On 27 January 2021, the CNIL announced that it had imposed administrative fines of €150,000 on a data controller and €75,000 on its data processor for failure to ensure data security. This is the first time since the GDPR entered into force that the CNIL has sanctioned both a controller and its processor for a breach of their security obligations. Until now, regulatory action on security breaches has mostly targeted controllers, leaving their processors unsanctioned.
- Processors have to adopt an active approach to comply with their security obligations
In the case at hand, the controller (an e-commerce platform) suffered a series of "credential stuffing" attacks on its website. Credential stuffing occurs when attackers obtain lists of login/password pairs leaked from other services, e.g. on the dark web or elsewhere on the Internet, and then replay those pairs against the target site's login form using automated bots. The attack succeeds for every customer who reuses the same credentials across several websites.
The e-commerce platform had notified several dozen data breaches to the CNIL between June 2018 and January 2020. In this context, the CNIL decided to inspect both the e-commerce operator and the processor that operated the web platform. According to the CNIL, the parties were late in putting in place security measures that effectively countered these repeated attacks: it took them a year to develop a tool to block credential stuffing. In the meantime, attackers were able to access the personal data of approximately 40,000 customers.
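The pattern the CNIL summary describes (one source cycling through many different usernames, mostly failing, with the occasional success on a reused password) is what a credential-stuffing detector looks for in authentication logs. The following is an added example written for this page, not the platform's or its processor's tool; the log format, threshold values and sample lines are all constructed assumptions, and the response step simply returns which IPs to block and which accounts to force a password reset on.

```python
"""Credential-stuffing detection over authentication logs (added example).

Not the e-commerce platform's or its processor's code: the log format
"<ISO timestamp> <ip> <username> <OK|FAIL>", the thresholds and the sample
lines below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries ten different accounts in six
# seconds and hits two reused passwords; 198.51.100.9 is a real user who
# mistypes once and then logs in normally.
SAMPLE_LOG = """\
2020-01-10T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-01-10T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-01-10T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-01-10T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-01-10T10:00:03Z 203.0.113.7 erin@example.com OK
2020-01-10T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-01-10T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-01-10T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2020-01-10T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2020-01-10T10:00:06Z 203.0.113.7 judy@example.com OK
2020-01-10T10:00:07Z 198.51.100.9 alice@example.com FAIL
2020-01-10T10:00:20Z 198.51.100.9 alice@example.com OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=8, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs whose activity inside any sliding window looks like
    credential stuffing: many attempts, many *different* usernames, mostly
    failures. Per flagged IP, returns the largest qualifying window's counts
    and the accounts that logged in OK from it (likely reused, now
    compromised credentials). A lone user retrying a mistyped password hits
    one username and stays well under the thresholds."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events lie within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            attempts = len(win)
            users = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] != "OK")
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and failures / attempts >= min_fail_ratio):
                rec = flagged.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                              "failures": 0, "compromised": set()})
                rec["attempts"] = max(rec["attempts"], attempts)
                rec["distinct_users"] = max(rec["distinct_users"], len(users))
                rec["failures"] = max(rec["failures"], failures)
                rec["compromised"] |= {e[2] for e in win if e[3] == "OK"}

    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


def respond(flagged):
    """Turn detections into the two actions that matter for Article 32:
    stop the source and reset the accounts it got into."""
    return {
        "block_ips": sorted(flagged),
        "reset_accounts": sorted({u for r in flagged.values() for u in r["compromised"]}),
    }


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    print(hits)
    print(respond(hits))
```

Per-IP thresholds are the first, cheapest layer; attackers who spread the attempts over a proxy pool will stay under them, so a production detector also watches the site-wide failure rate and the number of distinct accounts failing per window, and pairs detection with rate limiting and bot challenges on the login endpoint.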
The CNIL's sanction committee ruled that both the controller and processor had failed to comply with their respective obligations to ensure the security of customers' personal data, in violation of Article 32 of the GDPR. According to the CNIL, "the data controller must decide on the implementation of measures and give documented instructions to its processor. But the processor must also seek the most appropriate technical and organisational solutions to ensure the security of personal data and put them forward to the controller" (emphasis added). In this decision, the CNIL provides clarity on the role of data processors and their obligation to comply with the security requirements under Article 32. Indeed, processors must play an active role in assessing what the most appropriate security measures are, and should not limit themselves simply to adopting the security measures that are determined by the controller. This is particularly the case when the data controller has suffered several data breaches.
- The security obligations imposed on data controllers…
Under the GDPR, controllers must comply with the general principle of integrity and confidentiality for the processing they carry out (Article 5(1)(f)). In line with the accountability principle, they must be able to demonstrate that they have adopted "appropriate technical and organisational measures" to comply with GDPR requirements (Article 24).
Data controllers also have a duty to engage only processors that provide "sufficient guarantees to implement appropriate technical and organisational measures" for the processing, including its security (Article 28(1)). This verification is most often carried out as part of due diligence on prospective processors.
- …do not relieve processors of their own security obligations
Article 32 of the GDPR imposes data security obligations directly on data processors as well. However, Article 32 does not prescribe the measures in detail: it sets a risk-based standard and lists only examples (pseudonymisation and encryption, the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the measures), leaving the controller and processor to determine what is appropriate for each processing activity.
Furthermore, the data processing agreement entered into between the controller and its processor must stipulate that the processor takes all the measures required pursuant to Article 32 (see Article 28(3)(c) of the GDPR). The level of detail of the security measures varies from one data processing agreement to another.
Lastly, processors also have the duty to assist controllers to ensure compliance with their obligation under Article 32, "taking into account the nature of processing and the information available to the processor" (Article 28(3)(f) of the GDPR).
- Are processors exposed to sanction risks?
A breach of Article 32 of the GDPR can lead to administrative fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. The CNIL's decision itself was not made public; only a summary was published on the CNIL's website, and that summary does not specify the criteria used to set the level of the fines imposed on the controller and the processor "in view of their respective liabilities".
This decision also shows how important it is for processors to negotiate clear terms in their agreements with their customers, including the security measures the parties agree upon and what is expected of the processor in the event of a data breach. Like any contract, a data processing agreement should not remain theoretical: it should impose a clear duty on the processor to assist the controller in keeping the level of security appropriate at all times, and to propose practical remediation measures to the controller when a data breach occurs.
This decision serves as a reminder that processors are exposed to GDPR sanctions just as controllers are, and that the risk does not lie entirely with data controllers. It is also worth noting that repeatedly notifying data breaches to the regulator is itself a risk factor: in this case, the controller's multiple breach notifications are what prompted the CNIL to carry out an inspection.