December 5, 2019

French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded to the website. This security defect left the trove of nearly 300,000 tax and identity documents accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.

CNIL also knocked the company for keeping users’ information for longer than it was needed for the purpose of processing the user’s real estate rental application. The company did not disclose that it would keep or use the information for another purpose, and did not properly archive the data after the purpose was finished. The fine assessed by CNIL came to nearly 1% of revenue. The maximum GDPR fine considered was 20 million euro or 4% of revenue.

Putting it Into Practice: This fine is a reminder for companies that operate in the EU to review their data protection assessments, as EU privacy regulators field and investigate complaints about data security vulnerabilities and continue to enforce GDPR.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

About this Author

Alyssa Shauer, Sheppard Mullin Law Firm, Century City, Cybersecurity and Litigation Attorney
Associate

Alyssa M. Shauer is an associate in the Business Trial Practice Group in the firm's Century City office. Ms. Shauer is a Certified Information Privacy Professional (CIPP/US) and a member of Sheppard Mullin’s Privacy Team.

Prior to joining Sheppard Mullin, Ms. Shauer externed in the chambers of the Honorable Margaret M. Morrow, Central District of California. She served as a Managing Editor of the UCLA Law Review and as Vice President of the Cyber Crimes Symposium and Competition on the Moot Court Honors Board. Prior to law school, Ms. Shauer...

424-288-5305