CE - N° 433311

From GDPRhub
CE - N° 433311
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 83 GDPR
Loi Informatique & Libertés
Code de justice administrative
Decided: 04.11.2020
Published:
Parties: SERGIC SAS
National Case Number/Name: N° 433311
European Case Law Identifier: ECLI:FR:CECHR:2020:433311.20201104
Appeal from: CNIL
[[{{{Appeal_From_Link}}}|CNIL - SAN-2019-005]]
Appeal to: Not appealed
Original Language(s): French
Original Source: Legifrance (in French)
Initial Contributor: Roka

The French highest administrative court confirmed a €400000 fine pronounced by the DPA against a real estate company for faulty website security (article 32 GDPR) and violation of the storage limitation principle (article 5(1)(e) GDPR).

English Summary[edit | edit source]

Facts[edit | edit source]

After a complaint in 2018, the CNIL conducted both online and on-site investigations of the company resulting in a €400,000 fine for lack of appropriate security which allowed the public display of personal information on the web and for violation of Article 5 GDPR due to a conservation of personal data after the goal of the processing had been achieved.

The company appealed the sanction to the Conseil d'Etat, making several arguments against it.

First of all, the company argued that the CNIL investigating delegation was not allowed to download files made available online due to a faulty security.

Secondly, the company pleaded that the CNIL should have given a formal notice to comply with the Law prior to imposing a penalty, giving the company a chance to rectify its wrongdoings.

Thirdly, the company argued that the decision did not sufficiently motivated in what way the company violated the storage limitation principle.

Lastly, the company said that the €400000 fine was disproportionate.

Dispute[edit | edit source]

Is the french DPA allowed to download files made available on the web due to a faulty security in order to conduct online investigations ?

Can the french DPA impose a fine without giving first a formal notice to rectify the deficiencies identified to the company ?

Did the CNIL sufficiently motivate its decision regarding storage limitation ?

Is the €400000 fine disproportionate ?

Holding[edit | edit source]

The Conseil d'Etat confirmed the CNIL's sanction on all counts.

It stated that section 19 of the Law Informatique & Libertés allowed the DPA to conduct online investigations and to download any document made publicly available, even by mistake or due to a faulty security.

The Conseil d'Etat also stated that the CNIL could impose a sanction without giving prior formal notice to the company.

Thirdly, the Conseil d'Etat decided that the CNIL was right in concluding that the company violated the storage limitation principle by not having an intermediary storage system and a data deletion system in place.

Finally, the Conseil d'Etat noted that the security weaknesses of the website could have been prevented by implementing simple measures, that the data exposed was information related to private life and that the data was kept for a longer time than necessary. It thus concluded that the fine was proportionate to the gravity of the wrongdoings of the company, adding that it represented less than 1% of the company's turnover and 4% of the maximum fine the CNIL could have imposed.

Comment[edit | edit source]

This Decision is an appeal confirming the sanction CNIL - SAN-2019-005.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Council of State, 10th - 9th chambers combined, 04/11/2020, 433311

Having regard to the following procedure :

By a summary application, an additional brief and two reply briefs, registered on 5 August 2019, 5 November 2019, 5 August 2020 and 3 September 2020 at the Secretariat for Litigation of the Council of State, the company SERGIC (Société d'Etude et de Réalisation de Gestion Immobilière de Construction) applied to the Council of State:

1°) to annul deliberation no. SAN-2019-005 of 28 May 2019 by which the restricted section of the National Commission for Information Technology and Civil Liberties (CNIL) imposed a financial penalty of 400,000 euros and ordered the publication of its deliberation for a period of two years, before anonymisation;

2°) to enjoin the CNIL to publish the forthcoming decision of the Council of State in the same form as the contested deliberation;

3°) to charge the CNIL with the sum of 5,000 euros pursuant to Article L. 761-1 of the Code of Administrative Justice.

Having regard to the other documents in the case;

Having regard to :
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- Law No. 78-17 of 6 January 1978;
- the code of administrative justice ;

Having heard in public session :

- the report of Mrs Isabelle Lemesle, State Councillor,

- the conclusions of Mr Alexandre Lallet, public rapporteur ;

The floor having been given, before and after the conclusions, to SCP Baraduc, Duhamel, Rameix, lawyer of the Sergic Company;

Considering the following:

1. It results from the instruction that the National Commission for Data Processing and Liberties (CNIL), following a report stating the existence of a security flaw allowing unauthorised third parties to access the personal data of applicants for the rental of a property having downloaded documents from the site www.sergic. com, on 7 September 2018, carried out an online control mission on the processing implemented by SERGIC, a company specialising in the study and implementation of real estate management in the construction industry, during which a breach of the provisions of the law of 6 January 2018 relating to information technology was noted, files and freedoms and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, GDPR, of which the company was informed on the same day. During an on-site inspection carried out on 13 September 2018, the CNIL delegation noted that this security flaw had not been remedied. The Chairman of the CNIL then initiated sanction proceedings against SERGIC. By decision no. 2019-995 of 28 May 2019, the restricted formation of the CNIL imposed a fine of 400,000 euros on SERGIC and decided to make this sanction public for a period of two years from the date of its publication before it was made anonymous.

