CNIL (France) - SAN-2022-022

From GDPRhub
CNIL - Délibération SAN-2022-022
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Article 17(1)(a) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.11.2022
Published: 08.12.2022
Fine: 300,000
Parties: Free
National Case Number/Name: Délibération SAN-2022-022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined a telecommunications provider €300,000 for several GDPR violations. Among other things, the DPA rejected that the controller's sources of personal data were deemed "business secrets" and held that the controller failed to adequately respond to access and erasure requests.

English Summary[edit | edit source]

Facts[edit | edit source]

Between October 2018 and November 2019, the DPA received 41 complaints regarding FREE, a French communications provider (controller), after which the DPA started an investigation based on 10 of these complaints. Some of these complaints concerned access requests for information regarding the data broker from which the controller got personal data. The controller did not respond to these requests in time or provided incomplete answers. According to the controller, the requests were not answered in time due to human error. However, specifically with regard to information regarding the source of the data, the controller stated that it was not obliged to reveal information that was deemed a 'business secret' according to recital 63 and Article 15(4) GDPR (in this case, the identity of the data broker who supplied the data). The controller also stated that it had recently changed its internal procedure, and now asked its data brokers to also provide the identity of the primary source of the data collection, which the controller could then provide to the data subjects.

The data subjects also requested the deletion of their e-mail accounts. However, the DPA confirmed that data subject’s personal data was still present in the controller’s database after they had submitted their erasure requests. Also, these e-mail accounts still had the status of ‘active’ and data subjects were still able to access their e-mails.

On 8 February 2019, the controller also notified the DPA of a personal data breach. The controller had distributed 4.137 refurbished hardware boxes, called FREE-boxes, to new subscribers. The main use of this FREE-box was to store television programmes, but could also be used to store personal photos and personal video’s. The DPA found that these boxes still contained the personal data of subscribers who had used this hardware previously. The controller did not wipe the data from the device. The controller had accidentally deleted a procedure from its security measures, intended to erase the data stored on the boxes before redistribution. Three years after the breach was reported, 322 boxes were still used by subscribers, without the controller knowing if these boxes contained data of previous subscribers. These boxes were only remotely deactivated by the controller on July 2022, also more than three years after the breach.

Holding[edit | edit source]

The DPA determined that the controller violated the following GDPR provisions.

Failure to respect the right of access (Articles 12 and 15 GDPR)

The DPA determined that the controller violated Articles 12 and 15 GDPR, after the DPA confirmed that the controller did not respond to the data subject’s access requests within one month or had provided incomplete answers regarding the source of personal data. The DPA also stated that the controller’s argument for not disclosing the source of the data because of 'business secrecy' was not valid. The DPA specified that the data subject’s requests were requests for information according to Article 15(1) GDPR. The ‘Business secrecy’ exception only applied to Article 15(4) GDPR, where a data subject would request a copy of their data, which was not the case here.

The DPA continued that any processing had to comply with Article 5(1)(a) GDPR, and that personal data had to be processed in a transparent manner. The DPA stated that the data subject’s right of access constituted a fundamental guarantee for the transparency of data processing methods by the controller. When the data subject filed an access request, the controller had to communicate the specific source of the data. The controller was only exempt from this obligation when the controller did not have this information. The fact that the controller had not provided the identity of the data broker despite possessing this information, prevented the data subject to verify the lawfulness of the processing carried out. The right of access regarding the primary source of the data was therefore limited by the controller.

Failure to respect the right to erasure

The DPA also determined that the controller violated Articles 12 and 17 GDPR. The DPA stated that the erasure requests of the data subjects were clear. The data subjects had also used a dedicated form provided by the controller. However, the personal data of the data subjects was still in the controller’s database after the erasure requests. Also, the controller only answered the erasure requests after approximately three years, which was in violation of Article 12(3) GDPR. The DPA also determined a violation of Article 17(1)(a) GDPR, because data subject's e-mail accounts were still active and the e-mails were still accessible several years after the requests were submitted.

Failure to ensure the security of personal data (Article 32 GDPR)

The DPA held that the controller violated Article 32 GDPR because of several reasons.

Password requirements: When a new user account was created on the controller’s website, the controller generated a random password of eight characters which could only contain one type of character. This generated password was not strong enough according to the DPA. The DPA determined that use of a short or simple password without imposing specific categories of characters and without additional security measures, such as blocking measures, may lead to successful attacks by unauthorised third parties.

Storing passwords in clear text: All generated passwords were stored in plain text in the controller’s subscriber database until 23 January 2020. The DPA stated that this allowed any person with access to the controller's customer database to collect the passwords of each subscriber, who could then access the user accounts of these data subjects.

Transmitting passwords in clear text: Besides that, the passwords were sent by the controller by e-mail or postal mail, in clear text, to the data subjects who created their account on the website. These passwords were of a permanent nature and without a requirement from the controller that these passwords had to be changed later. The DPA stated that this transmission could allow third parties intercepting transmissions to get unauthorized access to user account, as long as these passwords did not have a limited duration and were not required to be changed when first used.

