CNIL - SAN-2020-014

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 9 GDPR, Article 32 GDPR, Article 33 GDPR
Type: Complaint
Outcome: Upheld
Decided: 07.12.2020
Published: 17.12.2020
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: SAN-2020-014
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Fra-data67

The French DPA (CNIL) imposed a €3000 fine on a private doctor for failing to comply with the security obligation. His patients' health data were freely accessible on the web in breach of Article 32 GDPR.

English Summary

Facts

Following the report made by a website, the CNIL carried out an online check in September 2019. On this occasion, the Commission found that thousands of medical images hosted on servers belonging to a private doctor were freely accessible on the Internet.

Dispute

  • Does opening all the ports of one's internet box in order to remotely access patients' health data constitute a breach of the security obligation of Article 32 GDPR?
  • Does the fact that this health data is not encrypted constitute a breach of the security obligation under Article 32 GDPR?
  • Does the fact that the data breach was brought to the doctor's attention by the CNIL's control department relieve the doctor of his obligation to notify a breach, as required by Article 33 GDPR?

Holding

During the hearing, the doctor said that in order to remotely access the medical images stored on the hard drive of the home computer, he opened the ports of his home internet box by activating the DMZ mode of the home computer in order to operate the VPN.

The CNIL imposed an administrative fine of €3000 on a doctor whose patients' health data was freely accessible on the web. The French DPA based its decision on two breaches: failure to comply with the security obligation, and failure to notify the breach to the CNIL.

On the failure to comply with the security obligation

After recalling the provisions of Article 32 GDPR, the CNIL noted several points:

  • The doctor had not taken care to limit the network functions to those strictly necessary for the processing to function.
  • Based on its Personal Data Security guide, the CNIL recommends providing encryption means for mobile workstations and mobile storage media, for example by encrypting the entire hard disk when the operating system offers it, encrypting file by file or creating encrypted containers (a file that may contain several files). Similarly, the Practical Guide for Physicians encourages physicians to encrypt their patients' data with suitable software. In this case, the French DPA emphasizes that none of the data freely accessible on the Internet was encrypted.
  • The CNIL recalls that the data concerned are so-called sensitive data within the meaning of Article 9 GDPR. The CNIL's restricted formation thus recalls that the data concerned by the breach included, in addition to the medical images, the patient's surname, first names and date of birth, the date the examination was carried out, the name of the referring practitioner and the practitioner who carried out the examination, and the name of the establishment where the examination took place. In addition, the data were exposed for approximately 4 months.

Based on the evidence, the CNIL therefore concludes that there has been a breach of the obligation of security, as provided for in Article 32 GDPR.

On the failure to comply with the obligation to notify breaches to the DPA

In the present case, the doctor is accused of not having reported the data breach to the CNIL services, which the doctor disputes by stating that the need to notify the CNIL of the breach was never indicated to him.

Recalling the provisions of Article 33 GDPR, the CNIL emphasised that the fact that the data breach was brought to the doctor's attention by the CNIL's control department did not relieve him of this obligation to notify. Moreover, the Commission notes that the existence and nature of the obligation to notify appeared in the email of 8 October 2019 informing the doctor of the data breach. It therefore concludes that there has been a breach of Article 33 GDPR.

Comment

This decision is linked to decision SAN-2020-015, by which the French DPA imposed a fine of €6,000 on a private doctor for having insufficiently protected the personal data of their patients and not having notified a data breach to the CNIL.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

National Commission for Computing and Freedoms

    Nature of deliberation: Sanction
    Legal status: In force 

    Publication date on Légifrance: Thursday, December 17, 2020 

Deliberation of the restricted formation No. SAN-2020-014 of December 7, 2020 concerning Mr. [...]

