France Update: Online commercial prospecting and the infringement of the rights of individuals: analysis of recent decisions of the CNIL
14/12/2022
Since the entry into force of the General Data Protection Regulation (GDPR), many data subjects have become aware of their rights relating to the processing of their personal data. They no longer hesitate to complain about potential infringements directly to the CNIL.
The number of complaints rose by 4% in 2022 compared to the previous year, with a marked increase in those relating to the right of access. At the same time, the CNIL has undeniably stepped up its inspections and imposed increasingly heavy administrative fines.
Faced with these numerous access requests from the persons whose personal data they process, companies have no choice but to adapt in order to avoid being sanctioned. Compliance nevertheless remains a complex, time-consuming process that can seem out of reach. The major market players, although in principle better placed to comply, are also subject to public and exemplary sanctions. The recent CNIL decisions against EDF and FREE MOBILE illustrate this.
DECISION AGAINST EDF
The CNIL’s investigation followed several complaints from users and revealed breaches of the GDPR, in particular with regard to commercial prospecting, the right of access and password security. On 24 November 2022, the CNIL imposed an administrative fine of €600,000 on EDF.
FAILURE TO COMPLY WITH THE OBLIGATION TO OBTAIN THE CONSENT OF INDIVIDUALS TO COMMERCIAL PROSPECTING BY ELECTRONIC MEANS (ARTICLES L. 34-5 OF THE CPCE AND 7 OF THE GDPR)
During the inspections, EDF was unable to demonstrate to the CNIL that it had obtained the consent of the persons targeted by its electronic commercial prospecting campaigns carried out between 2020 and 2021. EDF acknowledged that it had used a customer database purchased from a personal data broker and had not verified the forms used to collect consent.
FAILURE TO COMPLY WITH THE OBLIGATION TO PROVIDE INFORMATION (ART. 13 AND 14 GDPR) AND COMPLIANCE WITH THE EXERCISE OF RIGHTS (ART. 12, 15 AND 21 GDPR)
The CNIL found that EDF had not fulfilled its obligation to inform the persons concerned: the personal data protection charter on its website did not specify the legal basis for each use of the data and was imprecise as to retention periods.
FAILURE TO COMPLY WITH THE OBLIGATION TO ENSURE THE SECURITY OF PERSONAL DATA (ARTICLE 32 OF THE GDPR)
The CNIL considered that EDF had not complied with its obligation to ensure the security of personal data: the passwords of more than 25,000 accounts for the customer area of the “prime énergie” portal were stored insecurely until July 2022.
DECISION AGAINST FREE MOBILE
After receiving several complaints that FREE MOBILE had failed to act on requests for access and on objections to receiving commercial prospecting messages, the CNIL investigated and, on 30 November 2022, imposed a fine of €300,000 on FREE MOBILE.
ON THE BREACH OF THE RIGHT OF ACCESS (ART. 15 OF THE GDPR):
The CNIL found a breach of the obligation to respect individuals’ right of access to the data concerning them, FREE MOBILE having failed to respond within 30 days to the access requests made by the persons concerned.
ON THE BREACH OF THE RIGHT TO OBJECT (ART. 21 GDPR):
In addition, FREE MOBILE did not respect the right to object of the persons concerned (Articles 12 and 21 of the GDPR), since it did not act on explicit requests to stop sending commercial prospecting.
ON THE BREACH OF THE OBLIGATION OF “PRIVACY BY DESIGN” (ART. 25 OF THE GDPR):
The CNIL also found a breach of the obligation of data protection by design (Article 25 of the GDPR), FREE MOBILE having continued to issue invoices for telephone lines whose subscription had been terminated.
ON THE BREACH OF THE OBLIGATION TO ENSURE THE SECURITY OF PERSONAL DATA (ARTICLE 32 OF THE GDPR):
Finally, the CNIL found a breach of the obligation to ensure the security of personal data (Article 32 of the GDPR): FREE MOBILE sent users their passwords by email in cleartext, and those passwords were neither temporary nor required to be changed on first use.
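The two Article 32 findings above (EDF’s insecurely stored passwords and FREE MOBILE’s passwords emailed in cleartext with no obligation to change them) are both avoidable with well-known engineering choices. The following is an added illustration written for this page, not code from either operator or from the CNIL decisions: passwords are stored only as salted scrypt hashes, and a forgotten-password flow emails a random, single-use link that expires after a short time instead of the password itself, forcing the user to choose a new one. The account names, the `example.invalid` reset URL and the 15-minute lifetime are assumptions made for the example.

```python
"""Added example (not from the decisions): salted password hashing plus a
single-use, time-limited reset token in place of emailing passwords."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# scrypt cost parameters: n is the CPU/memory cost (2**14 is the RFC 7914
# interactive baseline), r the block size, p the parallelism. Raise n over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<hash>' using a fresh 16-byte random salt.
    A per-user salt defeats precomputed tables; the memory-hard KDF slows
    offline guessing if the credential table ever leaks."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None
    # sha256(token) -> expiry timestamp; the raw token is never stored server-side
    reset_tokens: Dict[str, float] = field(default_factory=dict)


class AccountService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        # (recipient, message) pairs; stands in for an SMTP client in this example
        self.outbox: List[Tuple[str, str]] = []

    def register(self, email: str, password: str) -> Account:
        acct = Account(email=email, password_hash=hash_password(password))
        self.accounts[email] = acct
        return acct

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return bool(acct and acct.password_hash
                    and verify_password(password, acct.password_hash))

    def start_reset(self, email: str) -> Optional[str]:
        """Email a single-use, time-limited link; the password itself never
        leaves the server. Returns the raw token only so a caller/test can
        follow the link; a real handler would return nothing. For an unknown
        address it returns None and the caller should answer identically, so
        the endpoint does not reveal which addresses have accounts."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        acct.reset_tokens[key] = self.clock() + TOKEN_TTL_SECONDS
        # assumed URL; only the token travels by email
        self.outbox.append((email, f"https://example.invalid/reset?token={token}"))
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Accept the token once, only before expiry, and require a new password."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        key = hashlib.sha256(token.encode()).hexdigest()
        expiry = acct.reset_tokens.pop(key, None)  # pop enforces single use
        if expiry is None or self.clock() > expiry:
            return False
        acct.password_hash = hash_password(new_password)
        return True
```

The point of keeping only `sha256(token)` server-side is that a read of the database (the EDF scenario) yields neither usable passwords nor usable reset links, and the `pop` plus expiry check closes the FREE MOBILE gap: the emailed secret is temporary, works exactly once, and cannot be reused as a permanent credential.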
By Ginestié Magellan Paley-Vincent, France, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact france@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.