FREE-boxes of former customers: The controller also put FREE-boxes in circulation which contained data of previous subscribers. The DPA stated that technical and organisational measures implemented were also not sufficient here, since the controller had no 'alert procedure' to monitor the actual completion of test sequences before the distribution of the boxes to new subscribers. The lack of such a procedure could also allow unauthorised third parties, the new subscribers, to access personal data of former subscribers. These boxes were also only remotely deactivated by the controller three years after the breach was reported.

Failure to comply with the obligation to document a personal data breach (Article 33 GPDR)

The DPA also determined a violation of Article 33 GDPR. The documentation provided by the controller did not allow the DPA to assess of all the measures taken by the controller to resolve the data breach caused by the redistribution of the FREE-boxes.

Fine

After considering several factors, the DPA fined the controller €300,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Deliberation of the restricted formation n°SAN-2022-022 of 30 November 2022 concerning the company FREE

The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Mr Alexandre LINDEN, chairman, Ms Christine MAUGÜÉ, Mr Alain DRU and Mr Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data (RGPD);

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to the French Post and Electronic Communications Code;

Having regard to law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms, in particular articles 20 and following;

Having regard to Decree No. 2019-536 of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal rules of procedure of the Commission nationale de l'informatique et des libertés;

Having regard to Decision No. 2019-188C of 26 September 2019 of the President of the Commission nationale de l'informatique et des libertés to instruct the Secretary General to carry out or have carried out a verification mission of the processing implemented by the companies FREE and FREE MOBILE or on their behalf;

Having regard to the decision of the President of the Commission nationale de l'informatique et des libertés appointing a rapporteur before the restricted formation, dated 17 December 2020;

Having regard to the report of Mr. François PELLEGRINI, rapporteur commissioner, notified to the company FREE on 21 April 2022;

Having regard to the written observations submitted by Free on 2 June 2022;

Having regard to the rapporteur's response to these observations, notified to Free on 13 July 2022;

Having regard to the new written observations submitted by FREE on 26 August 2022, as well as the oral observations made during the meeting of the restricted formation;

Having regard to the other documents in the file;

Having regard to the other documents in the file; The following were present at the meeting of the restricted formation on 29 September 2022:

- Mr François PELLEGRINI, commissioner, heard in his report;

In the capacity of representatives of the company FREE :

- [...] ;

- [...] ;

- [...] ;

- [...] ;

- [...] ;

- [...] ;

- [...] ;

- [...].

As representatives of the company [...], joined by videoconference :

- [...] ;

- [...].

FREE having spoken last ;

The restricted formation adopted the following decision:

I. Facts and procedure

1. FREE (hereinafter "the company"), whose registered office is located at 8 rue de la Ville-L'Evêque in Paris (75008), is a subsidiary of the ILIAD group, which is a fixed telecommunications operator. Created in 1999, the company has approximately 179 employees.

2. For the year 2020, the company had a turnover of approximately EUR [...], for a net result of approximately EUR [...]. In 2021, the company had approximately [...] subscribers, [...].

3. Between October 2018 and November 2019, the Commission nationale de l'informatique et des libertés (hereinafter "the CNIL" or "the Commission") received 41 complaints against the company. Of these complaints, 10 were examined in the context of the present sanction procedure. The complainants reported difficulties in exercising their rights of access or deletion. Some of these complaints also concerned the security of the personal data of the company's customers.

4. On 8 February 2019, the company submitted a notification of a personal data breach to the CNIL, followed on 22 February 2019 by a supplementary notification. These notifications indicated that approximately 4,100 Freeboxes had been put back into circulation without being reconditioned, i.e. without the previous subscriber's data being erased from the Freebox's hard drive.

5. Two on-site inspections, at the premises of Free and then Free Mobile, were carried out on January 21 and 22, 2020.

6. The minutes No. 2019-188/1 and No. 2019-188/2, drawn up by the delegation on the day of the inspections, were notified to the company on 23 January 2020. On that occasion, requests for additional information and documents were sent to the company. The Iliad Group's legal department responded by emails dated 3 and 10 February 2020.

7. A document check was also carried out at Free and Free Mobile on 3 June 2020. The Iliad Group's legal department responded by email dated June 29, 2020.

8. For the purpose of investigating these elements, the President of the Commission appointed Mr. François PELLEGRINI as rapporteur on December 17, 2020, on the basis of Article 22 of the amended Act of January 6, 1978.

9. Finally, a request for additional information was sent to the company by letter dated 16 March 2022. The Iliad Group's legal department responded by letter dated March 31, 2022.

10. On 21 April 2022, the rapporteur sent the company a report detailing the breaches of the GDPR that he considered to have occurred in this case.

11. This report proposed that the restricted panel impose an administrative fine and an injunction to bring the processing into compliance with the provisions of Article L.34-5 of the French Post and Electronic Telecommunications Code (CPCE) and Articles 7-1, 15, 17, 32 and 33 of the RGPD, together with a penalty payment for each day of delay at the end of a period of three months following notification of the restricted panel's decision. It also proposed that the decision be made public, but that it should no longer be possible to identify the company by name after two years from its publication.