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ladies Dominique CASTERA, Anne DEBET and Christine MAUGÜE, members;

Considering Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Considering Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Considering Deliberation No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Decision No. 2019-152C of September 20, 2019 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing operations accessible, in particular, from the IP address with the number [...];

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated July 27, 2020;

Having regard to the report by Mr. François PELLEGRINI, commissioner rapporteur, notified to Mr. [...] on September 23, 2020;

Having regard to the oral observations made during the session of the restricted formation;

Having regard to the other documents in the file;

The following were present during the restricted formation session on December 3, 2020:

    Mr François PELLEGRINI, commissioner, heard in his report; 

As representative of Mr. [...]:

    [...] ; 

Counsel for Mr. [...] having had the floor last;

The restricted committee adopted the following decision:

I. Facts and procedure

    1. Mr. [...] exercises a liberal activity [...] in Paris [...].
    2. On […], the […] website reported free access to medical imaging computer servers located […] allowing consultation and downloading […] of medical images (MRI, radios, scanners, etc.) followed in particular by surname, first name, date of birth and date of consultation of patients.
    3. In application of Decision No. 2019-152C of September 20, 2019 of the President of the National Commission for Informatics and Freedoms (hereinafter the CNIL or the Commission), the services of the CNIL carried out an online check on September 20 and 24, 2019, which confirmed the freely accessible nature of this data, which can be consulted using simple medical image viewing software. The check also made it possible to establish the list of IP addresses of these servers which are located in France.
    4. The purpose of this check was in particular to verify that the holders of these IP addresses complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and Law No. 78-17 of 6 January 1978 relating to computers, files and liberties (hereinafter the Data Protection Act).
    5. After asking the various Internet service providers to provide them with the identity and contact details of the data controllers using these French IP addresses, the CNIL services were informed that one of these addresses, bearing the number [...], was assigned to Mr. [...].
    6. By e-mail of October 8, 2019, the control delegation notified Mr. [...] of the online check, after having informed him of the freely accessible nature of the medical images of his patients from the IP address of his server.
    7. By e-mail of October 9, Mr. [...] replied that he had taken the necessary steps to put an end to the violation.
    8. On December 6, 2019, Mr. [...] was interviewed by the control delegation on the premises of the CNIL. He indicated that in order to be able to remotely access the medical images stored on the hard drive of the fixed computer at his home, he opened the ports of the LiveBox used at his home by activating the DMZ mode of the latter, with the aim of making the VPN work.
    9. For the purposes of examining these elements, the President of the Commission appointed Mr. François PELLEGRINI as rapporteur, on July 27, 2020, on the basis of article 22 of the Data Protection Act.
    10. At the end of his investigation, the rapporteur had a report personally delivered to Mr. [...], on September 23, 2020, detailing the breaches of the GDPR that he considered constituted in this case. The same day, the services of the CNIL notified him of an invitation to the restricted formation session of December 3, 2020.
    11. This report proposed to the restricted formation of the Commission to pronounce an administrative fine against Mr. [...] for breaches of Articles 32 and 33 of the Regulation.
    12. On November 20, 2020, Mr. [...] requested, through his counsel, the postponement of the session of the restricted formation. This request was rejected on November 26, 2020 by the president of the restricted formation.
    13. The counsel for Mr. [...] and the rapporteur presented oral observations during the session of the restricted formation.

II. Reasons for the decision

A. On the failure to ensure the security of the data processed

14. Pursuant to Article 32 (1) of the GDPR, the controller implements the appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk.

15. The a) and b) of this same paragraph 1 provide that depending in particular on the scope, context and purposes of the processing as well as the risks for the data subjects, the data controller implements the encryption of personal data and the means to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services.

16. The rapporteur argues that the vulnerability of the medical imaging device at the origin of the data breach is attributable to Mr. [...], who did not implement the appropriate technical measures to guarantee the security of the processing.

17. The counsel for Mr. [...] replied that his client had no desire to allow free access to these medical images and that the violation was only the unfortunate consequence of the connection to his Internet box of the external hard drive connected to his home computer.

18. The restricted formation notes that, in application of article 32 of the GDPR, it was up to Mr. [...], as data controller, to ensure the security of the data that he processed in the context of his professional activity.

19. First of all, the restricted formation emphasizes that it is not disputed that the data breach was caused by the opening of the network ports of the Internet box used at Mr. [...]'s home coupled with the configuration of the imaging software server function [...].

20. It notes that in his email of 9 December 2019, Mr. [...] indicated: it so happens that this software [the imaging software [...]] includes a server function, that the mac is behind a LiveBox connected to the Internet and that (…) I think the 11112 port of the LiveBox is open to all winds. In addition, during his hearing on December 6, 2019, the latter specified that he had not had recourse to a service provider for the installation and configuration of the software [...] and had himself opened the ports of the LiveBox used at home (…) with the aim of making the VPN work.