2. Firstly, article 44 of the law of 6 January 1978 relating to information technology, files and liberties, in the wording applicable to the dispute, which became article 19 of the same law, provides that: "I. - The members of the Commission nationale de l'informatique et des libertés and the agents of its departments empowered (... )/ Apart from on-the-spot checks and upon convocation, they may make any useful findings; in particular, they may, from an online public communication service, consult data that are freely accessible or made accessible, including by imprudence, negligence or the actions of a third party, if necessary by accessing and remaining in automated data processing systems for the time necessary to make their findings; they may transcribe the data by any appropriate processing into documents that can be directly used for the purposes of the check (...)". It follows from these provisions that in order to retranscribe data from an online public communication service, the members of the CNIL and its authorised agents, in the context of their inspection missions, may download files made accessible by a security flaw. As a result, the CNIL's restricted panel rightly rejected SERGIC's request to have the findings made online by CNIL agents on 7 September 2018 declared null and void.

3. In the second place, under the terms of Article 45 of the Law of 6 January 1978, in its wording applicable to the dispute, which became Article 20 of the same Law: "I. - The President of the National Commission for Data Processing and Liberties may warn a data controller or its processor of the fact that the envisaged processing operations are likely to violate the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 mentioned above or of the present law./ II. - Where the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or this Law, the President of the National Commission for Data Processing and Liberties may, if the breach is likely to be remedied, issue a formal notice to the data controller or its processor, within the time limit he sets: (...)./ III. - Where the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or this Act, the President of the National Commission for Data Processing and Liberties may also, (...)./ III. ) if necessary in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to the pronouncement, after an adversarial procedure, of one or more of the following measures:/ (...) 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of an undertaking, 2% of the total annual worldwide turnover of the previous financial year, whichever is the higher. In the cases referred to in Article 83(5) and (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, these ceilings are increased to 20 million euros and 4% of said revenues, respectively. In determining the amount of the fine, the restricted formation shall take into account the criteria specified in the same Article 83 (...)". It clearly results from these provisions that the pronouncement of a sanction by the restricted formation of the CNIL is not subordinated to the prior intervention of a formal notice from the person in charge of the treatment or its subcontractor by the president of the CNIL. It follows that the plea alleging that the president of the CNIL has disregarded the provisions of article 45, paragraph III of the law of January 6, 1978 by seizing the restricted formation without sending the requesting company a prior formal notice can only be dismissed.

4. Thirdly, under the terms of Article 5 of the GDPR: "1. Personal data must be : (... )/ e) kept in a form which permits identification of the persons concerned for no longer than is necessary for the purposes for which they are processed; personal data may be kept for longer periods insofar as they will be processed exclusively for archival purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organisational measures required by this Regulation are implemented in order to safeguard the rights and freedoms of the data subject (limitation of storage) (. ..) ". It results from the instruction, on the one hand, that the purpose for which the personal data of applicants for rental are kept and processed by the company SERGIC is the follow-up of applications to rent a property and, on the other hand, that the control missions of the CNIL revealed that the documents transmitted by persons wishing to rent a property were kept, without intermediate archiving, to take into account the six-year statute of limitations of discrimination actions. Therefore, by considering that the duration of data retention exceeded in significant proportions that necessary to achieve the purpose of the processing, without any intermediate archiving solution, which would have made it possible to retain the data necessary for the management of a possible dispute, has not been established, the restricted formation of the CNIL has not disregarded the provisions of e) of 1° of Article 5 of the GDPR, nor tainted its deliberation of manifest error of assessment or insufficient motivation.

5. Finally, under Article 83 of the GDPR: "1. each enforcement authority shall ensure that administrative fines imposed under this Article for violations of these Regulations referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive. / 2. (... ) In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of the following elements : a) the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them; b) whether the breach was committed deliberately or through negligence; c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32; (e) any relevant previous breach by the controller or processor; (f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating its possible negative effects; (g) the categories of personal data concerned by the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor notified the breach; (...) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating its possible negative effects; (...) the categories of personal data concerned by the breach ..)/3. If a controller or processor intentionally or negligently infringes several provisions of this Regulation, in the course of the same or related processing operations, the total amount of the administrative fine may not exceed the amount set for the most serious infringement. /(...) 5. Violations of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher:/ a) the basic principles of a processing operation, including the conditions applicable to consent under Articles 5, 6, 7 and 9 (...)".

6. It results from the instruction that the breaches noted by the restricted training of the CNIL consisted on the one hand, a defect of security of the site www.sergic. com allowing, as it was said in point 1, to unauthorized third parties to access, by means of a simple modification of URL links, to several hundreds of thousands of documents downloaded by several tens of thousands of applicants for housing rental, such as pay slips, tax notices, proofs of identity or marriage or divorce certificates, which contain personal data which, without necessarily being sensitive data within the meaning of the GDR, concern the private life of individuals, and on the other hand, by retaining such data for a period of time excessive in relation to the purpose for which they are processed. Having regard to the nature and seriousness of the breaches observed, which could have been prevented by simple security measures, such as the authentication of users of the processing, as well as by archiving measures, to the means available to the company to remedy them and the length of time with which it took the necessary corrective measures, the restricted formation of the CNIL did not inflict a disproportionate sanction on the company SERGIC by pronouncing against it a pecuniary sanction in the amount of 400,000 euros, representing less than 1% of its turnover for the year 2017 and 4% of the ceiling of the sanctions, accompanied, to ensure its dissuasive character and to inform the users of the processing concerned of the risks they have been confronted with, by an additional sanction consisting of its publication for a period of two years before its anonymization.

7. It results from all the above that the company SERGIC is not entitled to request the cancellation of the deliberation it is attacking. Its request must be rejected, including its conclusions tending to the application of Article L. 761-1 of the Code of Administrative Justice.

D E C I D E S :
--------------

Article 1: The request of the company of study and realization of real estate management of construction is rejected.

Article 2: The present decision will be notified to the company of study and realization of real estate management of construction and to the National Commission of Data processing and Liberties.

ECLI:FR:CECHR:2020:433311.20201104