12. On 2 June 2022, the company submitted its observations in response to the sanction report.

13. On 13 July 2022, the rapporteur sent his reply to the company's observations.

14. On 26 August 2022, the company submitted further observations in response to the rapporteur's comments.

15. On 5 September 2022, the rapporteur informed the company and the chairman of the restricted formation of the closure of the investigation. On the same day, the chairman of the panel sent a notice to attend the meeting of the panel on 29 September 2022.

16. On 14 September 2022, the company produced a certificate from its service provider, the company [...], relating to the supply of telephone numbers and e-mail addresses for a commercial prospecting campaign for the period from 2 to 6 December 2019.

17. 17. On 21 September 2022, the chairman of the panel notified the company that the hearing would be postponed until Monday 26 September 2022 and asked it to notify the company [...] so that one of its representatives could attend the panel's meeting.

18. 18. FREE and the rapporteur presented oral observations at the meeting of the restricted formation.

19. Mr [...] and Mr [...], whose hearing was deemed useful, were heard pursuant to Article 42 of Decree no. 2019-536 of 29 May 2019.

II. Reasons for the decision

A. On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail and SMS

20. According to Article L.34-5 of the CPCE :

"Direct prospecting by means of an automated electronic communications system [...], a fax machine or electronic mail using the contact details of a natural person [...] who has not previously expressed his or her consent to receive direct prospecting by this means is prohibited. For the purposes of this Article, consent shall mean any free, specific and informed expression of will by which a person agrees that personal data concerning him or her may be used for direct marketing purposes. [...] ".

21. According to Article 4(11) of the GDPR:

"For the purposes of this Regulation, [...] "consent" of the data subject means any freely given, specific, informed and unambiguous indication of his wishes by which the data subject signifies his agreement, by a declaration or by a clear positive act, to personal data relating to him being processed."

22. According to Article 7(1) of the GDPR:

"In cases where processing is based on consent, the controller shall be able to demonstrate that the data subject has given his consent to the processing of personal data relating to him".

23. The rapporteur to propose to the restricted formation to consider that the company has failed to fulfil its obligations resulting from Articles L. 34-5 of the CPCE and 7(1) of the RGPD, as clarified by the provisions of Article 4(11) of the RGPD, is based on the fact that FREE, which carries out commercial prospecting operations by electronic means via a database of personal data collected by its service provider, the company [......], is not able to provide proof of unambiguous, specific, free and informed consent from prospective customers before they were canvassed during a commercial prospecting campaign by electronic means (email and SMS) in December 2019. In order to consider the breach as constituted, the rapporteur relied on the elements gathered during the on-site inspection operations (Official Statements No. 2019-188/1 and No. 2019-188/2) as well as on additional documents transmitted at the end of these verifications, in particular a document indicating that the company had "obtained in December 2019 from this partner files of prospective customers in order to carry out a commercial canvassing campaign by SMS and email" and that "this single campaign [?] was only carried out in December 2019 and was not continued in 2020".

24. In its defence, the company submits that it 'did indeed consider carrying out a canvassing campaign by SMS and email to non-subscribers and signed an estimate with its partner [...] [the company [...]] for this purpose'. However, it indicated that it had expressed itself incorrectly in the document submitted as an exhibit and that it could not be held responsible for any breach because this campaign 'was cancelled before it was even launched'. It added that one of the reasons why the campaign was not carried out was "that it was originally intended to promote Free's fibre-optic services. Because of a shortage, between October 2019 and January 2020, of the user equipment needed for the installation of optical fibre [...], Free ultimately did not wish to promote services for which it could not ensure delivery. At the meeting of the restricted panel, the company reiterated these points.

25. 25. The restricted formation notes that the document on which the rapporteur relies contains erroneous elements and that the company has provided convincing explanations on the circumstances in which the error occurred.

26. In these circumstances, the restricted formation considers that it is not established that the electronic commercial prospecting campaign referred to was carried out and that the elements of the debate do not allow the conclusion to be drawn that there was a breach of the obligations resulting from Article L. 34-5 of the CPCE and Article 7-1 of the GDPR.

B. On the breaches relating to the exercise of rights

27. According to Article 12 of the GDPR:

" 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as any communication under Articles 15 to 22 and Article 34 in relation to the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, in clear and simple language, in particular for any information specifically intended for a child [...].

2. [...].

3. The controller shall provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. The controller shall inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request. Where the data subject submits his or her request in electronic form, the information shall be provided electronically where possible, unless the data subject requests otherwise.

4. If the controller does not comply with the request made by the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and of seeking judicial remedy. [...] ".

28. According to Article 15 of the GDPR:

" 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, where such data are being processed, access to such personal data and the following information:

[...]

(g) where the personal data are not obtained from the data subject, any available information as to their source.

[...]

3. The controller shall provide a copy of the personal data being processed. [...].

4. The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others. "

29. According to Article 17 of the GDPR:

" 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her as soon as possible and the controller shall have an obligation to erase such personal data as soon as possible, where one of the following grounds applies:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; [...]. "

1. On the breach of the obligation to respect the right of access

30. 30. The rapporteur, in proposing that the restricted panel consider that the company has failed to comply with its obligations under Article 15 of the GDPR with regard to the right of access, bases himself on five referrals to the CNIL, from Messrs [...] (complaint no. 19009149), [...] (complaint no. 19005208), [...] (complaint no. 19014037), [...] (complaint no. 19015831) and [...] (complaint no. 19016618). In these complaints, individuals reported difficulties in exercising this right, even though their requests had been received.

