CNIL (France) - SAN-2023-023

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 32 GDPR
Article 82 Informatique et Libertés
Type: Investigation
Outcome: Violation Found
Started: 24.09.2021
Decided: 29.12.2023
Published: 11.01.2024
Fine: 105000 EUR
Parties: NS Cards France
National Case Number/Name: SAN-2023-023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance.gouv (in FR)
Initial Contributor: R_e_

The French DPA fined NS Cards France, an electronic money distributor, €105,000 for keeping personal data longer than necessary, having incomplete privacy policies, failing to sufficiently secure personal data, and failing to seek user consent regarding not strictly necessary cookies.

English Summary

Facts

In the context of its investigations, the French DPA (CNIL) undertook an online check of the controller's website and an on-the-spot check of its premises. The controller, NS Cards France, is an electronic money distributor that facilitates online payments.

The CNIL found that when creating a user account on the controller's website, surname, first name, date of birth, postal address, email address, telephone number, and, if applicable, bank details were collected, as well as personal documents, such as proof of identity and residence. While the controller specified a retention period of ten years for this data from the last transaction carried out on the account, in fact, no deletion had been carried out in the databases since the beginning of the controller's activity in 2005. An estimated 70,049 accounts had been inactive for more than ten years. Additionally, 51,735 accounts were kept for no purpose, as they were "unconfirmed", i.e. the email address had not been confirmed when the account was created.

Furthermore, the information provided by the company on the website and its mobile application via the privacy policy was incomplete, not up-to-date and only in English.

The controller also allowed users to create account passwords of six characters, composed of only three categories of characters (uppercase, lowercase and numbers), and the CNIL found that no access restrictions in the event of authentication failure were implemented. 49,214 passwords were also stored in clear text in the company's database and associated with their email address and identifier.

Additionally, the rapporteur noted that thirteen cookies were deposited on arrival at the website's home page, before the user could take any action, including giving consent. The Google reCaptcha module, used to block bots on the registration and login pages of the website and mobile application, was also deployed without asking for user consent.

Holding

On 10 May 2023, under Article 56 GDPR, the CNIL informed all European supervisory authorities of its competence to act as a lead supervisory authority concerning cross-border processing carried out by the controller, as even though the controller processed data of residents of other European Member States, its sole establishment was located in France. Pursuant to Article 60(3) GDPR, the draft decision was shared with the other supervisory authorities concerned.

Recalling the CNIL decision No. SAN-2022-018, the CNIL noted that the retention period of personal data must be determined according to the purpose pursued by the processing. When data are no longer necessary for that purpose, they must either be deleted or placed in intermediate archiving, where their retention is necessary for compliance with legal obligations or for pre-litigation or litigation purposes. Beyond these retention periods, personal data must, with some exceptions, be deleted or anonymised. Therefore, the CNIL established that the controller breached Article 5(1)(e) GDPR, since no deletion or anonymisation of the 70,049 inactive accounts occurred after the ten-year retention period.

Additionally, the CNIL noted that since the information on data processing was provided using a privacy policy only in English, despite targeting a French-speaking public, data subjects were not able to assess in advance the scope and consequences of the processing. The controller, therefore, was not complying with the transparency requirements of information set by Article 12 GDPR. Furthermore, the privacy policy did not mention the data retention period or the right to lodge a complaint with the CNIL. Given the information being processed, including bank details, this information was necessary to ensure fair and transparent processing within the meaning of Article 13(2) GDPR.

Fourthly, the controller is required to ensure that the automated data processing it implements is sufficiently secure. The sufficiency of the security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it entails and, on the other hand, taking into account the state of knowledge and the cost of the measures. Considering this, the CNIL found the controller's password rules too permissive, allowing insufficiently robust passwords susceptible to attacks. Nor did storing users' passwords in clear text, associated with their identifiers and email addresses, guarantee the security and confidentiality of personal data. Hence, the CNIL found the controller to have breached Article 32 GDPR.

Regarding the placing of cookies without user consent, the controller argued that the Google Analytics cookie was an audience measurement tool for internal use, exempt from the requirement to collect consent. However, the CNIL noted that Article 82 of the French Data Protection Act, which implements Article 5(3) of the ePrivacy Directive, provides that operations to access or store information in a user's terminal may only take place after the user has given consent; the only cookies exempt from this obligation are those whose exclusive purpose is to enable or facilitate communication by electronic means, or those strictly necessary for the provision of an online communication service at the express request of the user. After considering the available Google documentation, the CNIL held that the placing of these cookies had to be subject to the user's consent. By failing to give users a choice regarding the placing of trackers, and a choice regarding the use of Google reCaptcha, whose mechanism does not have the sole purpose of securing the authentication process but also allows Google to carry out analysis operations, as specified in its terms of use, the controller breached Article 82 of the French Data Protection Act.
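
The finding above (thirteen cookies set before any choice, plus a third-party module loaded on the login page) is the kind of thing a site can check for itself before release. The following is an added example, not code from GDPRhub, the CNIL or NS Cards France: it audits a captured first-visit response for Set-Cookie headers and external script hosts that are not on an allowlist of strictly necessary items. The sample headers, the HTML, the cookie allowlist and the first-party host list are all constructed assumptions to be adapted per site.

```python
# Added example (not from the GDPRhub page, the CNIL decision, or NS Cards
# France): audit what a landing page does on a first visit, before the user has
# made any choice. It reports Set-Cookie headers and third-party <script> tags
# that fall outside an allowlist of strictly necessary items. The headers, HTML
# and allowlists below are constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: cookies whose only purpose is to deliver the service the
# user asked for (session handling, CSRF protection, language choice).
STRICTLY_NECESSARY_COOKIES = {"session_id", "csrf_token", "lang"}
# Assumed allowlist of script hosts treated as first-party for this site.
FIRST_PARTY_HOSTS = {"www.example.test", "static.example.test"}

# Constructed sample: response captured on a consent-free first visit.
SAMPLE_SET_COOKIE_HEADERS = [
    "session_id=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=t0k3n; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.2.1234.5678; Max-Age=63072000; Path=/",
    "_gid=GA1.2.8765.4321; Max-Age=86400; Path=/",
    "lang=fr; Path=/",
]
SAMPLE_HTML = """
<html><head>
<script src="https://static.example.test/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head><body>Welcome</body></html>
"""


def cookie_name(set_cookie_header):
    """The cookie name is the text before the first '=' of the first segment."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[0].strip()


def audit_cookies(set_cookie_headers, allowlist=STRICTLY_NECESSARY_COOKIES):
    """Split cookies set before consent into exempt and consent-requiring names."""
    exempt, needs_consent = [], []
    for header in set_cookie_headers:
        name = cookie_name(header)
        if name:
            (exempt if name in allowlist else needs_consent).append(name)
    return exempt, needs_consent


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_scripts(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Hosts of externally loaded scripts that are not first-party. Such a
    script can read and write the visitor's terminal (cookies, storage) before
    any consent has been collected, which is the issue raised for reCaptcha."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    third_party = []
    for src in collector.sources:
        host = urlparse(src).hostname
        if host and host not in first_party_hosts:
            third_party.append(host)
    return third_party


def pre_consent_report(set_cookie_headers, html):
    """One verdict for a consent-free first visit: nothing non-exempt may be set
    or loaded until the user has made a choice."""
    exempt, needs_consent = audit_cookies(set_cookie_headers)
    third_party = audit_scripts(html)
    return {
        "exempt_cookies": exempt,
        "cookies_needing_consent": needs_consent,
        "third_party_script_hosts": third_party,
        "compliant_before_consent": not needs_consent and not third_party,
    }


if __name__ == "__main__":
    print(pre_consent_report(SAMPLE_SET_COOKIE_HEADERS, SAMPLE_HTML))
```

Run against the constructed sample, the report lists `_ga` and `_gid` as cookies needing consent and two third-party script hosts, so the page is not compliant before consent; the same function returns a compliant verdict for a response that only sets the session cookie. The allowlist is the part that needs care: it should contain only cookies that exist to deliver the service the user requested, which is the exemption the decision describes.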

Considering the aforementioned violations, the CNIL issued a fine of €90,000 for breaches of Articles 5(1)(e), 12, 13 and 32 GDPR, and an additional €15,000 for the controller’s infringement of Article 82 of the French Data Protection Act.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted panel no. SAN-2023-023 of December 29, 2023 concerning the company NS CARDS FRANCE

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mr. Alain DRU and Ms. Isabelle LATOURNARIE-WILLEMS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 as amended taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision No. 2021-193C of June 29, 2021 of the President of the National Commission for Information Technology and Freedoms instructing the Secretary General to carry out or have carried out a mission to verify the processing of personal data implemented by the company or on its behalf;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated March 29, 2022;

Having regard to the report of Mr. François PELLEGRINI, commissioner rapporteur, notified to the company NS CARDS FRANCE on July 3, 2023;

Having regard to the written observations submitted by the company NS CARDS FRANCE on August 18, 2023;

Considering the other documents in the file;

Were present at the restricted panel session on November 16, 2023:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of the company NS CARDS FRANCE:

- […];

- […];

- […];

The company NS CARDS FRANCE having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The company NS CARDS FRANCE (hereinafter "the company"), whose head office is located at 10, rue Vandrezanne in Paris (75013), was registered in the trade and companies register on November 9, 2010. In 2019, its turnover amounted to […] euros for a net result of […] euros and in 2020, its turnover amounted to […] euros for a net result of […] euros. In 2023, it had six employees.

2. The company NS CARDS FRANCE is an electronic money distributor which allows users to make online payments. The company offers two forms of payment solutions: on the one hand, it distributes, at approved points of sale, neosurf coupons with which individuals can make online payments on partner websites; on the other hand, the use of neosurf coupons can also be combined with the creation of an electronic wallet, which requires creating a user account on the website www.neosurf.com or the "neosurf" mobile application and crediting it using coupons or a bank card. Creating a user account allows users to make online payments or receive winnings. It is this second activity which is at issue in the present procedure.

3. Two control missions took place in application of decision no. 2021-193C of June 29, 2021 of the president of the CNIL in order to verify compliance by the company with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the GDPR") and Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms as amended (hereinafter "the Data Protection Act"). On September 24, 2021, the CNIL services carried out an online check using the website "www.new.neosurf.com". On October 13, 2021, the CNIL services carried out an on-site inspection at the premises of the company NS CARDS FRANCE, located in Paris (75013).

4. The online monitoring of the website www.new.neosurf.com (now www.neosurf.com) was mainly intended to verify the methods of informing people and the procedure for creating a user account. It made it possible to note the deposit of cookies and other trackers via the said website. The on-site inspection focused more specifically on the verification of the documentation required by the GDPR, the account creation process on the neosurf mobile application, the retention periods applied to user account data, and the technical and organizational measures intended to ensure the security of data collected through the website and the mobile application.

5. These two control missions gave rise to the establishment of minutes No. 2021-193/1 and 2021-193/2. By letters of October 8, October 22 and November 15, 2021, the company sent additional information to the Commission services.

6. In accordance with Article 56 of the GDPR, the CNIL informed all European supervisory authorities on May 10, 2023 of its competence to act as lead supervisory authority regarding cross-border processing implemented by the company, resulting from the fact that the sole establishment of the company is in France. After exchanges between the CNIL and the European data protection authorities within the framework of the one-stop-shop mechanism, it appears that the German, Austrian, Belgian, Cypriot, Danish, Spanish, Finnish, Greek, Irish, Italian, Luxembourg, Dutch, Norwegian, Polish, Portuguese, Romanian and Swedish authorities are affected by the processing, user accounts having been created by residents of these states.

7. For the purposes of examining these elements, the President of the Commission, on March 29, 2022, appointed Mr. François PELLEGRINI as rapporteur on the basis of article 22 of the Data Protection Act.

8. On July 3, 2023, the rapporteur notified the company of a report detailing the breaches of articles 5-1-e), 12, 13 and 32 of the GDPR as well as article 82 of the Data Protection Act, which he considered to be constituted in this case.

9. On August 18, 2023, the company produced its observations in response to the sanction report.

10. By letter dated September 29, 2023, the rapporteur informed the company's board that the investigation was closed, pursuant to article 40, III, of amended decree no. 2019-536 of May 29, 2019.

11. By letter of October 2, 2023, the company was informed that the file was included on the agenda for the restricted panel session of November 16, 2023.

12. The rapporteur and the company presented oral observations during the restricted panel session.

II. Reasons for decision

A. On the European cooperation procedure

13. In application of Article 60 paragraph 3 of the GDPR, the draft decision adopted by the restricted committee was transmitted on November 29, 2023 to the European supervisory authorities concerned.

14. As of 28 December 2023, none of the supervisory authorities concerned had raised a relevant and reasoned objection to this draft decision, so that, pursuant to Article 60(6) of the GDPR, they are deemed to have approved it.

B. On the failure to comply with the obligation to limit the duration of data retention

15. Under the terms of article 5-1, e) of the GDPR, personal data must be "kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed".

16. The rapporteur noted that when creating a user account on the website www.neosurf.com, the surname, first name, date of birth, postal address, email address, telephone number and, where applicable, bank details were collected, as well as personal documents, such as proof of identity and address. However, the rapporteur noted that it emerged from the on-site inspection that, although the company had defined a retention period of ten years for this data from the last transaction carried out on the account, in fact the accounts were only inactivated at the end of this period, while the data was kept in the production database for an indefinite period. He also noted that no purge had been carried out in the company's databases since the start of its activity in 2005. The rapporteur notably estimated that the company's letter of November 15, 2021 showed the retention of 70,049 accounts inactive for more than ten years. In addition, he considered that the company did not justify the application of the new five-year retention period that it defined for user account data following the CNIL checks. Finally, he noted that 51,735 accounts were kept without purpose, to the extent that they were "unconfirmed", that is to say that the email address had not been confirmed when the account was created.

17. In defense, during the investigation, the company first indicated that it had defined a retention period for user accounts of ten years for the purposes of combating money laundering and the financing of terrorism ("AML-FT"), before declaring, in its letter of November 15, 2021, that this duration was now only applied to customer contracts concluded for an amount greater than €120 excluding tax, in application of article D. 213-1 of the Consumer Code, and that other user account data would now be kept for five years from the last transaction carried out on the account. In its observations in response, the company also corrected the declarations made during the investigation as to the duration applicable to the retention of certain data for AML-FT purposes, which is five years in application of article 561-2 of the Monetary and Financial Code. The company maintains that the query provided regarding the 70,049 inactive accounts shows the presence of these accounts in the database for ten years and not for more than ten years. It specifies that this query was only intended to show the effective application of the new five-year retention period that it had defined. In its observations, the company provides a new screenshot which, it says, unambiguously attests to the deletion of accounts inactive for five years.

18. Regarding the 51,735 unconfirmed accounts, the company states that the data associated with these accounts is kept for one year, then deleted if the account is not confirmed. It declares that the purpose pursued by this retention is to allow users adequate time to confirm their account, and criticizes the rapporteur for having prejudged excessive retention of data associated with unconfirmed accounts without even asking about the purpose of the processing and the retention period applied to this data.

19. The restricted panel recalls, on the one hand, that the duration of retention of personal data must be determined according to the purpose pursued by the processing. When they are no longer necessary for the purpose for which they were collected, the data must either be deleted or be placed in intermediate archiving, where their retention is necessary for compliance with legal obligations or for pre-litigation or litigation purposes. Data placed in intermediate archiving are kept there for a period not exceeding that necessary for the purposes for which they are retained, in accordance with the provisions in force. Thus, after sorting the relevant data to be archived, the data controller must provide, for this purpose, a dedicated archive database or a logical separation within the active database. This logical separation is ensured by implementing technical and organizational measures guaranteeing that only people with an interest in processing the data by reason of their functions can access it. Beyond these intermediate archiving periods, personal data must, except in exceptional circumstances, be deleted or anonymized (CNIL, FR, September 8, 2022, Sanction, Groupement X, n° SAN-2022-018, published).

20. On the other hand, under the terms of article L. 213-1 of the Consumer Code: "When the contract is concluded electronically and it concerns a sum equal to or greater than an amount fixed by decree, the professional contractor ensures the conservation of the writing which records it for a period determined by the same decree and guarantees access to it at any time to its co-contractor if the latter requests it." Article D. 213-1 of the same code provides that "[t]he amount mentioned in article L. 213-1 is set at 120 euros" and article D. 213-2 provides that "[t]he period mentioned in Article L. 213-1 is set at ten years from the conclusion of the contract when delivery of the goods or performance of the service is immediate. Otherwise, the period runs from the conclusion of the contract until the date of delivery of the goods or performance of the service and for a period of ten years from this date".

21. In this case, the restricted panel firstly notes, with regard to the retention of 51,735 unconfirmed accounts in the database, that although the company's letter of November 15, 2021 indicated that the data of "inactive prospects" were deleted after one year, the retention period policy attached to this letter paradoxically provided for a three-year retention period for data linked to the "management of non-customer prospect files". During the hearing, the company explained this contradiction by the fact that the three-year retention period was intended solely for retention for commercial prospecting purposes and that it no longer engaged in this type of activity. In any event, the restricted panel considers that in its defense observations, the company justifies a duration and a purpose for the retention of data from unconfirmed accounts, namely, retention for one year in order to allow those concerned adequate time to confirm their account. Therefore, it considers that the elements in the file do not make it possible to characterize a breach of article 5-1-e) of the GDPR on this point.

22. Next, the restricted panel notes that on the date of the on-site inspection, the company defined a duration of ten years, which begins to run on the date of activation of the user account. However, it notes that at the end of this period, the user accounts were inactivated but that the company continued to keep the account data in the database for an indefinite period. The restricted panel further notes that according to the company's own statements, no data purge had been carried out since 2005.

23. Regarding the conservation of 70,049 inactive accounts, the restricted panel notes that the screenshot provided by the company in its letter of November 15, 2021 was intended to illustrate, at the request of the CNIL services, " the number of inactive accounts with a creation date greater than 10 years from October 13, 2021". The restricted panel considers that in view of the explanations provided by the company, the screenshot produced showed the retention of inactive accounts for ten years and not for more than ten years.

24. Nevertheless, the restricted panel notes that it follows from the above that when the retention period is reached, the personal data must be deleted or anonymized, and that making an account inactive corresponds neither to deletion of the personal data it contains nor to anonymization. Therefore, it appears from the documents in the file that on the date of the on-site inspection, the company retained the data of user accounts, even inactivated ones, for an indefinite period.

25. In any event, the restricted panel observes that it appears from the above-mentioned screenshot as well as from the other elements of the file that until the checks carried out by the CNIL agents, the data of 70,049 customer accounts had been present in the database for ten years without any sorting having been carried out between the data to be kept in accordance with the provisions of Article D. 213-1 of the Consumer Code and those to be deleted. The restricted panel notes that the five-year retention period for data other than those covered by this provision was only defined following the on-site inspection, as confirmed by the company in its letter of November 15, 2021, and that proof of its effective application was only provided as part of its defense observations, on August 18, 2023. Therefore, the restricted panel considers that the company has retained account data not covered by article D. 213-1 of the Consumer Code for excessive durations.

26. Consequently, the restricted panel considers that the above facts characterize a breach of article 5-1-e) of the GDPR. The restricted panel notes that the company complied during the procedure by establishing and applying adequate retention periods for user account data, with regard to the various purposes pursued. It nevertheless recalls that this compliance cannot exempt the company from its responsibility for the past.
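
Paragraphs 17 to 25 spell out three durations (one year for unconfirmed accounts, five years from the last transaction for ordinary account data, ten years for the record of an electronically concluded contract of €120 or more) and hold that flagging an account inactive is neither deletion nor anonymisation. The following is an added example, not the company's code and not part of the decision, showing a retention pass that turns those durations into concrete keep / archive / delete actions. The `Account` fields, the sample rows, the inspection-date cut-off and the 365-day year are constructed assumptions.

```python
# Added example (not the company's code and not part of the decision): one
# retention pass over user-account records, applying the durations the
# decision cites. The Account fields, the cut-off date and the sample rows are
# constructed; a year is taken as 365 days for simplicity.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ONE_YEAR = timedelta(days=365)        # unconfirmed accounts (para. 18, 21)
FIVE_YEARS = timedelta(days=5 * 365)  # other account data, from last transaction (para. 17, 25)
TEN_YEARS = timedelta(days=10 * 365)  # electronic contracts of 120 EUR or more (art. L./D. 213-1 as quoted)
CONTRACT_THRESHOLD_EUR = 120


@dataclass
class Account:
    account_id: str
    created: date
    confirmed: bool
    last_transaction: Optional[date] = None
    # Assumed field: date of the most recent electronically concluded contract
    # of CONTRACT_THRESHOLD_EUR or more, if any.
    last_large_contract: Optional[date] = None


def retention_action(acc: Account, today: date) -> str:
    """Return 'keep', 'archive' or 'delete' for one account.

    'archive' means the active record leaves the production database and only
    the contract record required by the Consumer Code is kept in a logically
    separated intermediate archive (para. 19). Merely flagging the account
    inactive is deliberately not an outcome: the decision holds that
    inactivation is neither deletion nor anonymisation (para. 24).
    """
    if not acc.confirmed:
        return "delete" if today - acc.created > ONE_YEAR else "keep"
    last_activity = acc.last_transaction or acc.created
    active_period_over = today - last_activity > FIVE_YEARS
    contract_still_retained = (
        acc.last_large_contract is not None
        and today - acc.last_large_contract <= TEN_YEARS
    )
    if not active_period_over:
        return "keep"
    return "archive" if contract_still_retained else "delete"


def run_retention(accounts, today: date) -> dict:
    """Group account ids by action. A purge job would then delete (or
    anonymise) the 'delete' group and move the 'archive' group to the
    archive store; nothing stays in production beyond its period."""
    plan = {"keep": [], "archive": [], "delete": []}
    for acc in accounts:
        plan[retention_action(acc, today)].append(acc.account_id)
    return plan


# Constructed sample rows; the cut-off is the on-site inspection date quoted
# in the decision.
INSPECTION_DATE = date(2021, 10, 13)
SAMPLE_ACCOUNTS = [
    Account("a1", date(2005, 3, 1), True, last_transaction=date(2006, 1, 10)),
    Account("a2", date(2020, 1, 1), False),
    Account("a3", date(2021, 6, 1), False),
    Account("a4", date(2012, 1, 1), True, last_transaction=date(2013, 5, 1),
            last_large_contract=date(2013, 5, 1)),
    Account("a5", date(2019, 1, 1), True, last_transaction=date(2021, 9, 1)),
]

if __name__ == "__main__":
    print(run_retention(SAMPLE_ACCOUNTS, INSPECTION_DATE))
```

On the sample, `a1` (last transaction in 2006, no qualifying contract) and `a2` (unconfirmed for more than a year) are deleted, `a4` moves to the archive because its €120-or-more contract is still within its ten-year period even though the five-year active period has passed, and `a3` and `a5` stay. Running such a pass on a schedule, with a count of rows per action written to an audit log, is what turns a retention policy on paper into the "effective application" the panel asked the company to prove.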

C. On the failure to comply with the obligation to inform individuals

27. Under Article 12 of the Regulation, the data controller must provide the data subjects with the information provided for in Article 13 of the same Regulation "in a concise, transparent, understandable and easily accessible manner, in clear and simple terms […]".

28. Article 13 of the GDPR lists the information that must be provided to the data subject when personal data is collected directly from them. This information relates in particular to the identity of the data controller and his contact details, the purposes of the processing implemented, its legal basis, the recipients or categories of recipients of the data, and the fact that the data controller intends to carry out a data transfer to a third country. The article also requires the data controller, when this appears necessary to guarantee "fair and transparent processing" of personal data in the case at hand, to inform individuals about the duration of data retention, the existence of the various rights from which individuals benefit, the existence of the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.

29. The Regulation does not prescribe the form in which this information must be provided. In practice, this information is generally grouped together in a confidentiality policy.

30. In his report, the rapporteur notes in essence that the information provided by the company on the website www.neosurf.com and on its mobile application via the confidentiality policy was incomplete, not up to date and only in English. The rapporteur notes, however, that the company has, since the inspections, engaged in a process of compliance, without this calling into question the shortcomings in the past.

31. In defense, the company does not contest the breach, but indicates that it has complied since the inspections. It criticizes the rapporteur for basing certain complaints in his report on informal checks, at the end of which he noted that deficiencies persisted on the day the report was sent, outside of any findings recorded contradictorily in a report.

32. The restricted panel firstly notes that it appears from the findings made during the checks that with regard to the website www.neosurf.com, a confidentiality policy available at the footer of the site's home page was only available in English. In this regard, it notes, like the rapporteur, that information provided by means of a confidentiality policy available only in English, relating to data processing mainly targeting a French-speaking public, does not allow the persons concerned to assess in advance the scope and consequences of the processing and is therefore not in compliance with the information transparency requirements set out in Article 12 of the GDPR. The restricted panel considers that the same applies to the reference made from the account creation form to the confidentiality policy available only in English.

33. Next, the restricted panel notes that the home page of the website and the user account creation page both referred to versions of the confidentiality policy from 2018 and 2021, which mentioned neither the data retention period nor the right to lodge a complaint with the CNIL. The restricted panel notes that given the data processed by the company, including bank details, this information was necessary to guarantee fair and transparent processing within the meaning of Article 13(2) of the GDPR. It further notes, like the rapporteur, that the coexistence of these two incomplete versions of the confidentiality policy was likely to create confusion among the persons concerned as to the extent of the rights which they had with regard to their data and the consequences of their processing.

34. With regard to the neosurf mobile application, the restricted panel notes that on the date of the checks, the account creation page also offered an incomplete confidentiality policy dated 2018, available only in English, thus disregarding Articles 12 and 13 of the GDPR in the same manner, for the reasons already explained with regard to the website.

35. Consequently, the restricted panel considers that the company has committed a breach of Articles 12 and 13 of the GDPR. It specifies that the breach taken into account is the one which was crystallized at the time of the checks, and that the informal checks by the rapporteur which preceded the notification of his report were only intended to draw the company's attention to the fact that its compliance had not yet been achieved. The restricted panel takes note of the fact that the company has brought itself into compliance.

D. On breaches of the obligation to ensure data security

36. Under the terms of Article 32 of the GDPR, "1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risk, including, among other things, as needed:

a) pseudonymization and encryption of personal data;

(b) means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;

c) means to restore the availability of and access to personal data within appropriate time frames in the event of a physical or technical incident;

d) a procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing".

1. On user account passwords

37. To propose to the restricted panel that it find that the company had failed to comply with its obligations under Article 32 of the GDPR, the rapporteur noted that during the online check, the delegation had first observed that when creating a user account on the company's website, six-character passwords composed of three categories of characters (uppercase, lowercase and numbers) were accepted and that no access restriction in the event of authentication failure was implemented. In addition, he noted that 49,214 passwords were stored in plain text in the company's database, associated with the corresponding email address and identifier. Finally, the rapporteur noted that the passwords which were not kept in clear text were stored in hashed and salted form using the SHA-1 function, which is deemed obsolete.

38. In defense, the company does not dispute the breaches, but declares that it has taken corrective action. First of all, it states that it has adapted its password policy in order to achieve the minimum entropy of 50 bits recommended by the CNIL when the password is accompanied by an access restriction measure, and indicates that the implementation of these new measures was finalized in August 2023. It also criticizes the rapporteur for relying on informal verifications which allowed him to note that entropy was still insufficient on the date the report was sent. Next, the company specifies that the access to clear-text passwords was due to technical constraints linked to the implementation of encryption measures for the passwords of old accounts created at the start of its activity, and that as of the date of its defense observations, all passwords are encrypted within the database. Finally, the company takes note of the rapporteur's conclusions concerning the use of the SHA-1 hashing algorithm and announces that it has opted to switch to the SHA-512 standard, effective since July 2023.
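
Paragraphs 37 and 38 describe a password table holding three storage formats at once (clear text, salted SHA-1, and a newer scheme) and a migration constrained by old accounts. The following is an added example, not the company's code and not part of the decision, of how such a table is inventoried and how legacy rows are replaced transparently on the next successful login, so that the backlog shrinks without forcing resets. The record layout and sample rows are constructed; the target scheme, PBKDF2-HMAC-SHA512 with a per-user random salt and the iteration count shown, is this example's own choice and assumption (the decision only records the company's move from SHA-1 to SHA-512).

```python
# Added example (not the company's code, not part of the decision): inventory a
# password table by storage scheme and upgrade legacy rows transparently on the
# next successful login. Record format and sample rows are constructed. The
# target scheme (PBKDF2-HMAC-SHA512, per-user random salt) and the iteration
# count are this example's assumptions.
import base64
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 210_000  # assumed work factor; raise as hardware improves


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def legacy_sha1_salted(password: str, salt: bytes) -> str:
    """The obsolete scheme the decision describes (salted SHA-1). Kept here only
    to verify old rows before replacing them; never used for new rows."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_pbkdf2_record(password: str) -> dict:
    """Fresh row in the target scheme with a random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha512", "salt": _b64(salt),
            "iterations": PBKDF2_ITERATIONS, "hash": _b64(digest)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison for every scheme still present in the table."""
    scheme = record["scheme"]
    if scheme == "plain":  # clear text, as found for 49,214 rows in the decision
        return hmac.compare_digest(record["hash"].encode("utf-8"), password.encode("utf-8"))
    if scheme == "sha1":
        expected = legacy_sha1_salted(password, base64.b64decode(record["salt"]))
        return hmac.compare_digest(record["hash"].encode("ascii"), expected.encode("ascii"))
    if scheme == "pbkdf2-sha512":
        digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                     base64.b64decode(record["salt"]), record["iterations"])
        return hmac.compare_digest(base64.b64decode(record["hash"]), digest)
    raise ValueError(f"unknown scheme {scheme!r}")


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, replacement). replacement is a new pbkdf2 row when the login
    succeeded against a legacy row and should overwrite it; otherwise None."""
    if not verify(record, password):
        return False, None
    if record["scheme"] != "pbkdf2-sha512":
        return True, make_pbkdf2_record(password)
    return True, None


def inventory(records) -> dict:
    """Rows per scheme; the 'plain' and 'sha1' counts are the remediation backlog."""
    return dict(Counter(r["scheme"] for r in records))


# Constructed sample table, one row of each scheme.
_LEGACY_SALT = b"constructed-salt"
SAMPLE_TABLE = [
    {"scheme": "plain", "hash": "Winter2021!"},
    {"scheme": "sha1", "salt": _b64(_LEGACY_SALT),
     "hash": legacy_sha1_salted("Tr0ub4dor&3", _LEGACY_SALT)},
    make_pbkdf2_record("correct horse battery staple"),
]

if __name__ == "__main__":
    print(inventory(SAMPLE_TABLE))
    ok, replacement = verify_and_upgrade(SAMPLE_TABLE[0], "Winter2021!")
    print(ok, replacement["scheme"] if replacement else None)
```

The inventory is the number a controller can put in front of an auditor (how many rows are still clear text or SHA-1), and the upgrade-on-login path removes those rows one successful authentication at a time. Rows whose owners never log in again stay in the backlog, which is where the retention pass described earlier in the decision comes in: an account past its retention period is deleted rather than migrated.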

39. First of all, the restricted panel recalls that it follows from Article 32 of the GDPR that the controller is required to ensure that the automated processing it implements is sufficiently secure. The sufficiency of the security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it induces and, on the other hand, taking into account the state of the art and the cost of the measures.

40. The restricted panel considers, first, that overly permissive password complexity rules, which allow the use of insufficiently strong passwords, can expose accounts to attacks by unauthorised third parties, such as "brute force" or "dictionary" attacks, which consist of successively and systematically testing large numbers of passwords, and thus lead to the compromise of the associated accounts and of the personal data they contain.

41. It notes in this regard that the need for strong passwords is recommended both by the French National Cybersecurity Agency (ANSSI) and by the Commission in its deliberation no. 2017-012 of January 19, 2017 adopting a recommendation on passwords, a requirement confirmed in its deliberation no. 2022-100 of July 21, 2022.

42. By way of illustration, the rapporteur recalls that the Commission considers in its deliberation no. 2017-012 of January 19, 2017 – which is admittedly not binding but which provides relevant guidance on the appropriate security measures to take – that, to ensure a sufficient level of security and confidentiality, where authentication relies solely on an identifier and a password, the password must be composed of at least twelve characters including uppercase, lowercase, digits and special characters.

43. Failing this, the Commission considers that authentication based on a password of at least eight characters, drawn from three different categories of characters, is acceptable provided it is accompanied by a complementary measure such as, for example, delaying access to the account after several failures (a temporary suspension of access whose duration increases with each attempt), a mechanism protecting against automated and intensive submission attempts (e.g. a "captcha"), and/or blocking of the account after several unsuccessful authentication attempts (at most ten).
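The two alternatives in paragraphs 42 and 43 are easy to get wrong in code, so the following is an added example (it is not part of the decision and not the company's code) that checks a candidate password against both alternatives of deliberation 2017-012 and implements the complementary measures the decision names: a delay that grows with each failed attempt and a lockout after ten failures. The 50-bit entropy figure mentioned in the company's defence is computed here with the naive length × log2(pool size) estimate; that this is how the threshold is measured, and that "special characters" means the printable ASCII punctuation set, are assumptions. The sample passwords and account name are constructed.

```python
from __future__ import annotations

import math
import string
from dataclasses import dataclass, field

# Character classes as the CNIL recommendation counts them. Assumption: "special
# characters" is taken to be the 32 printable ASCII punctuation characters.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


def classes_used(password: str) -> set[str]:
    """Names of the character classes that appear at least once in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(password: str) -> float:
    """Naive strength estimate: length * log2(size of the pool of classes used).

    Assumption: this is how the entropy thresholds of the 2022 recommendation are
    evaluated at sign-up. It over-estimates for dictionary words and patterns."""
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_2017_rule(password: str, has_access_restriction: bool) -> bool:
    """The two alternatives of deliberation 2017-012 quoted in the decision:
    - password alone: at least 12 characters drawn from all four classes;
    - with a complementary measure (increasing delay, captcha or lockout):
      at least 8 characters drawn from at least three classes."""
    used = classes_used(password)
    if has_access_restriction:
        return len(password) >= 8 and len(used) >= 3
    return len(password) >= 12 and len(used) == 4


@dataclass
class LoginThrottle:
    """Complementary measures named in the decision: a delay that grows with each
    failed attempt, and lockout after a maximum number of failures (ten here)."""
    max_failures: int = 10
    base_delay: float = 1.0                      # seconds; doubles per failure (assumption)
    _state: dict = field(default_factory=dict)   # account -> (failure count, not-before time)

    def check(self, account: str, now: float) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for an attempt on `account` at time `now`."""
        count, not_before = self._state.get(account, (0, 0.0))
        if count >= self.max_failures:
            return False, math.inf       # locked: needs an out-of-band unlock
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, account: str, now: float) -> None:
        """Increase the failure count and push the next allowed attempt further out."""
        count, _ = self._state.get(account, (0, 0.0))
        count += 1
        self._state[account] = (count, now + self.base_delay * 2 ** (count - 1))

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for the account."""
        self._state.pop(account, None)


if __name__ == "__main__":
    # Constructed samples: "Ab3def" is a six-character, three-class password of the
    # kind the inspection found to be accepted (no relation to any real account).
    for pw in ("Ab3def", "Abc3efgh", "Tr0ub4dor&3!"):
        print(pw, sorted(classes_used(pw)), f"{entropy_bits(pw):.1f} bits",
              "alone:", meets_2017_rule(pw, False),
              "with restriction:", meets_2017_rule(pw, True))
```

On a six-character, three-class password the estimate gives roughly 36 bits, which fails both alternatives of the 2017 rule and the 50-bit floor. Note that an eight-character, three-class password scores only about 48 bits under this estimate, so the 50-bit floor with an access restriction is slightly stricter than the eight-character rule it replaces; a policy that still advertises "8 characters, 3 classes" will admit passwords the entropy rule rejects.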

44. The restricted panel emphasizes that it has, on several occasions, adopted financial sanctions where the characterization of a breach of Article 32 of the GDPR is the result of insufficient measures to guarantee the security of the data processed. Deliberations No. SAN-2019-006 of June 13, 2019, No. SAN-2019-007 of July 18, 2019 and No. SAN-2022-018 of September 8, 2022 target in particular the insufficient robustness of passwords.

45. Next, the restricted panel recalls that storing passwords securely is a basic precaution in terms of personal data protection. As early as 2013, ANSSI drew attention to good practice regarding the storage of passwords, indicating that they must "be stored in a form transformed by a one-way cryptographic function (hash function) that is slow to compute, such as PBKDF2" and that "the transformation of passwords must involve a random salt to prevent attacks using precomputed tables" (ANSSI, "News Bulletin CERTA-2013-ACT-046", November 15, 2013, https://www.cert.ssi.gouv.fr/actualite/CERTA-2013-ACT-046/).

46. Likewise, in its deliberation no. 2017-012 of January 19, 2017, the CNIL already stated that it "recommends [that the password] be transformed by means of a non-reversible and secure cryptographic function (that is to say, using a public algorithm deemed strong whose software implementation is free of known vulnerabilities), incorporating the use of a salt or a key". Indeed, non-robust hash functions have known weaknesses and do not guarantee the integrity and confidentiality of passwords against a brute-force attack following a compromise of the servers hosting them.

47. The restricted panel notes that in this case, at the time of the checks, the passwords of users of the website www.neosurf.com could be composed of only six characters from three categories, with no complementary security measure.

48. It considers that such a construction did not ensure the security of the data or prevent unauthorised third parties from gaining access to it. The restricted panel recalls that, as the rapporteur pointed out, on the day of the on-site inspection the company was processing the data of nearly 700,000 user accounts, such as surname, first name, date of birth, email address, postal address and telephone number, but also bank details (when the user decides to use an electronic wallet) or even proof of identity and address (when a payment exceeds a certain amount). Authentication based on such a password, short and lacking additional security measures, can lead to attacks by unauthorised third parties and thus to the compromise of user accounts and of the numerous personal data they contain.

49. Consequently, the restricted panel considers that the password policy deployed was not sufficiently robust to guarantee the security of the data processed, in breach of Article 32 of the GDPR.

50. Secondly, the restricted panel notes that keeping user passwords in plain text, associated with their identifiers and email addresses, does not guarantee their security. This method of storage means that anyone with access to the company's customer database can read and collect them. These passwords, associated with their identifiers, give access to all the personal data contained in the users' neosurf accounts, and potentially to accounts on other services, since, as the rapporteur underlined, the same identifiers and passwords are often reused across several services.

51. Under these conditions, the restricted panel considers that the methods of storing passwords did not, at the time of the findings, guarantee the security and confidentiality of the personal data of Neosurf account holders, in breach of Article 32 of the GDPR.

52. Thirdly, the restricted panel recalls that the use of the SHA-1 function for hashing passwords is no longer considered to be in line with the state of the art, as appears in particular from the cryptographic algorithm selection guide published by ANSSI on March 8, 2021, which states that it is "prohibited for general use". The restricted panel further notes that, in the current state of the art, the CNIL has issued specific recommendations in its guide for developers, recommending that passwords be stored "in hashed form using a proven library, such as Argon2, yescrypt, scrypt, balloon, bcrypt and, to a lesser extent, PBKDF2" (https://lincnil.github.io/Guide-RGPD-du-developpeur/).
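Paragraphs 45 and 46 (slow, salted one-way function) and paragraph 52 (the CNIL developer guide's list of functions) describe the storage scheme that was missing here, and paragraph 38 records the company's argument that old accounts were hard to migrate. The following is an added example, not the decision's text and not the company's code, of both points: passwords are hashed with scrypt from Python's standard library, one of the functions named in the guide, and a legacy record is verified once and transparently upgraded at the user's next successful login, which is the standard answer to the migration argument, since the password is available in clear exactly at that moment. One caveat the decision does not make explicit: paragraph 53 records the later switch to SHA-512 as satisfactory, but SHA-512, like SHA-1, is a fast general-purpose hash, whereas every function in the guide's list is deliberately slow or memory-hard; the example therefore uses scrypt. The work factors, the `$`-separated record format, the `plain$` representation of a plaintext row and the sample store are assumptions and constructed data.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# scrypt work factors. Assumption: interactive-login parameters (16 MiB, tens of ms
# per hash); raise N when the hardware allows. 128 * r * N must stay under the
# memory limit hashlib.scrypt enforces (32 MiB by default).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16
SCRYPT_PREFIX = f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}$"


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted, memory-hard hash in a self-describing '$'-separated record (assumed format)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"{SCRYPT_PREFIX}{salt.hex()}${digest.hex()}"


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """The obsolete scheme found at the inspection: salted SHA-1. Kept only so that
    old records can be verified once and then upgraded; never used for new records."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against whichever scheme the stored record declares."""
    scheme, *fields = stored.split("$")
    if scheme == "scrypt":
        n, r, p, salt_hex, digest_hex = fields
        calc = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                              n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
        return hmac.compare_digest(calc.hex(), digest_hex)
    if scheme == "sha1":
        salt_hex, digest_hex = fields
        calc = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(calc, digest_hex)
    if scheme == "plain":
        # Constructed representation of a plaintext row, as found for 49,214 accounts.
        return hmac.compare_digest(fields[0].encode(), password.encode())
    raise ValueError(f"unknown password scheme {scheme!r}")


def needs_rehash(stored: str) -> bool:
    """True for any record not in the current scheme with the current parameters."""
    return not stored.startswith(SCRYPT_PREFIX)


def login(records: dict[str, str], username: str, password: str) -> bool:
    """Authenticate and transparently migrate the record to the current scheme."""
    stored = records.get(username)
    if stored is None:
        # Spend the same work for unknown users so they cannot be told apart by timing.
        hash_password(password, salt=bytes(SALT_LEN))
        return False
    if not verify(stored, password):
        return False
    if needs_rehash(stored):
        records[username] = hash_password(password)   # password is in clear only here
    return True


if __name__ == "__main__":
    # Constructed sample store: one legacy salted-SHA-1 record and one plaintext
    # record (no real data). Both are upgraded to scrypt on first successful login.
    store = {
        "alice": legacy_sha1_hash("correct horse battery staple", bytes(range(16))),
        "bob": "plain$hunter2",
    }
    print("wrong password accepted:", login(store, "alice", "Tr0ub4dor&3"))
    print("right password accepted:", login(store, "alice", "correct horse battery staple"))
    print("bob migrated:", login(store, "bob", "hunter2"), store["bob"][:22] + "...")
```

Because the record carries its own parameters, raising `SCRYPT_N` later makes `needs_rehash` true again for every older record, so the same login path also handles future work-factor increases; records that are never logged into again should be handled by the retention policy discussed elsewhere in the decision rather than left in the weaker form indefinitely.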

53. Consequently, the restricted panel considers that the aforementioned facts, which are not contested by the company, constitute breaches of the obligations of Article 32 of the GDPR. It notes that since the checks the company has remedied the shortcomings noted by implementing a password policy with an adequate level of security, by encrypting all passwords and by demonstrating the implementation of a satisfactory hashing system for those passwords, in SHA-512.

2. On sharing access to the customer database

54. The rapporteur notes that, during the on-site inspection, the delegation was informed that the account used for access to the customer database was shared by the development team.

55. In defence, the company contests the existence of the breach. It argues that only one employee has restricted access to the database to carry out his duties as a developer, and that a second person is authorised to access this database in his role as database administrator. It specifies that the connection is made through a bastion, that is to say an intermediate connection server which then gives access to the database, and that only access to the bastion is shared. Once connected to the bastion, connection to the database is allowed by an identifier and a complex sixteen-character password: the company indicates that the database administrator and the developer have separate identifiers and passwords to connect to the database and that connections are filtered by IP address, which, it says, preserves the traceability of access to the database.

56. The restricted panel notes that it appears from the explanations provided by the company that the development team consists of a single employee and that, therefore, only two people are authorised to access the customer database, namely, on the one hand, the database administrator and, on the other hand, the developer, who has restricted access to this database. The restricted panel also notes that the developer, like the administrator, has an individual access account for this database.

57. Consequently, the restricted panel considers that the breach is not constituted.

E. On the failure to comply with the obligations of article 82 of the Data Protection Act

58. Article 82 of the Data Protection Act provides that: "any subscriber or user of an electronic communications service must be informed clearly and completely, unless they have been informed in advance, by the controller or its representative:

1° The purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment;

2° The means available to him to oppose it.

These accesses or recordings may only take place on condition that the subscriber or user has expressed, after having received this information, their consent, which may result from appropriate settings of their connection device or of any other device placed under their control.

These provisions are not applicable if access to information stored in the user's terminal equipment or the recording of information in the user's terminal equipment:

1° Either, has the exclusive purpose of enabling or facilitating communication by electronic means;

2° Either, is strictly necessary for the provision of an online communication service at the express request of the user.

59. These provisions transpose into French law Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the electronic communications sector (known as the “e-Privacy directive”).

1. On the deposit of Google Analytics cookies on the user's terminal without obtaining their consent

60. The rapporteur notes that during the online check, the delegation noted the deposit of thirteen cookies before any action by the user upon arrival on the home page of the website www.neosurf.com, including audience measurement cookies from Google Analytics, which should have been subject to the user's prior consent.

61. In defence, the company first maintained during the investigation that the Google Analytics cookie was an audience measurement tool for internal use exempt from consent collection, before acknowledging the facts in its defence observations and announcing that it no longer uses this tool. It provides a document attesting that, as of August 16, 2023, Google Analytics cookies are no longer placed on the terminals of users of the neosurf website and application.

62. The restricted panel recalls that article 82 of the Data Protection Act provides that operations to access or record information in a user's terminal may only take place after the user has given consent, the only exemptions being cookies whose exclusive purpose is to enable or facilitate communication by electronic means and those strictly necessary for the provision of an online communication service at the express request of the user.

63. The restricted panel considers that it appears from the documentation published online by the company GOOGLE that, on the one hand, depending on the settings chosen by the publisher of the site concerned, Google Analytics cookies may include advertising functionalities and that, on the other hand, whatever setting is chosen regarding those advertising functionalities, the data collected via Google Analytics cookies may be reused to maintain and protect the Analytics service.

64. Therefore, the restricted panel considers that the placement of these cookies is subject to the prior collection of the user's consent, since their exclusive purpose is not to enable or facilitate communication by electronic means and they are not strictly necessary for the provision of a service expressly requested by the user.

65. Consequently, the restricted panel considers that by allowing the placement and reading of the Google Analytics cookie on the terminal of people when they arrive on the website www.neosurf.com, without first obtaining their consent, the company has deprived them of the possibility, which is granted to them by article 82 of the Data Protection Act, to exercise a choice regarding the placement of tracers on their terminal equipment.

66. The restricted panel notes that the company demonstrated during the procedure that since August 16, 2023, no Google Analytics cookies are placed on user terminals. It nevertheless recalls that the compliance measures adopted cannot exempt the company from its responsibility for the past.

2. On the use of the Google reCaptcha mechanism without obtaining user consent

67. The rapporteur notes that the company used the Google reCaptcha module, with the aim of blocking robots on the registration and connection page to the website and the neosurf mobile application. It considers that the use of a module without prior collection of the user's consent is contrary to article 82 of the Data Protection Act, to the extent that it does not fall under any of the exemptions provided for by this article.

68. In defence, the company does not dispute the facts described by the rapporteur, but indicates that it has remedied the deficiencies noted in the report by making the use of reCaptcha subject to the prior consent of the user and by not placing any cookies or trackers on the user's terminal in case of refusal. The company adds that GOOGLE's reCaptcha was definitively replaced by another solution at the end of October 2023. However, it considers that, in view of the hard-to-read and inaccessible information provided by the company GOOGLE regarding the consequences of using the reCaptcha service, it would be unfair to hold its client companies liable for breaches of article 82 of the Data Protection Act without taking into account the lack of transparency and accessibility of the contractual information provided by the company GOOGLE, which the CNIL has already sanctioned on these grounds (CNIL n°SAN-2019-001 of January 21, 2019 and n°SAN-2021-023 of December 31, 2021). Consequently, it requests a downward revision of the proposed fine.

69. In this case, the restricted panel notes that a reCaptcha mechanism provided by the company GOOGLE is used when creating an account and when logging in to the website and the neosurf mobile application. It considers that it is indeed the publisher of the site, in this case NS CARDS FRANCE, who chose to use the reCaptcha mechanism and thereby allowed the reading and writing of information on users' terminals.

70. In view of these elements, the restricted panel considers that the company is not justified in maintaining that it would be unfair to hold GOOGLE's client companies, of which it is one, liable for breaches of article 82 of the Data Protection Act on the ground of the lack of transparency and accessibility of GOOGLE's contractual conditions. Indeed, the restricted panel considers that, as a company using Google's reCaptcha service, the company is also responsible for compliance with the provisions of the Data Protection Act when using this mechanism.

71. Secondly, the restricted panel considers that while a controller may rely on an exemption from the information and consent requirements when the read/write operations carried out on a user's terminal have the sole purpose of securing an authentication mechanism for the benefit of users (see, to this effect, CNIL, FR, Deliberation no. SAN-2021-013, cited above), the position is different when these operations also pursue other purposes which are not strictly necessary for the provision of the service. The Google reCaptcha mechanism does not have the sole purpose of securing the authentication mechanism for the benefit of users but also enables analysis operations on the part of Google, as the company GOOGLE itself specifies in its terms of use.

72. The restricted panel notes that the company GOOGLE informs companies using reCaptcha technology, in terms of use available online, that the operation of the reCAPTCHA API relies on the collection of hardware and software information (such as device and application data) and that this data is sent to Google for analysis. GOOGLE also specifies that it is the responsibility of these companies to inform users and obtain their permission for the collection and sharing of data with GOOGLE.

73. It appears from these elements that the company NS CARDS FRANCE should have obtained users' consent to the use of reCaptcha, which was not the case in this case.

74. In view of the above, the restricted panel considers that by using the reCaptcha mechanism provided by the company GOOGLE without obtaining their consent, the company disregarded the provisions of article 82 of the Data Protection Act. The restricted panel takes note, as was confirmed during the hearing, that the company NS CARDS FRANCE has no longer used this technology since the end of October 2023. However, at the date of the controls, this mechanism was indeed used, without prior consent of users.

III. On corrective measures and their publicity

75. Under the terms of III of article 20 of the law of January 6, 1978 as amended:

"When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the Commission Nationale de l'Informatique et des Libertés may also, if necessary after having sent the warning provided for in I of this article or, where applicable, in addition to the formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to imposing, after adversarial proceedings, one or more of the following measures: […] 7° Except where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the cases referred to in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of that turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83."

76. Article 83 of the GDPR provides that “Each supervisory authority shall ensure that the administrative fines imposed […] are, in each case, effective, proportionate and dissuasive”, before specifying the elements to be taken into account for decide whether to impose an administrative fine and to decide the amount of this fine.

A. On the imposition of an administrative fine and its amount

1. On the imposition of an administrative fine

77. In defense, the company considers that the proposed administrative fine is disproportionate in relation to the alleged breaches and its conduct since it has implemented several corrective measures, in particular, the effective application of its data retention policy of user accounts, the establishment of a password policy presenting an adequate level of security, the use of a password hashing algorithm compliant with the state of the art and the collection of consent to the storage of cookies and trackers when required. Regarding this last breach, it considers it unfair to seek the responsibility of publishers alone when in reality, the repressive policy of the CNIL seeks to obstruct the use of certain tools such as those offered by the company GOOGLE. In addition, it emphasizes having fully cooperated with the services of the CNIL. Finally, it considers that the fine of 200,000 euros proposed by the rapporteur is equivalent to 1.8% of its 2020 turnover and is therefore excessive.

78. The restricted panel recalls that, when imposing an administrative fine, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the infringement, the scope or purpose of the processing concerned, the number of data subjects affected, the measures taken by the controller to mitigate the damage suffered by data subjects, whether the infringement was committed negligently, the degree of cooperation with the supervisory authority and, in certain cases, the level of damage suffered by the persons concerned.

79. The restricted panel first notes that the breaches alleged against the company infringe fundamental principles of the GDPR and concern a large number of people.

80. Concerning the breach of the principle of storage limitation, the company was negligent in merely deactivating the user accounts it retained instead of anonymising or deleting the data they contained. In any event, even assuming it was applied, the ten-year retention period declared during the checks was not accompanied by any sorting between data to be kept and data to be deleted, as the company confirmed at the hearing. The restricted panel notes that this breach potentially concerns a significant number of people, the company stating that around 700,000 users had an account on the date of the checks.

81. Regarding the failure to comply with the obligation to inform data subjects and to ensure transparency, the restricted panel notes that the company failed to provide complete and transparent information to the persons concerned, which is nonetheless an essential prerequisite for this type of processing of personal data.

82. With regard to the failure to comply with the obligation to ensure the security of personal data, the restricted panel highlights the number of failures to comply with basic security obligations, namely an insufficiently robust password policy for user accounts containing, for some, bank details, and password hashing using an obsolete function. The restricted panel considers, like the rapporteur, that the accumulation of these security defects by a company offering online payment solutions and collecting highly personal categories of data contributed to the fact that said data did not sufficiently benefit from the protection offered by the GDPR.

83. Regarding the breach relating to cookies placed on the user's terminal when visiting the company's website, the restricted panel considers that the lack of collection of consent concerned each of the people who visited the website in question, necessarily several hundred thousand people, taking into account the fact that the company claimed approximately 328,186 unique visitors to its website between the months of September 2020 and September 2021. It also notes that the use of the reCaptcha module of Google without prior collection of user consent concerned at least potentially 700,000 account holders on the date of the checks.

84. Finally, while taking into account that the company has implemented measures following notification of the sanction report, the restricted panel notes that these actions do not exempt the company from its liability for the breaches constituted for the past.

85. Consequently, the restricted panel considers that it is appropriate to impose an administrative fine for breaches of articles 5-1-e), 12, 13 and 32 of the GDPR and 82 of the Data Protection Act.

2. On the amount of the administrative fine

86. The restricted panel first notes that breaches of Articles 5-1-e), 12 and 13 of the GDPR constitute breaches of key principles of the GDPR which may, under Article 83 of the GDPR, be subject to an administrative fine of up to 20,000,000 euros or up to 4% of annual turnover, whichever is higher.

87. The restricted panel then recalls that administrative fines must be effective, proportionate and dissuasive. It notes that the company NS CARDS FRANCE achieved, in 2020, a turnover of around […] euros for a net result of […] euros. The restricted panel notes that the rapporteur has ruled out the breach relating to the sharing of access accounts to the database and that the company does not contest the other breaches referred to in the report.

88. Therefore, with regard to the liability of the company, its financial capacity and the relevant criteria of Article 83 of the Regulation, the restricted panel considers that an administrative fine in the amount of 90,000 (ninety thousand) euros for breaches of articles 5-1-e), 12, 13 and 32 of the GDPR and an administrative fine in the amount of 15,000 (fifteen thousand) euros for breaches of article 82 of the Data Protection Act appear justified.

B. On publicity

89. The company contests the rapporteur's proposal to make this deliberation public, invoking in particular the protection of business secrets, to which it says its contractual obligations under the contract concluded with the electronic money issuing institution relate.

90. The restricted panel considers that the publication of this decision is justified in view of the seriousness of the breaches in question and the number of people concerned. It also considers that publicising the sanction will notably make it possible to inform all those affected by the breaches. Finally, with regard to the argument linked to the disclosure of business secrets, it recalls that information relating to business secrets is redacted from its published decisions.

91. Finally, the measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose an administrative fine on the company NS CARDS FRANCE in the amount of ninety thousand euros (€90,000) for breaches of articles 5-1-e), 12, 13 and 32 of Regulation (EU) 2016/679 of April 27, 2016 on data protection;

• impose an administrative fine against the company NS CARDS FRANCE in the amount of fifteen thousand euros (€15,000) for breach of article 82 of the law of January 6, 1978 as amended;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.