CNIL (France) - SAN-2022-020

From GDPRhub
Revision as of 09:08, 6 December 2022

CNIL - Délibération SAN-2022-020
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3(2)(a) GDPR
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 21 GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 35(1) GDPR
Article 55(1) GDPR
Article 56 GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.11.2020
Decided: 10.11.2022
Published:
Fine: 800,000 EUR
Parties: Discord
National Case Number/Name: Délibération SAN-2022-020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined an online communication platform €800,000 for several GDPR violations. Among other things, the controller did not have a data retention period in its privacy policy, provided incomplete information and failed to ensure data protection by default.

English Summary

Facts

The French CNIL (DPA) started an investigation into a company based in the United States (controller). This controller provided a free-of-charge online service that allowed data subjects to communicate online, including instant messaging and the option to create servers and communication rooms, with text, voice and video rooms.

The investigation service of the DPA (investigation service) identified several shortcomings on the controller's side. During the investigation, the controller stated that it did not have a written data retention policy. The investigation service confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. During the procedure, the controller adopted a data retention policy under which it would delete user accounts after two years of inactivity.

The investigation service found that the information the controller provided regarding data retention periods was incomplete. There were no specific periods or criteria for determining these retention periods. The controller also changed this during the procedure.

The investigation service also commented on the controller's application for Microsoft Windows, an operating system for desktop and laptop computers. When a data subject, logged in to a voice room, closed the controller’s application window by clicking on the "X" icon at the top right of the application, the application would continue to run in the background and the data subject would remain logged in. In the majority of Microsoft Windows applications, however, clicking on the "X" closes the application. This 'background minimization' was activated by default after the first install of the controller's software, and the data subject was not informed about it. During the procedure, the controller implemented a pop-up window alerting data subjects that the application was still running when the application window was closed for the first time. The controller also informed data subjects that this setting (remaining logged in after the application window is closed) could be changed in the settings.

At the time of the online investigation, when creating an account, the controller accepted a password of six characters including letters and numbers. The controller also adjusted this during the proceedings: it now required data subjects to use a password of at least eight characters, with at least three of the four different character types. Also, after ten unsuccessful login attempts, the controller now required a captcha prompt to be solved, which was previously not the case.

The investigation service also determined that the controller had previously deemed it unnecessary to carry out a data protection impact assessment (DPIA). During the procedure, the controller carried out two impact assessments, in which the controller concluded that its processing was not likely to result in a high risk to individuals' rights and freedoms.

Holding

Competence of the DPA

The DPA determined that the controller processed personal data of French data subjects and held that the GDPR was applicable pursuant to Article 3(2)(a) GDPR. The DPA determined that the controller offered services intended for data subjects in the European Union by considering several factors. Among other factors, the DPA considered that almost all pages on the controller’s website and in the controller’s application were available in French at the time of the investigation.

The DPA determined that it was competent to handle this case because the "one-stop shop" mechanism (Article 56 GDPR) did not apply, since the controller did not have an establishment on the territory of any EU Member State. Therefore, each national supervisory authority was competent to monitor GDPR compliance on the territory of its own Member State (Article 55 GDPR).

Failure to define and respect a data retention period appropriate to the purpose (Article 5(1)(e) GDPR)

The DPA confirmed that the controller did not have a written data retention policy at the time of the investigation. The DPA also confirmed that there were 2,474,000 French data subject accounts in the controller’s database that had not been used for more than three years and 58,000 accounts that had not been used for more than five years. The DPA held that this was a violation of Article 5(1)(e) GDPR, because the controller could not rely on the contractual relationship to keep storing indefinitely the accounts of data subjects who were inactive but had not unsubscribed. This was because a new account could be created free of charge: an inactive data subject who wished to use the service again could simply create a new account.

Failure to comply with the obligation to provide information (Article 13 GDPR)

The DPA stated that at the time of the investigation, the information regarding data retention periods was incomplete. There were no specific periods or criteria for determining these periods. The DPA held that this was a violation of Article 13 GDPR, because retention periods were stated in a generic manner and were not sufficiently explicit.

Failure to ensure data protection by default (Article 25(2) GDPR)

The DPA also found a violation of Article 25(2) GDPR regarding the controller's “X” icon at the top right corner of its Windows application. The DPA determined that the behaviour of the controller's application differed from that of other Windows applications. The DPA considered that data subjects clicking the “X” icon in the controller’s application without actually closing it could lead to a situation where the data subject could still be heard by other members in the voice room, while the data subject actually thought he/she had left the voice room.

The DPA stated that data subjects could not reasonably expect the application to keep running after clicking the 'X' icon, because communication apps in general either inform the data subject about this 'background minimization' or provide the option to data subjects to enable it themselves. The DPA stated that because of this situation, the data subject's personal data could be communicated to third parties without the data subject necessarily being aware of this. The DPA noted that this setting, without sufficiently clear and visible information, could present significant risks for data subjects, in particular for intrusion into their private life.

Failure to ensure the security of personal data (Article 32 GDPR)

At the time of the online investigation, the controller accepted a password of six characters including letters and numbers for creating a user account. The DPA considered that the controller's passwords were not strong enough, taking into account the undemanding password policy and the volume of personal data processed by the controller. This resulted in a risk of compromise for the user accounts in question, including the personal data these accounts contained. The DPA referred to its own recommendations for passwords (in deliberation No. 2017-012 of 19 January 2017), under which passwords should comprise at least eight characters, containing at least three of the four categories of characters (upper case, lower case, numbers and special characters), and authentication should include a limitation on access to the user account, such as a temporary lockout after several failed login attempts.
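To make the two controls discussed above concrete, the following is an added example (not the controller's code, nor the CNIL's). It puts the pre-investigation rule described in the facts (six characters with letters and digits) beside the corrected rule (at least eight characters drawn from at least three of the four character classes, as in the CNIL's 2017 recommendation), and adds the brake on repeated failed logins, here a CAPTCHA demanded after ten failures as the page describes. The thresholds come from the page; the function and class names are the example's own.

```python
"""Password-policy and failed-login checks modelled on the controls discussed
on this page.  Added example, not code from the controller or the CNIL.
Thresholds are taken from the page; names are the example's own."""

from __future__ import annotations

from dataclasses import dataclass, field

OLD_MIN_LENGTH = 6           # rule the CNIL found at the time of the investigation
NEW_MIN_LENGTH = 8           # rule adopted during the procedure (CNIL 2017-012)
NEW_MIN_CLASSES = 3          # of the four: lower, upper, digit, special
CAPTCHA_AFTER_FAILURES = 10  # failed attempts before a CAPTCHA is demanded


def character_classes(password: str) -> set[str]:
    """Which of the four character classes occur in the password.  Anything
    that is not a cased letter or a decimal digit counts as 'special'."""
    classes: set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def old_policy_accepts(password: str) -> bool:
    """The weak rule from the facts: six characters including letters and digits."""
    return (len(password) >= OLD_MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def new_policy_problems(password: str) -> list[str]:
    """Reasons the corrected rule rejects a password; an empty list means accepted."""
    problems = []
    if len(password) < NEW_MIN_LENGTH:
        problems.append(f"only {len(password)} characters, minimum is {NEW_MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < NEW_MIN_CLASSES:
        problems.append(f"only {len(classes)} of 4 character classes, minimum is {NEW_MIN_CLASSES}")
    return problems


def new_policy_accepts(password: str) -> bool:
    return not new_policy_problems(password)


@dataclass
class LoginThrottle:
    """Counts consecutive failed logins per account and says when a CAPTCHA must
    be solved before the next attempt is processed.  A successful login resets
    the counter.  Keyed by account name only; a real deployment would also key
    by source address and persist the counters across processes."""
    failures: dict[str, int] = field(default_factory=dict)

    def record_failure(self, account: str) -> int:
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account]

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def captcha_required(self, account: str) -> bool:
        return self.failures.get(account, 0) >= CAPTCHA_AFTER_FAILURES


def attempt_login(throttle: LoginThrottle, account: str, password_ok: bool,
                  captcha_solved: bool = False) -> str:
    """Outcome of one attempt: 'ok', 'denied', or 'captcha' when the throttle
    demanded a CAPTCHA that was not solved (the password is not even checked)."""
    if throttle.captcha_required(account) and not captcha_solved:
        return "captcha"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


if __name__ == "__main__":
    # Constructed sample passwords: the first passes the old rule but fails the new one.
    for pw in ("abc123", "Abcdefg1", "abcdefgh1", "Ab1!"):
        print(f"{pw!r}: old policy {old_policy_accepts(pw)}, "
              f"new policy {new_policy_accepts(pw)} {new_policy_problems(pw)}")
    throttle = LoginThrottle()
    outcomes = [attempt_login(throttle, "alice", password_ok=False) for _ in range(11)]
    print(outcomes)  # ten 'denied', then 'captcha'
```

Composition rules of this kind are what the CNIL recommended in 2017 and what the page reports the controller adopted; note that NIST SP 800-63B advises against mandatory composition rules in favour of length and screening against known-breached passwords, so the class count above is best treated as a floor rather than as a sufficiency test, and the throttle should be paired with server-side rate limiting rather than relied on alone.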

Failure to carry out a data protection impact assessment (Article 35 GDPR)

The controller had previously considered that it was not necessary to carry out a DPIA. The DPA considered that the controller should have done so, given the large scale of personal data processed and the fact that the controller's service was also used by children aged fifteen, of which the controller was fully aware, according to the DPA.

Fine

The DPA imposed a fine of 800,000 euros on the controller. The amount of the fine was based on several factors, such as the efforts made by the controller throughout the procedure to become GDPR compliant.

Comment

The DPA also investigated breaches of Articles 12 and 21 GDPR, which were determined by the investigation service. However, the DPA did not follow its investigation service in these instances and held that the controller did not violate these articles.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.