31. The rapporteur points out that these five referrals concern, inter alia, access to personal data and, of these five, four referrals specifically concern obtaining information on the source of their data.

32. 32. The rapporteur notes that it appears from the findings of the inspection procedure or from the information subsequently provided that the company did not respond within the prescribed time limits to the above-mentioned requests from the complainants to exercise their rights of access or that it gave them an incomplete reply as to the source of their data.

33. 33. In its defence, the company argued that, as regards the lack of a timely response, the procedures implemented had not been respected due to isolated human errors. It also argues that the small number of complaints noted in the report (2) should be compared with the number of requests it handles per year (approximately 600). Finally, the company indicates that these complaints predate the implementation of a new ticketing tool that it has been using since June 2019, which has made it possible to improve the procedure for handling requests to exercise rights. It therefore considers that these one-off malfunctions have now been resolved.

34. With regard to the requests for information on the source of the data, the company considers that, in accordance with the provisions of recital 63 of the GDPR and Article 15(4) of the GDPR, it is not obliged to respond to them if it would be obliged to reveal information that is a matter of business secrecy (the identity of the data broker who supplied the data). It maintains that in reality, the information sought by the applicants is the identity of the primary source of the applicant's data collection. It states that it has changed its procedures in the course of the sanction procedure, since it now asks its data brokers to provide it with the identity of the primary source of this collection, which the company in turn provides to the applicants.

35. 35. With regard to the lack of a response within the time limits, the restricted formation notes that it follows from Article 12 of the RGPD that when a request for the exercise of a right is addressed to him, the controller must provide the data subject with information on the measures taken to respond to his request as soon as possible and in any case within one month. The restricted formation also recalls that when the controller no longer holds all or part of the data on the person exercising his right of access (for example, the data have been deleted or the organisation has no data on the person), it must nevertheless reply to the applicant within a maximum period of one month.

36. As regards the information to be provided on the source of the data under Article 15 of the RGPD, the restricted formation notes firstly that it is clear from the aforementioned articles that the limitation of the right of access by "the rights and freedoms of others", which include business secrecy, applies only to Article 15-4 of the RGPD, relating to persons requesting a copy of their data, and not to Article 15-1 of the RGPD, relating to persons requesting information from a controller who is processing their data. In this case, the panel noted that the complainants were not asking the company to obtain a copy of their data or to give them access to their data, but only to provide them with information about the source of their data. The restricted panel therefore considers that Article 15-4 of the GDPR is inapplicable. In any event, it considers that Article 15-1 of the GDPR could only be limited under the conditions provided for in Article 23 of the GDPR, which is not the case here.

37. 37. Next, the restricted formation notes that any processing of personal data must comply with the principles set out in Article 5(1)(a) of the RGPD, which provides that personal data must be processed in a transparent manner with regard to the data subject. It points out that the transparency guidelines of the Article 29 Working Party, now the European Data Protection Committee, state that "the source from which personal data originate" is to be understood as "the specific source of the data or, failing that, the nature of the sources (i.e. public and private sources) and the types of bodies, companies and sectors". The restricted formation considers that the data subject's right of access constitutes a fundamental guarantee of the transparency of the data processing methods. It deduced that the controller must in principle communicate "the specific source" of the data and that the restriction of the right of access to indications of the "nature of the sources, types of bodies, undertakings and sectors" can only occur when the controller does not hold this information, as the identification of the specific source of the data subject's personal data is impossible.

38. The restricted formation also notes that the purpose of the right of access - Article 15 of the GDPR being clarified by Recital 63 - is to enable the data subject to become aware of the processing of his or her data and to verify its lawfulness. The exercise of this right therefore presupposes that the information provided is as accurate as possible.

39. The restricted formation considers that the refusal to communicate the identity of the data broker from whom the data subject's data were obtained, although the company has this information, and to limit the right of access to the "primary source" of the collection (i.e. the first actor in the chain to have collected the data subject's personal data), which, moreover, was not provided in the present case at the time of the check, amounts to preventing the data subject from being able to verify the lawfulness of the processing carried out by the controller and, in particular, the lawfulness of the data transmissions already made. The restricted formation therefore considers that the right to have the identity of the source of the data is necessary to enable the data subject to give his consent and to exercise the rights conferred on him by the GDPR, in particular the right to object, depending on the type of commercial prospecting carried out by the controller who obtained the data from brokers.

40. The restricted formation considers that a breach of the obligations of Articles 12 and 15 of the RGPD is constituted for all the above-mentioned complaints when the company did not process the access requests addressed to it within the time limit set, thus leaving the individuals in the dark about the data processed by the company concerning them, or when it provided them with an incomplete response regarding the source of their data. Furthermore, the restricted panel considered that the company had not provided, at the date of the end of the investigation, any evidence of compliance specifically with regard to the point concerning the source of the data.

