Cyber breach – The French Conseil d’Etat confirms the CNIL decision against Optical Center (250.000 Euros fine)
Published on 2nd May 2022
Optical Center suffered a cyber-attack on its e-commerce website in January 2019, which led to several complaints from prospects and clients of the company to the French data protection authority (the “CNIL”). The CNIL conducted both online and on-site investigations, which ultimately resulted in a fine of 250.000 Euros as well as an order to comply with the General Data Protection Regulation (GDPR) obligations on security (art. 32 of the GDPR) and on the exercise of rights by data subjects (art. 12.2 of the GDPR), subject to a penalty of 500 Euros per day of delay at the end of a three-month period following notification of the decision.
On April 26th 2022, the French administrative Supreme Court, the Conseil d’Etat, confirmed the CNIL decision.
This is the third time that Optical Center has been sanctioned by the CNIL, although in a previous 2018 decision the Conseil d’Etat had lowered the CNIL sanction from 250.000 to 200.000 Euros.
In the case at hand, the breach originated with a data processor of Optical Center. The Conseil d’Etat noted that Optical Center had not regularly controlled this data processor. The breach resulted in the leak of the data of nearly 200.000 customers, including, for 23.000 of them, their NIR (French social security number).
What are the key takeaways from this decision?
- Security and cyber-security are an ongoing process that must be a top priority
The Conseil d’Etat followed the CNIL’s reasoning, according to which Optical Center should have regularly checked the security and organisational measures implemented by the data processor in charge of securing the website. Optical Center was not able to demonstrate that the various software components making up the website were regularly updated.
Furthermore, the passwords were not strong enough given the sensitivity of the data at stake (NIR).
The CNIL and the French National Cybersecurity Agency (the ANSSI) have published extensive guidelines on security. These guidelines cover the technical, organisational and legal measures that any company must implement to ensure the security of the data entrusted to it and to prevent a data breach.
Once implemented, these security practices must be regularly audited and constantly updated. This decision is a reminder that a data controller cannot delegate its responsibility for security to its processors. It must be proactive and verify that its data processor is using appropriate and up-to-date security tools and measures.
- The CNIL may issue a fine without first imposing a formal notice.
Even though Optical Center had itself notified the CNIL of the breach and had begun taking corrective measures, the Conseil d’Etat confirmed that the CNIL may issue a fine without first serving a formal notice on a controller to bring its data processing activities into compliance. This is in line with French law, and the CNIL makes particular use of this possibility in data breach cases.
To note: French law was updated in early 2022 to also allow a simplified fast-track procedure, enabling the CNIL to impose sanctions faster in simple cases where the amount of the fine is low. The President of the CNIL’s restricted committee may act alone, without even a public hearing of the defendant unless the defendant requests one.
- The CNIL has an almost discretionary power when assessing the quantum of the fine, which can be modulated by the administrative judge
Contrary to other EU jurisdictions, there are no specific guidelines or “rates” setting the amount of the sanctions that the CNIL may impose depending on the GDPR obligations breached.
The Conseil d’Etat recalls that sanctions must be “effective, proportionate and dissuasive” and reviews the various criteria of article 83 of the GDPR (nature, gravity and duration of the breach, intent, cooperation of the defendant, etc.) that the CNIL took into account.
Here, even though the breach was not intentional and the defendant fully cooperated with the CNIL, Optical Center was negligent with respect to data security and this negligence led to the breach. Given that the company had already been sanctioned twice, and given its turnover of 202 million in 2017, the Conseil d’Etat held that the CNIL sanction of 250.000 euros is not disproportionate (it represents 0.12% of the annual turnover). The Conseil d’Etat verified and confirmed that the CNIL had taken the GDPR criteria into account when setting the fine and that the fine is not “disproportionate”.
In its most recent decisions, the Conseil d’Etat has adopted this approach and has confirmed the sanctions issued by the CNIL.