GDPR: French ISP Free sanctioned for violations
On November 30th (link in French), la CNIL, the French personal data protection authority, sanctioned the French Internet Service Provider FREE for data security issues and for not respecting the rights granted to individuals by the GDPR.
According to the more complete délibération (in French) published in the Journal Officiel de la République Française, the Authority received 41 complaints between October 2018 and November 2019. Ten of these complaints were analyzed during the procedure which ended with this sanction. The complaints concerned difficulties in exercising the right of access to personal data (GDPR articles 12 and 15) and the right to deletion of personal data (GDPR articles 12 and 21). Other complaints raised concerns about personal data security (GDPR article 32): weak passwords, clear-text password transmission, and also around 4 100 repackaged Freebox units (the Internet router designed by Free and included in their subscriptions) that had not been fully erased of the previous subscribers’ data.
The sanction is a 300 000€ fine and the publication of the decision. The amount of the fine was estimated according to the size and the financial status of the company in 2020. I must admit it’s quite light, because Iliad’s (the holding owning FREE) 2020 financial reports published an Income of 5 871 millions € (page 9 - “Chiffre d’affaires consolidé”) and FREE ("Service fixe") itself represented 2 695 millions €. However, one of the reasons for this low amount is also the number of complaints: 10 for 6.9 million subscribers. The commission estimated that the violation was not a company-wide systematic issue.
Let’s check the details of the sanction.
Failure to comply with the obligation to give access to data
GDPR articles 12 and 15 grant people the right to obtain a copy, in clear and readable language, of any personal data about them held by a company, including any “comment” fields. According to the complaints, several people received incomplete responses, or no response at all, from the company.
When you submit this request to the Data Protection Officer (DPO), they have 30 days to answer. This response deadline is itself codified in the GDPR, article 12.3.
Some requests also asked for the source of the personal data that FREE had obtained from a data broker. FREE refused to communicate the data broker’s name, and this refusal is considered a violation. Indeed, according to the commission that handled the case, refusing to communicate the origin of the data goes against the principle that a person must be able to verify the legal compliance of the personal data processing, including whether the transmission to FREE was legal. The commission also estimated that knowing the identity of the data source is necessary to exercise the right to object to commercial prospecting.
FREE must communicate the data broker’s name to the person who filed the complaint about it. This must be done within one month of the commission’s publication, with a 500€ fine per day of delay.
Failure to comply with the obligation of data deletion
Under GDPR articles 12 and 21, people can ask the DPO to delete the personal data the company holds about them (unless keeping it is mandatory for legal reasons). According to the complaints, FREE did not process the requests within the legal deadline.
Failure to secure the personal data
This obligation, written in GDPR article 32, states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate”.
In this case, the password generated for a new user account on the company website, during a password recovery procedure, or during a password renewal procedure was insufficiently strong: the generated passwords were only eight characters long. In addition, all passwords were stored in plain text in the ISP’s database until January 2020. Finally, when a password is generated, it is transmitted to the user by email in clear text, and also in a paper letter.
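To make the two password findings concrete, here is an added example (not code from the post or from Free) that contrasts the entropy of an eight-character generated password with a longer one, draws passwords from a CSPRNG, and stores only a salted scrypt hash so the database never holds the clear text. The alphabet, lengths and scrypt parameters are assumptions for the illustration; the page does not say which ones Free used.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumed alphabet for generated passwords (the post does not state Free's).
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Eight alphanumeric characters give under 48 bits; sixteen give over 90."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Draw each character with the secrets module (CSPRNG), never random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'scrypt$<hex salt>$<hex digest>'; the clear text is not kept.
    A fresh 16-byte salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    # Assumed work factor: n=2**14, r=8, p=1 uses about 16 MiB of memory.
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    initial = generate_password()          # constructed sample account
    record = hash_password(initial)
    print(f"8 chars: {entropy_bits(8):.1f} bits, 16 chars: {entropy_bits(16):.1f} bits")
    print("stored:", record, "| verifies:", verify_password(initial, record))
```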
FREE’s defense in this case was quite surprising… The company argued that, as a data controller, it is free to choose its security measures, and that the recommendations of la CNIL and the ANSSI (Agence nationale de la sécurité des systèmes d’information - the French national cyber-security agency) are not mandatory. The commission disagreed, given that this is an authentication procedure. While the commission acknowledged that its recommendations, and those of the ANSSI, are not mandatory, it estimated that the measures taken by FREE were insufficient in view of the amount of personal data processed by the company.
The last part of this violation concerns the 4 100 Freebox terminals repackaged and sent to new subscribers with partial or no deletion of the previous user’s data. This data could have been photos, personal videos, recordings from TV, etc. According to FREE, these incidents were human errors. In this specific case, the issue held against FREE was not a possible privacy violation as such, but an insufficient level of security that allowed these errors to occur. The commission also noted that, although it is mainly used for recording TV programs, the Freebox hard drive can also contain personal photos or videos.
FREE took action on this problem in July 2022: it recalled the 4 100 Freebox units and sent replacements to the subscribers. However, 322 units were never sent back to the provider. The commission also noted that the remediation was initiated three years after the violation was discovered.
Failure to document a personal data violation
GDPR article 33 requires that “the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken”. This violation was retained because the incident involving the 4 100 badly repackaged Freebox units was not documented in the personal data breach register. FREE argued that it was a security incident, not a personal data incident. Moreover, the security incident documentation did not make it possible to know whether the Freebox units were returned, and when. The commission reminded the company that describing how and when the violation was fixed is factual information used to evaluate the effectiveness of the remediation.
The commission also established a violation of GDPR article 33 because the documentation produced by the company, at la CNIL’s request, during the two-day inspection was insufficient to characterize the personal data breach.