In January 2019 the French Data Protection Authority (the CNIL) hit Google LLC with a record €50m fine for failing to comply with the EU's General Data Protection Regulation (GDPR). A decision of 28 May 2019 imposing a €400,000 fine on SERGIC, a real estate company, shows that the Google case was never intended to be a one-off.
A CNIL investigation revealed that Sergic allowed its customers' personal data to be accessed online without authentication, and that the same data was often retained for longer than necessary. By modifying a value in a particular URL, Sergic users were able to retrieve personal data that other clients had uploaded to the company's website.
The CNIL inspected Sergic, both online and on-site, on 7 and 13 September 2018. It found that numerous documents submitted by prospective tenants could be accessed freely, i.e. without prior authentication, on the company's website. The documents available online included copies of ID cards, health insurance cards, family allowance fund certificates, divorce judgements and even bank details. Sergic has acknowledged that the website's security breach may have affected an estimated 29,440 users. The CNIL stated that the website design flaw compromised the confidentiality of personal data and therefore breached Article 32(1) of the GDPR.
More precisely, the CNIL judged that Sergic had failed in its obligations to ensure:
- Data security: The vulnerability which exposed clients' personal data (lack of prior authentication) required no particular computing expertise to exploit: simply changing a value in the website URL granted access to another person's documents. The CNIL considered this particularly poor, noting that several public fines had already been issued in cases with similar facts. The sensitive nature of the data was treated as an aggravating factor, and Sergic's lack of diligence in responding to the security failure (it took the company six months to remedy the problem) was viewed dimly.
- Storage limitation: The CNIL concluded that, once the purpose of processing has been achieved, personal data should either be deleted or archived. Simply put, Sergic did neither.
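The flaw the CNIL describes is a classic insecure direct object reference: a document identifier taken straight from the URL is used to fetch a file with no session and no check that the caller owns it. The following is an added example, not Sergic's code, that reproduces that pattern and shows the hardened version (authenticate first, then scope the lookup to the caller's own documents) alongside a retention sweep of the kind the storage-limitation finding calls for. The document store, account names, document ids and the 90-day retention period are all constructed for illustration.

```python
"""Added example of an IDOR like the one in the Sergic case, and its fix.
Not Sergic's code: the store, account names, ids and retention period are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Document:
    doc_id: int
    owner: str                    # account that uploaded the file
    kind: str                     # e.g. "id_card", "bank_details"
    purpose_done: Optional[date]  # date the tenancy application closed; None while open


# Constructed sample store (hypothetical accounts and ids).
DOCS: Dict[int, Document] = {
    1041: Document(1041, "alice", "id_card", date(2018, 1, 15)),
    1042: Document(1042, "bob", "bank_details", None),
    1043: Document(1043, "bob", "divorce_judgement", date(2018, 8, 1)),
}

# Date of the CNIL's first on-site inspection, used as "today" in the retention sweep.
INSPECTION_DATE = date(2018, 9, 7)
RETENTION = timedelta(days=90)    # assumed policy: purge 90 days after the purpose is achieved


class Unauthenticated(Exception):
    pass


class NotFound(Exception):
    pass


def doc_id_from_url(url: str) -> int:
    """Extract ?id=<n> from the request URL; this is the value an attacker tampers with."""
    return int(parse_qs(urlparse(url).query)["id"][0])


def fetch_vulnerable(url: str) -> Document:
    """Mirrors the flaw: the id from the URL is used directly, with no session
    and no check that the caller owns the document."""
    return DOCS[doc_id_from_url(url)]


def fetch_hardened(url: str, session_user: Optional[str]) -> Document:
    """Require an authenticated session, then restrict the lookup to the caller's own documents.
    Missing and foreign ids produce the same NotFound so the endpoint cannot be used
    to enumerate which ids exist."""
    if session_user is None:
        raise Unauthenticated("login required")
    doc = DOCS.get(doc_id_from_url(url))
    if doc is None or doc.owner != session_user:
        raise NotFound("no such document")
    return doc


def can_read(url: str, session_user: Optional[str]) -> bool:
    """True if the hardened endpoint would serve this URL to this session."""
    try:
        fetch_hardened(url, session_user)
        return True
    except (Unauthenticated, NotFound):
        return False


def purge_expired(store: Dict[int, Document], today: date) -> List[int]:
    """Storage limitation: delete documents whose purpose was achieved more than
    RETENTION ago. Returns the ids removed."""
    expired = [i for i, d in store.items()
               if d.purpose_done is not None and today - d.purpose_done > RETENTION]
    for i in expired:
        del store[i]
    return expired


if __name__ == "__main__":
    # Anyone, logged in or not, can read bob's bank details just by editing the id.
    print("vulnerable:", fetch_vulnerable("/documents?id=1042").kind)
    print("hardened, alice -> bob's doc:", can_read("/documents?id=1042", "alice"))
    print("hardened, bob -> own doc:", can_read("/documents?id=1042", "bob"))
    print("purged on inspection date:", purge_expired(dict(DOCS), INSPECTION_DATE))
```

The ownership check is the part Sergic's site was missing; note that it is applied in addition to, not instead of, the login requirement, and that the hardened endpoint returns the same error for a document that does not exist and one that belongs to someone else. The retention sweep is the simplest form of the "delete or archive once the purpose is achieved" obligation: it keys off a recorded purpose-completion date rather than the upload date, since a still-open application legitimately needs its documents.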
Few security practitioners would dispute that Sergic is responsible for a serious security lapse, so a fine of this size is hardly surprising in the circumstances. Once again, a national Data Protection Authority has underlined the importance of GDPR-compliant access controls and data retention policies for any company that holds personal data, and particularly sensitive data.