2. On the failure to respect the right to erasure

41. 41. The rapporteur, in proposing that the restricted panel consider that the company has failed to comply with its obligations under Article 17 of the GDPR, relies on two referrals to the CNIL, from Messrs [...] (complaint no. 19009870) and [...] (complaint no. 19012463), in which the complainants mentioned their difficulties in exercising their right to erasure.

42. The rapporteur states that the parties concerned requested the deletion of their "Free.fr" e-mail account by sending, on February 10 and 3, 2019 respectively, a form dedicated to the "deletion of a main Free access account" on which it is specified that "the actual deletion of the accounts requires a period of 48 hours after receipt of the letter".

43. 43. The rapporteur notes that it is clear from the findings of the inspection procedure and the information subsequently provided that the complainants did not receive a response to their requests for deletion made by registered letter and that the measures to satisfy their requests for deletion were not implemented, since the "SIEBEL" customer database contained various personal data specific to the complainants, such as their connection identifier, surname, first name and postal address. In addition, the status of the complainants' "free.fr" e-mail account was indicated as "active".

44. In its defence, the company argued that requests for "deletion of a 'free access' account are not requests for deletion within the meaning of the GDPR and are not subject to any legal time limit [...]" but are "similar to a request for termination of a contract". The company concludes that "it would be totally disproportionate to consider that [these requests] fall within the scope of Article 17 of the RGPD and the time limits set by Article 12.3 of the RGPD". The company specifies that it is only required to "respect the principle of limiting the retention of the data concerned, without this requiring the immediate deletion of all the data concerned". In this sense, it indicates that it has a "legal obligation to keep data associated with e-mail accounts for a period of 1 year", in accordance with Article L. 34-1 of the CPCE.

45. On this point, the restricted panel first considers that the complainants' requests are clear, in that each of them was a request for the general deletion of an e-mail account, addressed to the company by the dedicated form implemented by it. This request necessarily implied a request for the deletion of personal data related to the use of the account. The company cannot therefore rely on the fact that this deletion request was not clear and processed as a deletion request within the meaning of the GDPR.

46. Secondly, the restricted formation considers that it follows from Article 12.3 of the GDPR that the controller must provide applicants with information on the measures taken following a request made pursuant to Article 17 of the GDPR within a maximum period of one month, which may be extended for a reasonable period in certain cases. However, it noted that the company did not respond to the complainants until 23 May 2022, i.e. approximately three years after Mr [...] and Mr [...] had exercised their rights. This delay in responding violates Article 12.3 of the GDPR.

47. 47. Finally, the restricted formation considers that although the request for deletion of an e-mail account does not necessarily imply the deletion of all the data relating to that account (some data may be kept with an intermediate archive status), a breach of Article 17(1)(a) of the RGPD is in any event characterised in the present case since the status of the account was active and the e-mail was still accessible to the data subjects several years after they made their requests.

48. The restricted formation considers that a breach of the obligations arising from Articles 12 and 17 of the GDPR is constituted since it was incumbent on the company to process the request for deletion of the complainants' personal data within the time limits set.

49. The Commission notes that, in the context of the present procedure, the company has demonstrated that it has taken measures to comply with the obligations arising from Article 17 of the GDPR.

C. On the breach of the obligation to ensure the security of personal data

50. According to Article 32(1) of the GDPR:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, varying in likelihood and severity, to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as necessary:

a) [...] ;

(b) means to ensure the continuing confidentiality, integrity, availability and resilience of processing systems and services;

c) [...] ;

(d) a procedure to regularly test, analyse and evaluate the effectiveness of the technical and organisational measures to ensure the security of processing. "

1. On passwords for access to customer accounts

51. 51. The rapporteur, in proposing that the restricted formation consider that the company failed to comply with its obligations under Article 32 of the RGPD, bases himself firstly on the fact that the password generated randomly by the company when a user account is created on the company's website, during a recovery procedure or when the password is renewed, is eight characters long and may only contain one type of character. Secondly, the rapporteur notes that all the passwords generated when a user account was created on the company's website were stored in the clear in the company's subscriber database until 23 January 2020. Finally, the rapporteur notes that the delegation was informed that the password that is generated when a user account is created on the company's website is sent by e-mail or post to the user and is indicated in clear text in the body of the message. Similarly, the rapporteur notes that three referrals from Messrs [...] (complaint no. 19018181), [...] (complaint no. 18023964) and [...] (complaint no. 19013170) show that the password associated with the 'free.fr' e-mail account is sent to the user by e-mail or post and indicated in plain text in the body of the message.

52. In its defence, the company argues that, as a data controller, it is free to choose the security measures to be put in place. In this regard, it argued that the recommendations of the CNIL or the Agence nationale de la sécurité des systèmes d'information (ANSSI) cited in the report were not mandatory. Consequently, the company considers that no breach can be retained in the absence of a "data breach that affected access to the subscriber's area".

