Last month the French data protection regulator, CNIL, announced that it had imposed a €30,000 penalty on the fashion, beauty and home retailer BrandAlley. BrandAlley is reportedly in the top 15 e-commerce sites in France, with a claimed catalogue of more than 60,000 items. It also has a presence in other countries including Germany, Italy, the Netherlands and Spain.
The case is perhaps an illustration of some of the themes that we can expect from data protection regulators in the run-up to GDPR. We use some technical data protection terms in this alert, which are explained in our glossary here.
How did this action come about?
CNIL currently has a campaign to reduce identity fraud. As part of that campaign, CNIL conducted a spot check in January 2015 on a number of retailers including BrandAlley. The inspection identified a number of breaches of French data protection law, and CNIL sent a formal notice to BrandAlley.
What did BrandAlley do next?
BrandAlley sent CNIL what CNIL regarded as “an incomplete response”. As a result, CNIL carried out a second check in early 2016, which again revealed breaches including:
- The correct prior notifications had not been made to CNIL, including notification of the transfer of data to sub-contractors in Morocco and Tunisia;
- No data retention periods had been set for holding on to the data of customers and prospects and as a result older details had not been deleted;
- Cookies were not properly notified to users; and
- Adequate security measures were not put in place to secure personal data.
What does this case tell us?
The case illustrates the focus that some regulators currently place on data transfer. We have written extensively about the collapse of Safe Harbor, the doubts over the replacement Privacy Shield scheme and the ongoing legal challenge to model terms. You can see our earlier alerts and films on these topics here. Despite the complexities of data transfer, the BrandAlley case shows that doing nothing is not an option either. Proper contractual arrangements need to be in place with sub-contractors and proper due diligence must be done.
Once GDPR is in force in May 2018, we can expect similar proactive enforcement from regulators. GDPR will oblige companies to assess the security of the data they hold, including conducting data privacy impact assessments. Similarly, measures will still have to be put in place to secure any data transferred out of the EEA.
In addition, under Article 58 of GDPR, data protection authorities like CNIL will have new investigative powers including the right to conduct data protection audits. They would also be allowed to gain access to any premises of the data controller and data processors “in accordance with [EU] or Member State procedural law”.
Additionally, under GDPR the level of fines will increase. BrandAlley were fined just €30,000. Under GDPR the fine could be a maximum of 4% of global annual turnover, which could lead to a fine as high as €6m based on turnover estimates from BrandAlley’s CEO in 2015.
You can find out more about GDPR in our FAQs and films here.
For more information please contact Jonathan Armstrong, who is a lawyer with Cordery in London where his focus is on compliance issues.
Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A4HH
Office: +44 (0)207 075 1785