A recent data protection fine highlights the risks of getting a few key things wrong.

Fines for large data security breaches always grab press attention, however a recent €600,000 fine from the French data protection regulator (the CNIL) brings into sharp focus the risks for businesses when they get a few key things wrong without any catastrophic failures amongst them. It highlights that all organisations need to think about where the weaknesses sit in their compliance programme, or potentially face a similar fate.

The CNIL received 31 complaints against media group CANAL+ for its marketing activities and response to data subject rights requests. This led to a full investigation into the CANAL+ website and an audit of its privacy compliance, as a result of which the CNIL found infringements of the EU GDPR and French Post and Electronic Communications Code. 

Once under the microscope, the company fully co-operated with the extensive investigation which included consideration of its policies, supply chain contracts and arrangements, marketing activity, website activity and dealings with the regulator. The investigation was opened in January 2021 and has only just concluded. 

It must have been a trial for the company, but for others it provides an object lesson and warning about the importance of investing wisely in targeted compliance activities to avoid a much more costly exercise when it’s too late. 

CNIL’s findings

The CNIL found the following breaches:

• Failure to evidence valid, informed consent to e-marketing – the company was using suppliers to collect consents but remained fully responsible when subcontractors did not sufficiently identify who data would be shared with, which amounted to invalid consent.
• Failure to provide all required information to individuals about the processing of their data – the company’s privacy notice was not “sufficiently precise”, in particular around retention periods.
• Failure to provide all required information to individuals about the processing of their data during cold calls – the CNIL identified that in 20 out of 70 calls, individuals were not given full, or any, information as required by Art. 14 GDPR.
• Failure to respect data subject rights – CANAL+ failed to respond correctly to a handful of access requests by data subjects and failed to inform some data subjects once rights requests (erasure and objection) had been actioned.
• An inadequate processing contract with a processor – which did not include all the mandatory terms and information required under Art. 28 EU GDPR.
• Lack of appropriate security measures - storage of employee passwords in an app with outdated encryption was not in line with ‘the state of the art’. 
• Failure to notify CNIL of a notifiable data breach -  a breach in 2020 exposed subscriber information of 10,000 customers to around 700 other customers for five hours. The company made an incorrect assessment that this did not reach GDPR thresholds for notification.

This was not a question of systemic failings or blatant disregard for rules. CANAL+ had attempted to undertake all their activities in a compliant manner. But, as the French saying goes: “small streams make a river”, and once it started looking closely, the CNIL found failings in each one of these areas which added up to a significant fine. This will no doubt have come on top of some hefty management and legal costs. 

Key takeaways

The ruling will cause alarm bells to ring for any company that thinks it has a robust and compliant privacy programme. So when thinking about de-risking, these are the key lessons companies can learn from the ruling:

Be careful of direct marketing and DSARs. Complaints about unsolicited marketing and careless data subject rights responses were enough to trigger a painful trawl into every area of privacy compliance. 

Lots of relatively minor breaches make a major problem. None of the breaches were severe, and there was no question of “structural failure”. Nevertheless, the CNIL found breaches at every level and it’s the cumulative effect of minor problems which seems to have caused the fine. 

Policies and procedures matter. The regulators will look at the fine print and are ready to pick up on any deviation from the rules which they consider material. Privacy policies are a central area of risk.

No contract too small. The breach of Art. 28(3) GDPR rested on a single non-compliant supplier contract.  Renewal of existing contracts without updating privacy terms is the classic pitfall. 

Liability cannot be subcontracted. Regulators repeatedly point out that blaming a supplier for not managing marketing consents properly will not wash. The same goes for all controller compliance.

Decisions not to notify a data breach need special care. The company assessed the right guidelines but made the wrong call. Getting experienced advice, and recording judgements carefully, are the best defences.