The French regulator, the Commission nationale de l’informatique et des libertés (CNIL), fined broadcaster Groupe Canal+ €600,000 on 19 October, over breaches of the EU General Data Protection Regulation (GDPR) and the Post and Electronic Communications Code (CPCE).
The investigation into Canal+ appears to have been particularly extensive, and the CNIL found issues in the areas of transparency, security, data breach notification, and more. The CNIL’s decision provides many insights into the regulator’s strict interpretation of the GDPR.
Transparency in privacy notice
Most of the findings in the CNIL's decision (published in French) concern transparency.
Canal+'s privacy notice was "insufficiently precise" when describing the company's retention periods. The notice stated only that personal data would be retained for as long as necessary for various purposes, such as tax, legal and accounting obligations, without giving concrete periods or the criteria used to set them.
The CNIL found that the privacy notice failed to meet the requirements under Article 12 GDPR and the expectations of the European Data Protection Board (EDPB) transparency guidance.
Transparency in consent request
The CNIL found that Canal+ had failed to get valid consent before sharing personal data with third parties. This issue also linked to Canal+’s transparency practices.
The consent form provided to data subjects said only that personal data would be shared with various categories of third parties, without naming them. Canal+ argued that this was acceptable under Article 13 GDPR, which requires controllers to list the "recipients or categories of recipients" of personal data.
However, more recent case law from the Court of Justice of the European Union (CJEU) holds that controllers must identify the actual recipients of personal data, and may fall back on categories only where naming the recipients is impossible.
Because of the lack of appropriate information in the consent request, the CNIL found that Canal+ had failed to obtain valid consent.
Transparency in phone calls
The CNIL found a further transparency issue in Canal+’s operations, during phone calls.
Canal+ hired a service provider to handle phone calls on its behalf. The CNIL found that the provider's operators did not give callers the required transparency information during the call. This was deemed a further breach of Article 12 GDPR.
Invalid Data Processing Agreements
The CNIL examined agreements between Canal+ and some of its service providers. The regulator found that the agreements did not contain the mandatory processor clauses required by Article 28(3) GDPR.
In its defence, Canal+ noted that the agreements were concluded in 2016, before the GDPR became applicable in May 2018. The CNIL did not consider this a mitigating factor and decided that the contracts should have been updated in the meantime.
Data Subject Rights
The CNIL had received three complaints from data subjects who had submitted rights requests to Canal+: two under the right to erasure (Article 17 GDPR) and one under the right to object (Article 21 GDPR).
Canal+ reportedly left these individuals waiting for several months after they submitted their requests, far longer than the one-month deadline under Article 12(3) GDPR, which can be extended by at most two further months for complex or numerous requests.
Security of personal data
The CNIL also found that Canal+ had breached Article 32 GDPR by storing employee passwords hashed with MD4. MD4 is a 128-bit digest designed in 1990; it is fast by design, has had practical collision attacks for many years, and as a bare digest applies no salt and no work factor, so a stolen hash store can be attacked offline with an ordinary wordlist. The CNIL held that this did not meet the "state of the art" standard of Article 32, given the resources available to a company of Canal+'s size.
Data breach notification
Finally, Canal+ failed to report a notifiable data breach.
The issue arose when the names, postal addresses and phone numbers of 10,154 Canal+ subscribers were exposed to an unknown number of other, unauthorised Canal+ users for 5 hours and 35 minutes.
Canal+ decided that the incident was not serious enough to warrant notification to the CNIL, citing the ostensibly low-risk nature of the personal data and the context of the breach.
That turned out to be the wrong call: the CNIL found that the breach was serious enough to require notification to the supervisory authority under Article 33 GDPR.