53. The company then argues that, at the time of the inspection, subscribers were encouraged to change their password on their subscriber area. The company also stated that the initial password it had assigned was very strong and that the subscriber area only allowed access to "basic" information and not to sensitive information. Finally, the company announced that it has taken several steps to comply with the obligations arising from Article 32 of the RGPD with regard to password security by strengthening the robustness of passwords generated or created by the company and by making it compulsory to renew passwords when recovering them or when logging in for the first time. The company also indicated that it had stopped storing passwords in clear text in the database and that it had stopped communicating passwords in clear text (in particular, by stopping the transmission of new subscribers' passwords in clear text by e-mail, and by requiring new subscribers to create their own passwords), which must comply with the CNIL's recommendations on the subject, and the elimination of paper forms that must be filled out and sent by post to obtain the deletion of a "Free Access" account in which the communication of the password in clear text was required beforehand).

54. The restricted formation considers that in this case, the authentication procedure and the methods of storing and transmitting passwords implemented by the company are not adapted to the risk that the data subject would be exposed to if a third party were to capture their identifier and password.

55. It follows from the provisions of Article 32 of the GDPR that the controller is required to ensure that the automated data processing that it implements is sufficiently secure. The adequacy of the security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it entails, and on the other hand, taking into account the state of knowledge and the cost of the measures. The implementation of a robust authentication policy is a basic security measure which generally contributes to compliance with the obligations of Article 32 of the RGPD. Despite the non-mandatory nature of Deliberation No. 2017-012 of 19 January 2017, the purpose of which is to provide recommendations on passwords, the CNIL guide on the security of personal data and the ANSSI technical note on passwords cited in the report, they set out basic security precautions corresponding to the state of the art and thus provide relevant information for assessing the sufficiency of the measures put in place by a data controller

56. In this case, with regard to the authentication procedure, the restricted formation considers that the use of a short or simple password without imposing specific categories of characters and without additional security measures may lead to attacks by unauthorised third parties such as "brute force" or "dictionary" attacks, which consist in successively and systematically testing numerous passwords and thus lead to a compromise of the associated accounts and the personal data they contain. Blocking measures are intended to limit these types of attacks.

57. The restricted formation notes that the Commission recommends in its Deliberation No. 2017-012 of 19 January 2017 - which is certainly not imperative but which provides relevant information on the measures that should be taken in terms of security - that, in order to meet the requirements of robustness of passwords and ensure a sufficient level of security where authentication is based, as in the present case, on a user ID and a password, without any additional security measure, the password must be at least 12 characters long and contain at least one upper case letter, one lower case letter, one number and one special character. Where the password is eight characters long, containing three of the four categories of characters (upper case letters, lower case letters, numbers and special characters), it must be accompanied by an additional security measure to ensure a sufficient level of security and confidentiality.

58. The restricted formation notes that the need for a strong password is also underlined by the ANSSI, which specifies that "a good password is above all a strong password, i.e. one that is difficult to find even with the help of automated tools. The strength of a password depends on its length and the number of possibilities for each character in it. A password made up of lower case letters, upper case letters, special characters and numbers is technically more difficult to discover than a password made up of lower case letters only.

59. Therefore, in the present case, the Panel considers that, in view of the volume and nature of the personal data that may be contained in the millions of subscriber accounts (in particular surname, first name, fixed line number, mobile phone number, e-mail address and invoices), the imposition by the latter of log-in passwords for customer accounts The imposition by the company of login passwords for the customers' accounts, consisting of only eight characters, which may be of a single character category, without any additional security measures, and the acceptance of their renewal in accordance with the same procedures, does not ensure the security of the personal data processed by the company, nor does it prevent unauthorised third parties from having access to the customers' personal data.

60. With regard to the procedure for storing passwords in clear text, the restricted panel notes that any person with access to FREE's customer database - whether it be information system administrators within the company or an attacker in the event of its compromise - could directly collect the clear text identifiers and passwords of each subscriber and thus access the information contained in their accounts, then possibly modify them, attempt to access other service accounts using these credentials (the same credentials and passwords are often used on several services) or resell them to other attackers.

61. With regard to the transmission of the password in clear text, the fact that these elements are transmitted in clear text via a simple e-mail or post makes them easily and immediately usable by a third party who would intercept them or have undue access to the user's e-mail, as long as these passwords are not time-limited or do not require modification when first used. This third party could then not only access all the personal data present in the Free user account of the person concerned (surname, first name, Freebox telephone number, postal address and e-mail address) but also download the invoices and the statement of consumption, proceed to the modification of the password, the e-mail address or the account options. In view of these potential consequences for the protection of personal data and the privacy of individuals, the restricted formation considers that the measures deployed to guarantee data security in this case are insufficient.

62. The restricted formation considers that breaches of the obligations arising from Article 32 of the RGPD are thus constituted because of the insufficient robustness of the passwords and their storage and transmission in clear text to the company's subscribers.

63. 63. The Commission notes that, in the context of the present procedure, the company has justified having taken measures to comply with the obligations arising from Article 32 of the RGPD.

2. On the repackaging of Freeboxes

64. 64. The rapporteur, in proposing that the restricted formation consider that the company has failed to fulfil its obligations under Article 32 of the GDPR, relies on the fact that 4,137 boxes "were put back into circulation without their reconditioning being perfect", due in particular to an error that led to the deletion of a procedure (also known as a "test sequence") intended to erase the data stored on the hard disks of these "Freebox" boxes.

