller added a data retention policy, which described that the controller would delete data subject accounts after two years of inactivity.
The investigation service found that the information the controller provided regarding data retention periods was incomplete. There were no specific periods or criteria for determining these retention periods. The controller also fixed this during the procedure.
The investigation service also found an issue with the controller's application on Microsoft Windows, an operating system for desktop and laptop computers. When a data subject, logged in to a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the application, the application would continue to run in the background and the data subject would remain logged in. However, in the majority of Microsoft Windows applications, clicking on the "X" will close the application. This 'background minimization' was activated after the first install of the software by the data subject. The data subject was not informed about this background minimization. During the procedure, the controller implemented a pop-up window to alert data subjects that the application was still running, when the window is closed for the first time. The controller also informed the data subject that this setting (remaining logged in after closure of the application window) could be changed in the settings.
At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller also adjusted this during the proceedings: it now required data subjects to use a password of at least eight characters, with at least three of the four different character types. Also, after ten unsuccessful login attempts, the controller now required a captcha prompt to be solved, which was previously not the case.
The investigation service also determined that the controller had previously considered that it was not necessary to carry out a data protection impact assessment (DPIA). During the procedure, the controller carried out two impact assessments, in which the controller concluded that its processing was not likely to result in a high risk to individuals' rights and freedoms.
Holding
Competence of the DPA
The DPA determined that the controller processed personal data of French data subjects and held that the GDPR was applicable pursuant to Article 3(2)(a) GDPR. The DPA determined that the controller offered services intended for data subjects in the European Union by considering several factors. Among other factors, the DPA considered for example that almost all pages on the controller’s website and in the controller’s application were available in French at the time of the investigation.
The DPA determined that it was competent to handle this case because the "one-stop shop" mechanism (Article 56 GDPR) did not apply in this case, since the controller did not have an establishment on the territory of any EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of its own Member State (Article 55 GDPR).
Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)
The DPA confirmed that the controller did not have a written data retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely on the contractual relationship to indefinitely keep storing accounts of data subjects who were inactive, but had not unsubscribed. This was because a new account could be created free of charge. Therefore, an inactive data subject who wished to use the service again could do so by creating a new data subject account.
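The retention problem the DPA describes here, and the two-year inactivity rule the controller adopted during the procedure (see the Facts above), can be expressed as a periodic sweep over the account database. The following is an added example, not code from the decision or from the controller; the thresholds (two, three and five years) and the reference date (the decision date) come from the page, while the account records are constructed.

```python
"""Inactive-account retention sweep (added example, not the controller's code).

Models the situation in the decision: accounts carry a last-activity date, the
investigation counts accounts unused for more than three and more than five years,
and the retention policy adopted during the procedure deletes accounts after two
years of inactivity. Account records below are constructed for the example."""
from datetime import date

DELETE_AFTER_YEARS = 2  # retention rule adopted during the procedure (from the page)


def years_ago(today, years):
    """Same calendar day `years` years earlier; 29 February falls back to 28 February."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def inactive_for_more_than(accounts, today, years):
    """Account ids whose last activity lies strictly before the cut-off `years` years ago."""
    cutoff = years_ago(today, years)
    return sorted(acct for acct, last_active in accounts.items() if last_active < cutoff)


def inactivity_report(accounts, today):
    """The two figures the investigation service produced: accounts unused > 3 and > 5 years."""
    return {
        "over_3_years": len(inactive_for_more_than(accounts, today, 3)),
        "over_5_years": len(inactive_for_more_than(accounts, today, 5)),
    }


def due_for_deletion(accounts, today, years=DELETE_AFTER_YEARS):
    """Accounts the two-year inactivity policy would delete at the given date."""
    return inactive_for_more_than(accounts, today, years)


# Constructed sample data: account id -> date of last activity.
SAMPLE_ACCOUNTS = {
    "u1": date(2022, 10, 1),   # recently active
    "u2": date(2020, 6, 30),   # inactive for more than two years
    "u3": date(2019, 5, 1),    # inactive for more than three years
    "u4": date(2017, 1, 1),    # inactive for more than five years
    "u5": date(2020, 11, 10),  # exactly two years: not strictly past the cut-off
}
REFERENCE_DATE = date(2022, 11, 10)  # decision date from the page, used as "today"

if __name__ == "__main__":
    print(inactivity_report(SAMPLE_ACCOUNTS, REFERENCE_DATE))
    print(due_for_deletion(SAMPLE_ACCOUNTS, REFERENCE_DATE))
```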
Failure to comply with the obligation to provide information (Article 13 GDPR)
The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete: there were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner and were not sufficiently explicit.
Failure to ensure data protection by default (Article 25(2) GDPR)
The DPA also found a violation of Article 25(2) GDPR when it was analysing the controller's “X” icon at the top right corner of its Windows application. The DPA determined that the controller’s behaviour was different in comparison with other Windows applications and from the convention in computing in general. The DPA considered that the fact that data subjects would click the “X” button in the controller’s application, but not actually close the application, could lead to a situation where this data subject could be heard by other members in the voice room, when the data subject actually thought he/she had closed the application.
The DPA stated that data subjects could not reasonably expect the application to keep running after clicking the 'X' icon, because communication apps in general either inform the data subject about 'background minimization' or provide the option to data subjects to enable it themselves. The DPA stated that because of this situation, the data subject's personal data was communicated to third parties without the data subject necessarily being aware of this. The DPA noted that this setting, without sufficiently clear and visible information, could present significant risks for data subjects, in particular the risk of intrusion into their private life.
Failure to ensure the security of personal data (Article 32 GDPR)
At the time of the online investigation, a password of six characters including letters and numbers was accepted by the controller for creating a user account. The DPA considered that the controller's passwords were not strong enough, taking into account the undemanding password policy and the volume of personal data processed by the controller, which resulted in a risk of compromise for the user accounts in question, including the personal data these contained. The DPA referred to its own recommendations (in deliberation No. 2017-012 of 19 January 2017), which entailed that passwords should comprise at least eight characters, containing at least three or four categories of characters (upper case, lower case, numbers and special characters), and that authentication should include a limitation on access to the user account, such as a temporary lockout after several failed login attempts.
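The two password policies this finding contrasts (the six-character alphanumeric policy in force at the time of the investigation and the eight-character, three-of-four-classes policy the controller adopted during the procedure, described in the Facts above), together with the failed-login limitation the CNIL recommends, can be checked with a few lines of code. The following is an added example, not code from the decision, the CNIL or the controller; the thresholds come from the page, and the reading of the old policy as "at least six characters, letters and digits only" and the user names are assumptions.

```python
"""Password-policy and failed-login checks (added example, not the controller's code).

Old policy: six characters, letters and digits (read here as at least six
alphanumeric characters). New policy, matching CNIL deliberation 2017-012 as cited
in the decision: at least eight characters from at least three of the four classes
upper case, lower case, digit, special. Step-up control: a CAPTCHA is demanded after
ten failed login attempts, as the controller introduced during the procedure."""
import string

CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
MIN_LENGTH_OLD, MIN_LENGTH_NEW = 6, 8          # from the page
MIN_CLASSES_NEW = 3                            # three of the four classes
FAILED_ATTEMPTS_BEFORE_CAPTCHA = 10            # from the page


def character_classes(password):
    """Names of the character classes that occur at least once in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def old_policy_accepts(password):
    """Policy at the time of the investigation (assumed reading: >= 6 alphanumeric chars)."""
    return len(password) >= MIN_LENGTH_OLD and password.isalnum()


def new_policy_accepts(password):
    """Policy adopted during the procedure: >= 8 characters and >= 3 of the 4 classes."""
    return (len(password) >= MIN_LENGTH_NEW
            and len(character_classes(password)) >= MIN_CLASSES_NEW)


class LoginThrottle:
    """Per-user count of consecutive failed logins. Once the threshold is reached a
    CAPTCHA must be solved before another attempt is processed; success resets it."""

    def __init__(self):
        self._failures = {}

    def captcha_required(self, user):
        return self._failures.get(user, 0) >= FAILED_ATTEMPTS_BEFORE_CAPTCHA

    def record_attempt(self, user, success):
        """Record one login outcome and return whether a CAPTCHA is now required."""
        if success:
            self._failures.pop(user, None)
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
        return self.captcha_required(user)


if __name__ == "__main__":
    for candidate in ("abc123", "Abcdefg1", "abcdefgh1"):
        print(candidate, old_policy_accepts(candidate), new_policy_accepts(candidate))
```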
Failure to carry out a data protection impact assessment (Article 35 GDPR)
The controller previously considered that it was not necessary to carry out a DPIA. The DPA considered that the controller should have done so, looking at the large scale of personal data processed and the fact that the controller's service was also intended to be used by children aged fifteen, of which the controller was fully aware, according to the DPA.
Fine
The DPA imposed a fine of 800,000 euros on the controller. The amount of the fine was based on several factors, such as the efforts made by the controller throughout the procedure to become GDPR compliant.
Comment
The DPA also investigated breaches of Articles 12 and 21 GDPR, which the investigation service had identified. However, the DPA did not follow its investigation service in these instances and held that the controller did not violate these articles.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.