The French data protection authority, the CNIL, continues to fine organizations for failing to adopt what the CNIL considers to be fundamental data security measures. In May 2019, the CNIL imposed a EUR 400,000 fine on a French real estate company for failing to have basic authentication measures on a server and for retaining information too long. This is the second fine by the CNIL under the EU General Data Protection Regulation 2016/679 (GDPR) after the one against Google. The decision is among many pre-GDPR fines imposed by the CNIL for failing to meet security standards, and shows that data security continues to be a high enforcement priority for the CNIL.
French real estate company Sergic operated a website where individuals could upload information about themselves for their property rental applications. Responding to a complaint by an applicant, the CNIL investigated Sergic in September 2018, as it appeared that applicants’ documents were freely accessible without authentication (by modifying a value in the website URL). The CNIL confirmed the vulnerability and found that almost 300,000 documents were accessible in a master file containing information such as individuals’ government issued IDs, Social Security numbers, marriage and death certificates, divorce judgments, and tax, bank and rental statements. The CNIL also discovered that Sergic had been informed of the vulnerability back in March 2018 but did not fix it until September 2018.
As a result, the CNIL held that Sergic had failed to ensure:
As a result, the CNIL imposed a EUR 400,000 fine. Unfortunately, the CNIL (again) did not explain how it determined the actual fine amount, other than stating that the fine was justified and proportionate. It is interesting to note that it appears that the CNIL’s rapporteur initially requested a EUR 900,000 fine. Why (and how) the CNIL ultimately reduced the fine to less than half of that amount is not indicated.
Below are a few good practices to consider, given the GDPR and CNIL enforcement activity.
Security and retention good practices in France
Check legal statutes of limitation, as well as regulatory guidance. For example, CNIL guidance on specific topics (e.g., biometric access controls, HR management, and customer relationship management) may contain explanations of retention periods.