65. 65. In its defence, the company argues that the security obligation provided for in Article 32 of the GDPR is an obligation of means, which only requires it to implement security measures appropriate to the risks of the processing it is carrying out. It considers that in this case, the measures implemented were sufficient, given that this incident was the result of two successive human errors, that there was an "anecdotal risk that the Freeboxes could be misused to store sensitive data" and that the fact that only one subscriber reported these facts meant that only one "effective access to the privacy of a former subscriber was made", which "reflects the limited likelihood of this risk materialising in practice". The company also considers that the "seriousness of this incident must be qualified given the nature of the data usually stored on Freeboxes" - which is mainly limited to the recording of TV programmes and marginally to the storage of personal photos or videos. Finally, the company reminds that following the campaign to recall the boxes concerned, it sent a replacement Freebox to the 322 subscribers who did not return their Freeboxes, and that in any case, these were deactivated in July 2022.

66. The restricted formation considers first of all that the technical and organisational measures implemented were not sufficient with regard to the risk of data breach in the present case, since no alert process was implemented to monitor the effective completion of the test sequences including the deletion of data. This failure made it possible for unauthorised third parties, in this case the new owners of the 4,137 incorrectly reconfigured "Freebox" boxes, to access the data of former subscribers that would have been stored on the hard drives of these boxes. This data could be photos, personal videos or recordings of television programmes by the user. The restricted panel also recalled that it was not the data breach that was at issue, but the inadequacy of the security measures that made it possible for such a breach to occur.

67. Next, on the limited likelihood of the risk being realised due to the receipt of a single alert by the company, the restricted formation notes that this alert is indicative of the inadequacy of the technical and organisational measures implemented, which led to the discovery of the incident.

68. In addition, with regard to the nature of the data stored in the Freeboxes, the limited panel notes that the main and common use of Freeboxes is the recording of television programmes by the user, but considers that this common use does not rule out the possibility that some of the poorly reconditioned Freeboxes may contain personal photos or videos, which are highly personal.

69. Finally, the restricted formation considers that the fact that a replacement Freebox was sent to the 322 subscribers who did not return their old boxes does not make it possible to rule out the risk that the latter may have had access to the data of former subscribers. Indeed, on 31 March 2022 - more than three years after the incident was reported - the company indicated that this risk had still not been eliminated, since "322 [boxes] are still being used by subscribers without us [the company] knowing whether the data recorded is that of the previous subscriber or the subscriber using it". Furthermore, only the deactivation of the 322 unreturned Freeboxes eliminated this risk, and this deactivation took place in July 2022, more than three years after the incident was reported.

70. The restricted panel considers that there has been a breach of the obligations arising from Article 32 of the GDPR due to the inadequacy of the technical and organisational measures taken in the process of reconditioning the Freeboxes to ensure the security of the personal data of the company's subscribers.

71. 71. The Commission notes that, in the context of the present procedure, the company has justified having taken measures to comply with the obligations arising from Article 32 of the GDPR.

D. On the failure to document any personal data breach

72. According to Article 33(5) of the GDPR:

"The controller shall document any personal data breach, indicating the facts concerning the personal data breach, its effects and the measures taken to remedy it. The documentation thus established shall enable the supervisory authority to verify compliance with this Article. "

73. 73. The rapporteur, in proposing that the panel consider that the company has failed to fulfil its obligations under Article 33 of the RGPD, argues that the data breach was not documented in accordance with the provisions of the aforementioned article.

74. In its defence, the company argues that Article 33 of the GDPR does not impose any formalism and that the documentation of a security incident does not have to be included in a data breach register. It considers that the documentation provided following the audit complies with the requirements of the aforementioned article and that it is not required to specify "the result of the measures taken", i.e., as requested by the rapporteur, "the number of Freeboxes recovered by Free after the incident and the date of their recovery".

75. The restricted panel notes that, at the end of the two-day on-site inspection, the company had not documented the data breach constituted by the return to circulation of 4,137 incorrectly repackaged boxes in a data breach register. The documentation subsequently provided in response to the inspection delegation's requests did not make it possible to determine whether all the Freeboxes that had not been repackaged had been repatriated and, if so, on what date. However, the restricted panel noted that the principle of responsibility laid down by the RGPD states that the data controller must sufficiently document its practices to be able to demonstrate its compliance. In this case, the restricted panel considers that the above-mentioned elements - namely whether all the Freebox boxes whose repackaging had not been effective had been repatriated and, if so, on what date - are part of the information that must be communicated in order to know the factual elements that make it possible to assess the effectiveness of the measure taken to deal with the breach.

76. The restricted panel considered that there was a failure to comply with the obligations arising from Article 33 of the RGPD since the documentation drawn up at the end of the two-day on-site inspection and subsequently in response to requests from the CNIL delegation did not make it possible to take note of all the measures taken to remedy the personal data breach and its effects.

77. The Commission notes that, in the context of the present procedure, the company has justified having taken measures to comply with the obligations arising from Article 33 of the GDPR.

