French CNIL’s six first month of GDPR

by Tara Taubman-Bassirian LLM

Early July this year the French CNIL published its priorities and main targets for 2018 :

• Recruitment companies
• Rental companies
• Parking automated pay machines

Here is a snapchot of the CNIL’s main investigations

Validity of consent :

The CNIL investigated mobile applications using embedded software development kit (SDK) and ad biding gathering personal data even when the application is not in use. The data collection is activated by default, which is contrary to the principal of privacy by design.

* The company VECTUARY had suggested the use of Consent Management Provider – the CNIL considered the CMP not offering suffisant protection, the consumer still lacking information. Consent needs to be informed, specific and affirmative. The technicality and opacity of the ad targeting justifies greater transparency requirement. The CNIL is insisting that informed consent has to be given before the data is collected. Personal data is used for profiling and targeted advertising as large scale as many have phones. The data collected representing serious risk of privacy, the geolocation tracking revealing intimate information about habits and patterns of life.

Consent cannot be passed to another controller through a contractual relationship. Following the Article 7, a controller has the obligation to demonstrate, for the entirety of the data they are processing under consent, the validity of the consent obtained.

VECTUARY has an injunction to cease data collection, to provide clear information before requiring informe consent. It has been asked to delete all data collected. that is 42 millions of personal identification and geolocation data collected from 32 000 application. Vectuary has 3 months to comply to avoid further sanctions.

This case challenged the IAB Europe consent framework French regulator’s decision against an adtech company confirms that IAB “Transparency & Consent Framework” does not obtain valid consent. It also illustrates how even tiny adtech companies can unlawfully gather millions of people’s personal data from RTB.

* Very similar case of lack of valid consent for SINGLESPOT using SDK for targeted advertising.

* Previously in July, the CNIL announced that it served a formal notice to two advertising startups FIDZUP and TEEMO. Both companies collect as well personal data from mobile phones via (“SDK” tools integrated into the code of their partners’ mobile apps—even when the apps are not in use—and process the data to conduct marketing campaigns on mobile phones.

Users were not informed when downloading mobile apps that an SDK that will collect their data is integrated into the apps.

Therefore, they not informed about the advertising targeting purposes of the processing or the data controller’s identity when installing the app. they were required to obtain valid consent by providing that information before collating the data.

Additionally, the CNIL found that the retention of geolocation data for 13 months was excessive as disproportionate in relation to the purpose of the processing. The CNIL stressed that use of geolocation devices are especially intrusive as they constantly track users in real time.

The CNIL ordered TEEMO and FIDZUP to obtain users’ valid consent within three months (e.g., via a pop-up containing specific information and a tick-box to signify consent). The CNIL also ordered TEEMO to define a retention period for geolocation data that is proportionate to the purpose of the processing. Failure to do so within the prescribed time limit may result in sanctions, including a fine.

* On March 2018, the CNIL had served a notice to Direct Energie, the company behind the smart meter Linky. for lack of transparency in the collect of consumers personal data.

Intrusive camera surveillance

* Association 42, is a higher education. In February 2018, the CNIL proceeded to an investigation in their premises to detect abusive permanent video camera footage everywhere without due notice. Furthermore the live video recording was accessible to everyone.

It was reminded that the video surveillance should be limited and access limited to authorised staff. Association 42 was given two month to comply.

* The Institut des techniques informatiques et commerciales (l’ITIC), another private school, had a similar practice of excessive camera surveillance, with retention of video footage over the required one month, lacking secure storage to avoid unauthorised access.

Data breach

* If all these companies were served a notice, OPTICAL CENTRE has incurred a fine of 250,000 euros for a significant data leak that might have exposed customers’ sensitive personal information.

“An on-site inspection was carried out on the premises of OPTICAL CENTER, during which [the company] acknowledged that [its] website did indeed have a security defect. In this case, the site  www.optical-center.fr did not include functionality to verify that a customer is well connected to his personal space (“customer area”) before displaying his invoices. It was thus relatively simple to access documents from another client of the company.”

Biometrics in workplace

* Assistance Centre d’Appels was investigated in its premises back in 2016. Several irregularities were found :

• fingerprint used to control work hours without prior authorisation,
• audio recording of phone conversations without notice to employees and contacts
• lack of strong passwords and automatic lock

After an initial notice, the CNIL did a second inspection that revealed only a partial application of the injunctions. therefore a fine of 10.000 Euros was given.

These are the decisions that were deemed worthy of publication by the CNIL. Neither of them belong to the targeted sectors. the fines are minimal. the CNIL has preferred the approach of giving notice and checking if the injunctions have been followed by action.

List of all CNIL’s sanctions here.

This work is licensed under a Creative Commons Attribution 4.0 International License.