CNIL’s recent ruling against Orange has wider lessons for all data controllers who rely on processors and sub processors to process personal data. Datonomy’s correspondent in Paris analyses the issues.
In its deliberation dated 7 August 2014 (but only published on 25 August), the CNIL issued, for the first time, a public warning (i.e no fine has been imposed on Orange, but the sanction consists in the publication of CNIL’s ruling on its website) against a telecoms operator on the basis of personal data breach requirements (pursuant to Article 34 bis of the French data protection act 1978). On 25 April 2014, Orange notified the CNIL of a technical failure in one of its marketing sub-processors, resulting in the leak of personal data (name, surname, birth date, email address and phone number) concerning 1.3 million subscribers. Following this notification, the CNIL investigated Orange and its processors’ premises and found that Orange had not fulfilled its obligation to ensure the security and confidentiality of personal data with such sub-processor, despite the fact that the security breach had been adequately notified and dealt with by Orange.
The focal point of particular interest in this decision is that, although Orange was found to be compliant with personal data breach requirements, notably by having notified the CNIL and data subjects “forthwith” of the breach, this notification brought the attention of the French privacy watchdog to the security and confidentiality measures imposed by Orange on its subcontracting chain. The key issues highlighted by CNIL were as follows:
- although its first (main) processor had complied with security and confidentiality measures imposed on it contractually, Orange had not ensured a back-to-back of the security and confidentiality provisions in the agreement between the processor and its sub-processors;
- Orange had not conducted any security audit on the version of the marketing application specifically developed by its sub-processor, which would have allowed it to identify the security breach; and
- Orange did not sufficiently protect customers’ personal data when updating and sending them to its processors (by non-encrypted emails).
Lessons to be learned and security standards to be set to anticipate data breaches
This case stresses the utmost importance for electronic communications operators to be proactive and plan appropriately, notably by complying with the high preventive standards that regulators expect data controllers to adopt in order to demonstrate that they have implemented “appropriate” security measures under the current data breach rules, as indicated in the recent March 2014 Data Breach Opinion issued by the EU’s Article 29 Working Party. On top of that, this ruling shows how important it is for electronic communications operators to impose security obligations at least as stringent as those applicable to them on their processors and sub processors. For further information on this WP 29 Opinion, please see the report by my fellow Datonomist Claire issued in April this year, and the coverage of the underlying Regulation by Carsten in July 2013.