III. On the corrective measures and their publicity

78. Under the terms of Article 20 III of the amended Act of 6 January 1978 :

"When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the president of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent it the warning provided for in I of this article or, where appropriate, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to pronouncing, after adversarial procedure, one or more of the following measures: (...) 7° With the exception of cases where the processing is implemented by the State, an administrative fine that may not exceed 10 million euros or, in the case of a company, 2% of the total annual worldwide turnover for the previous financial year, whichever is higher. In the cases referred to in Articles 5 and 6 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings shall be increased to EUR 20 million and 4% of the said turnover respectively. In determining the amount of the fine, the restricted formation shall take into account the criteria specified in the same Article 83."

79. According to Article 83 of the GDPR:

"1. Each supervisory authority shall ensure that administrative fines imposed under this Article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive. "The Commission shall adopt a proposal for a Directive on the imposition of administrative fines in accordance with Article 6(2) of the Treaty, before specifying the factors to be taken into account in deciding whether to impose an administrative fine and the amount of that fine.

80. Firstly, on the principle of imposing a fine, the company maintains that such a measure is not necessary and would not be proportionate to the facts of which it is accused.

81. The restricted formation recalls that it must take into account, for the pronouncement of an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the breach, the measures taken by the controller to mitigate the damage suffered by the data subjects, the degree of cooperation with the supervisory authority and the categories of personal data concerned by the breach.

82. The panel considers firstly that the company has shown a certain negligence with regard to the fundamental principles of the GDPR, since several breaches have been established, in particular concerning the rights of individuals and security. The panel added that three breaches had given rise to complaints.

83. The restricted panel then notes that the company is a particularly important player in the Internet access provider sector since, in 2021, it had approximately 6.9 million subscribers, which ranked it among the main Internet access providers in France. It therefore has significant resources to deal with personal data protection issues.

84. Accordingly, the Panel considers that an administrative fine should be imposed for the breaches of Articles 12, 15, 17, 32 and 33 of the GDPR.

85. Secondly, with regard to the amount of the fine, the restricted formation recalls that administrative fines must be both dissuasive and proportionate. In the present case, the panel considers that the company failed to fulfil its obligations under Articles 12, 15, 17, 32 and 33 of the GDPR, relating in particular to the rights of individuals and to basic measures relating to the security of personal data. The panel added that several breaches had given rise to complaints, although it noted that the number of complaints revealing the existence of breaches appeared to be small - indeed, their number, ten, should be compared with the number of subscribers, which is approximately 6.9 million - so that these breaches cannot be considered to be of a systemic nature.

86. The restricted formation also recalls that the activity of the company and its financial situation must be taken into account for the determination of the penalty and in particular, in the case of an administrative fine, of its amount. It notes in this respect that the company reports a turnover of EUR [...] in 2020 for a net result of approximately EUR [...].

87. 87. Consequently, in view of these elements, the restricted formation considers that the imposition of an administrative fine of EUR 300,000 (three hundred thousand) appears justified.

88. Thirdly, an injunction to bring the processing into compliance with the provisions of Article L. 34-5 of the CPCE and Articles 7-1, 15, 17, 32 and 33 of the RGPD was proposed by the rapporteur when the report was notified.

89. The company maintains that the actions it has taken with regard to all the breaches identified should lead to the rapporteur's proposal for an injunction not being followed up.

90. As indicated above, the restricted panel notes that the company has taken measures to bring its processing operations into line with the provisions of Articles 17, 32 and 33 of the GDPR. However, the restricted formation considers that the company has not provided, at the date of the closure of the investigation, elements enabling it to attest to the compliance of its processing operations with the provisions of Article 15 of the RGPD, insofar as it intends to provide only information relating to the identity of the "primary source" of the collection of the data subject's data (i.e. the first actor in the chain to have collected the data subject's personal data). Consequently, the restricted formation considers that an injunction should be issued on this point.

91. Lastly, with regard to the publication of the decision to impose a penalty, the company maintains that such a measure would be neither necessary nor proportionate in view of the alleged breaches that it refutes and its compliance.

92. The restricted panel considers that the publicity of the sanction is justified in view of the plurality of breaches committed and the need to bring to the attention of individuals, and in particular the customers concerned, the failings related to the processing of personal data implemented by the company. It also considers that this measure will make it possible to inform the persons concerned of the past existence of the breaches sanctioned, particularly insofar as these facts have been the subject of several complaints.

FOR THESE REASONS

The CNIL's restricted formation, after deliberation, decides to :

- to impose an administrative fine on FREE in the amount of 300,000 (three hundred thousand) euros for breaches of Articles 12, 15, 17, 32 and 33 of the GDPR;

- pronounce against the company FREE an injunction to provide an exhaustive response to the requests of Messrs [...] (complaint no. 19014037), [...] (complaint no. 19015831), [...] (complaint no. 19016618) and [...] (complaint no. 19005208) which specifies the identity of the data broker from which it obtained the data of the persons concerned;

- 500 (five hundred) euros per day of delay at the end of a period of one month following notification of this decision, with proof of compliance to be sent to the restricted formation within this period;

- make its decision public on the CNIL website and on the Légifrance website, which will no longer identify the company by name at the end of a period of two years from its publication.

The Chairman

Alexandre LINDEN

This decision may be appealed to the Council of State within two months of its notification.