21. It therefore emerges from these elements that Mr. [...] did not take care to limit the network functions to those which were strictly necessary for the processing to function.

22. However, the restricted formation emphasizes that the protection of the internal computer network and the encryption of personal data are part of the elementary requirements in terms of computer security, which are incumbent on any data controller.

23. In this regard, in the guide The security of personal data, which provides useful information to data controllers as to the measures to be implemented in order to guarantee the security of their processing, the Commission recommends authorizing only the network functions necessary for the processing implemented. Likewise, the Practical Guide for Physicians, published by the CNIL in consultation with the National Council of the Order of Physicians, invites physicians to limit as much as possible the connection of non-professional devices to the network within which patient data are processed, as well as using strong authentication means to access this network.

24. Next, the restricted formation stresses that it also emerges from the hearing of 6 December 2019 that Mr. [...] had not taken care to encrypt the data contained in his three laptops and in his desktop.

25. However, in the absence of encryption, the medical data contained in the hard disk of these computers were readable in clear by any person taking possession of these devices (for example, following their loss or their theft) or by any person breaking into the network to which these devices were connected.

26. In this regard, in its guide The security of personal data, the CNIL recommends providing means of encryption for nomadic workstations and mobile storage media (laptop computer, USB keys, external hard drive, CD-R, DVD-RW, etc.), for example via encryption of the entire hard disk when the operating system offers it, file-by-file encryption or the creation of encrypted containers (a file that may contain several files). Likewise, the Practical Guide for Physicians invites physicians to encrypt their patient data with appropriate software.

27. Finally, the restricted formation notes that the processing in question concerns medical data, which constitute special categories of personal data, within the meaning of Article 9 of the Regulation. The nature of this information therefore called for special vigilance in order to avoid a data breach.

28. The restricted formation recalls that among the data concerned by the violation, there were, in addition to the medical images, the surname, first names and date of birth of the patient, the date of the examination, the name of the referring practitioner and of the practitioner who performed the examination and the name of the establishment in which it took place.

29. It stresses that it emerges from Mr. [...]'s own statements in the context of his hearing on 6 December 2019 that more than five thousand three hundred sets of medical images are concerned.

30. Finally, it notes that the file shows that these data were disclosed for approximately four months.

31. In view of all of these elements, the restricted formation considers that a breach of article 32 of the GDPR has occurred.

B. On the failure to notify the data breach to the CNIL

32. Pursuant to Article 33 (1) of the GDPR, in the event of a personal data breach, the controller shall notify the breach in question to the competent supervisory authority in accordance with Article 55, as soon as possible and, if possible, 72 hours at the latest after becoming aware of it.

33. The rapporteur argues that Mr [...] did not report the data breach to the relevant Commission services.

34. Mr [...] replied that the need to notify the data breach to the Commission was never made known to him. He also invokes the artificial nature of such an obligation once he has been made aware of the free access to his medical imaging server by the CNIL control delegation.

35. The restricted formation considers that the data controller must comply with the notification requirement provided for in article 33 of the Regulation unless the violation in question is not likely to create a risk for the rights and freedoms of natural persons. The fact that the data breach was brought to the knowledge of Mr. [...] by the CNIL control service did not release him from this obligation.

36. In fact, following the check, the data controller may become aware of additional elements relating to the data breach which deserve to be communicated to the competent services of the CNIL, whose role is in particular to centralize the various data breaches and monitor them in order to prevent the compromise of personal data. A teleservice is available on the CNIL website to make these notifications.

37. In the present case, the restricted formation recalls that the existence and the nature of the notification obligation appeared in the email of October 8, 2019 which informed Mr. [...] of said data breach.

