What’s this about?
Significantly for the first time, the French data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), has fined both a data controller and a data processor for the same data security breach. The CNIL has also set a deadline for website and mobile applications to meet cookies compliance.
There are some technical terms used in this note. You can find the definitions at www.bit.ly/gdprwords.
What’s the fines case about?
From June 2018 to January 2020 the CNIL was notified many times of data breaches concerning a website used for purchases by several million customers. The CNIL undertook an investigation of both the website business, the data controller, and the website service provider, the data processor. The CNIL found that the website had suffered numerous so-called “credential stuffing” attacks. “Credential stuffing” is a malicious form of hacking whereby an attacker attempts to get into a website using login credentials found on the dark web that have come out of data security breaches. Because website users tend to use the same password and username (i.e. their email address) for different online services a hacker then makes multiple login requests on multiple websites, using robots to help. If access is successfully gained the attacker can then review and obtain the personal information available and go on to use that for nefarious purposes.
In this particular case the CNIL stated that in the attacks that had occurred the attacker was able to access the following information: first name and surname; email address; date of birth; loyalty card number and balance; and, information concerning orders made. The information of some 40,000 customers was accessible between March 2018 and February 2019.
The CNIL found that the data controller and the data processor had failed to keep secure customer personal data, in particular because both the data controller company and the data processor service provider had waited far too long to put in place measures that would effectively deal with the repeated attacks on the website. According to the CNIL, although the two organisations decided to develop a tool to both detect and stop the attacks, the tool was only developed a year after the initial attacks. In the CNIL’s view, in the intervening period, the two organisations should have developed other measures that could have more quickly prevented new attacks or mitigated negative impacts for customers. The CNIL gave examples of two such possible measures: first, limiting the number of requests authorised per IP address on the website; and, second, using a CAPTCHA (a computer programme or system intended to distinguish human input from machine input) when users first attempt to log into their accounts.
Accordingly, by way of sanctions the CNIL imposed a fine of €150,000 on the data controller and a fine of €75,000 on the data processor for failure to implement adequate security measures to protect customer personal data against the website credential stuffing attacks.
The CNIL made a point out of stating that whilst a data controller is the one responsible for deciding on the implementation of appropriate security measures, along with providing documented instructions to its data processor, the data processor is the one who is responsible for identifying the most appropriate technical and organisational solutions to ensure data security, along with putting those solutions forward to the data controller.
Unfortunately only limited information about this important case is available as the CNIL has decided to only issue a press release about it. The actual decision is not publicly available and the names of the companies sanctioned has not been disclosed either.
This case shows that regulators are increasingly prepared to fine data processors for data protection non-compliance. It will be recalled that in the summer of 2020 the Swedish data protection regulator, the Datainspektionen, imposed a fine of 150,000 Swedish kronor (approximately €18,700 or $21,320 at the time) on a governmental organisation for breaching the (EU GDPR) obligation that a data processor has to notify a data controller without undue delay after becoming aware of a data breach; we reported on this case here https://www.corderycompliance.com/sdpr-fine-for-data-breach/.
What’s the cookies issue all about?
In a separate development the CNIL has also been active again in the area of cookie compliance. Following the CNIL’s updated cookies guidelines and recommendations issued in October 2020, it has issued a reminder to organisations to get their act together and ensure cookies compliance by 31 March 2021.
The CNIL has in effect made a rallying-cry urging public-sector organisations to audit their websites and mobile applications in order to comply and has contacted over 200 organisations about this. In the CNIL’s estimation the majority of public sector websites are non-complaint.
In particular the CNIL has drawn attention to two areas of concern: first, cookie banners need to better inform users of what the cookies are doing – general information is not enough; and, second, users must be able to either accept or reject cookies with equal ease such as having “accept” and reject” buttons appearing at the same level and in the same format.
The issue at the heart of cookie compliance is consent – one aspect of this is the issue of consent to third-party cookies. The CNIL has been pro-active here because the CNIL has also set up a particular watchdog mechanism (an “observatory”) to periodically analyse the cookie practices of the most widely viewed 1,000 websites in France, looking in particular at cookies used on the landing page as seen through user experience. One outcome of this already is that the CNIL has been in contact with a number of widely-viewed French websites who were found to have used more than six third-party cookies on their websites without obtaining consent for this from users. The observatory’s findings can be found here https://linc.cnil.fr/obs-cookies/.
The CNIL has also made a reminder of the cookie compliance check tools that it has developed, for use by both the public and private sectors, which can be found here https://www.cnil.fr/fr/cookies-et-traceurs-comment-mettre-mon-site-web-en-conformite, here https://www.cnil.fr/fr/cookies-traceurs-outils-et-codes-sources-0 and here https://linc.cnil.fr/fr/cookieviz-une-dataviz-en-temps-reel-du-tracking-de-votre-navigation. The CNIL has also produced a short cookie guidance film, which can be found here https://www.youtube.com/watch?v=oYGEXD8oTUE.
Although the public-sector has been the more direct focus of the CNIL’s latest action it also serves as a reminder to the private sector to ensure cookie compliance. In this regard it is worth bearing in mind that the CNIL imposed the highest fines for cookies non-compliance so far in the EU in late 2020 against Google and Amazon totalling €135 million, which we wrote about here https://www.corderycompliance.com/cnil-cookies-investigation/. The CNIL also fined Carrefour France €2.25 million and Carrefour Banque €800,000 in November 2020 in part for their failure to comply with cookie laws. You can find out more on the Carrefour case here https://www.corderycompliance.com/french-dpr-fine-for-dtt-non-compliance/
What can I do?
The key takeaways are as follows:
- As regards the controller/processor fines case: full and proper due diligence should be undertaken by data controllers on data processors and the technical and organisational measures (TOMs) by which the processors will keep personal data secure; to make sure that TOMs can deal with credential stuffing attacks; and, last but by no means least, whatever kind of data security incident occurs, you must remediate the problem as quickly as possible – fire drill your processes to ensure this; and,
- As regards cookie compliance in general, do a cookie audit where you should consider doing the following: identify cookies that are either operating on or through the website; confirm what types of cookies they are; confirm whether cookie ownership is first party or third party; confirm any third party access to the cookies; determine cookie lifespan and decide whether the duration is justifiable for the stated purpose(s); confirm the purposes of each of the cookies that are used/intended to be used; identify the data that each cookie holds or processes; confirm if the cookies are linked to other information held about users and whether the use of cookies involves processing personal data; as regards cookies and the UK, determine whether processing is in compliance with UK GDPR and PECR 2003; and, set out an action plan to address any of the above issues and fully document the audit.
There is more information on handling a data breach here https://www.corderycompliance.com/dealing-with-a-breach/. Cordery’s GDPR Navigator helps organisations keep on top of their GDPR compliance for one fixed annual fee. There are more details at www.bit.ly/gdprnav.
We report about data protection issues here https://www.corderycompliance.com/category/data-protection-privacy/. For other compliance issues we report about see here https://www.corderycompliance.com/news/.
The press release about the CNIL’s data controller and processor fine can be found here https://www.cnil.fr/fr/credential-stuffing-la-cnil-sanctionne-un-responsable-de-traitement-et-son-sous-traitant, and the CNIL’s cookies announcement can be found here https://www.cnil.fr/fr/cookies-la-cnil-incite-les-organismes-prives-et-publics-auditer-leurs-sites-web-et-applications.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
![]() |
![]() |