38. The restricted formation therefore considers that there has been a breach of article 33 of the Regulation.

III. On corrective measures and publicity

39. Under the terms of III of article 20 of the Data Protection Act:

When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, seize the restricted committee with a view to pronouncing, after contradictory procedure, of one or more of the following measures: […]

7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the worldwide annual turnover total for the previous fiscal year, whichever is greater. Under the assumptions mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

40. Article 83 of the GDPR provides:

1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:

a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

(b) whether the violation was committed willfully or negligently;

c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32;

e) any relevant breach previously committed by the controller or processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects thereof;

g) the categories of personal data affected by the breach;

(h) how the supervisory authority became aware of the breach, including whether, and to what extent, the controller or processor notified the breach;

(i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;

(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation.

41. Concerning the imposition of an administrative fine, counsel for Mr. [...] considers in particular that the corrective measure proposed by the rapporteur is disproportionate in view of his responsibility for the data breach and that the pronouncement of a call to order would be more justified.

42. He also claims that he reacted very quickly to put an end to the violation, as soon as he became aware of it by the delegation, and asserts his full cooperation with the Commission services.

43. The restricted formation recalls that in order to assess the advisability of pronouncing an administrative fine, it is necessary to refer to the relevant criteria specified by article 83, paragraph 2, of the GDPR.

44. In the present case, it considers that it is appropriate to first apply the criterion provided for in subparagraph f) of Article 83, paragraph 2, of the Regulation relating to the degree of cooperation established with the supervisory authority to remedy the violation and mitigate any negative effects.

45. The restricted formation notes that as soon as he learned of the violation, Mr. [...] immediately took the necessary measures to put an end to it.

46. It thus recalls that in his email of October 9, 2019 in response to the control delegation, Mr. [...] indicated that he had disabled the server function of the software and blocked the unnecessary ports on the Livebox.

47. However, the restricted formation underlines that the criteria provided for in subparagraphs a) and g) of article 83, paragraph 2, of the Regulation relating, on the one hand, to the nature and seriousness and the duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and on the other hand, the categories of personal data affected by the breach.

48. It thus notes that Mr. [...] has failed in two elementary principles in terms of computer security, namely the protection of the internal computer network by limiting network flows to what is strictly necessary and the encryption of personal data.

49. The restricted formation again underlines that the seriousness of the breach of article 32 of the GDPR is all the more characterized as health data is concerned and that this particular category of personal data must benefit from reinforced security measures, in accordance with recital 75 of the GDPR.

50. It repeats that the non-respect of these elementary practices had the direct consequence of making accessible more than five thousand three hundred series of health images comprising, for each of these series, in addition to the medical image, the names, first names and date of birth of each patient, the date of the examination, the name of the referring practitioner and of the practitioner who performed the examination and the name of the establishment in which it took place.

51. It recalls that the personal data housed on the hard drive of the fixed computer at Mr. [...]'s home remained accessible without any authentication for a period of approximately four months.

52. Finally, the restricted formation underlines that it is also appropriate to apply the criterion provided for in subparagraph h) of article 83, paragraph 2 of the Regulation relating to the manner in which the supervisory authority became aware of the violation, including whether and to what extent the controller notified the violation.

53. It recalls in this case that the Commission learned of the data breach through a press article and that Mr ... never notified it to the competent Commission services, even after the delegation of control has drawn its attention to this point.

54. In view of these elements, the restricted formation considers it necessary to pronounce an administrative fine against Mr. [...].

55. Regarding the determination of the amount of this fine, the restricted formation considers that the breach of Article 32 of the GDPR is of certain seriousness, that, on the other hand, the breach of Article 33 is of a formal nature in this case.

56. It notes that according to the statements of his counsel at the session of December 3, 2020, Mr. [...] received € 97,000 in income in 2018 and that pursuant to the provisions of Article 83, paragraph 4, of the GDPR, he incurs a financial penalty of a maximum amount of 10 million euros.

57. Consequently, having regard to Mr. [...]'s financial capacities and the relevant criteria of Article 83, paragraph 2, of the Regulation, the restricted formation considers that the pronouncement of a fine of € 3,000 appears both effective, proportionate and dissuasive, in accordance with the requirements of Article 83, paragraph 1, of this Regulation.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

    pronounce against Mr. [...] an administrative fine in the amount of € 3,000 (three thousand euros) for breaches of Articles 32 and 33 of the GDPR; 

    make this decision public on the CNIL website and on the Légifrance website without identifying the data controller. 

President

Alexandre LINDEN