
The French CNIL's Sentinel Stance: Slaps Euro 105,000 Fine on NS Cards France for GDPR Breaches

published on 23 January 2024 | reading time approx. 10 minutes


The decision of the French CNIL, rendered on December 29, 2023, provides an opportunity to revisit certain essential points of personal data regulation.

Namely:
  1. the obligation to limit the RETENTION PERIOD of personal data, in particular by organizing their archiving;
  2. the obligation to PROPERLY INFORM data subjects, in particular by providing them with a comprehensive, transparent privacy policy written in their language;
  3. the obligation to ensure DATA SECURITY, specifically by enforcing a password policy that matches the required security level, hashing every stored password rather than keeping it in clear text, and being able to demonstrate that the hashing scheme used is satisfactory;
  4. the obligations regarding COOKIES, specifically the need to obtain the users' consent.

NS CARDS FRANCE is a distributor of electronic money facilitating online payments.

One of the two payment solutions offered by the company was implicated in the proceedings, involving the use of so-called 'neosurf' vouchers, which could be linked to the creation of an electronic wallet. This electronic wallet requires the creation of a user account on the neosurf website or application and can be credited using these vouchers or a credit card, enabling users to make online payments or receive winnings.

Breach of the obligation to limit the data retention period

When creating a user account on the company's website, personal information such as name, first name, date of birth, address, email address, phone number, and, if applicable, banking details were collected, along with personal documents such as proof of identity and residence.

However, during an on-site inspection the CNIL found that, although the company had set a retention period of ten years from the last transaction on the account, in practice accounts were merely deactivated at the end of that period while their data remained in the production database indefinitely.

The CNIL also noted that no data purge had been carried out in the company's databases since the beginning of its operations in 2005. The CNIL's report revealed the retention of 70,049 inactive accounts for more than ten years and the retention of 51,735 accounts without purpose, as these were "non-confirmed," meaning that the email address had not been confirmed during the account creation.

The CNIL emphasizes that when data is no longer necessary for the purpose for which it was collected, it can be subject to intermediate archiving for compliance with legal obligations or for pre-litigation or litigation purposes. However, a sorting process must be conducted to archive only relevant data.

After sorting the relevant data for archiving, the data controller must provide a dedicated archive database or a logical separation in the active database. This logical separation must be ensured through the implementation of technical and organizational measures guaranteeing that only individuals with a legitimate interest in processing the data due to their functions can access it. Beyond these intermediate archive retention periods, personal data must, except for exceptions, be deleted or anonymized.

The CNIL points out that when the retention period is reached, personal data must be deleted or anonymized, whereas rendering an account inactive does not correspond to either the deletion of the personal data or anonymization. However, at the time of the on-site inspection, the company retained the data of even inactive user accounts for an indefinite period.

The company should have conducted such sorting of user account data, which was archived without distinction for 10 years, to comply with Article D. 213-1 of the French Consumer Code and Article 5-1-e) of the GDPR.

The CNIL acknowledges that the company achieved compliance during the procedure by implementing and applying appropriate retention periods for user account data, considering the various pursued purposes. However, it emphasizes that this compliance does not absolve the company of its responsibility for past actions.

Breach of the obligation to properly inform individuals

The CNIL notes:
  • that the privacy policies of the website and the application are exclusively available in English, while the Neosurf website and application are intended for a French-speaking audience;
  • that these policies are not up-to-date and are incomplete, as they do not mention either the retention periods or the right to lodge a complaint with the CNIL. Given the data processed by the company, including banking details, such detailed information was necessary to ensure fair and transparent processing under Article 13(2) of the GDPR;
  • that the coexistence of two incomplete versions of the privacy policy was likely to create confusion among individuals regarding the extent of their rights concerning their data and the consequences of the processing of this data.

As a result, the CNIL considers that the company has violated articles 12 and 13 of the GDPR. It specifies that the violation taken into account is the one that was crystallized at the time of the inspections and acknowledges that the company has since come into compliance.

Breaches of the obligation to ensure data security

The CNIL directs its criticism towards the password policy and the way passwords were stored. It observes:
  • a low level of entropy (i.e. of unpredictability) in the passwords accepted;
  • the storage of some passwords in clear text on the site; and, for the rest,
  • the use of an obsolete cryptographic hash algorithm (SHA-1).

First, the CNIL notes that during the creation of a user account on the NS CARDS FRANCE website, (i) passwords with only six characters composed of three categories of characters (uppercase, lowercase, and numbers) were accepted, and (ii) no access restriction in case of authentication failure was implemented.

As a reminder, the two possible options to meet the CNIL standards are:

Option 1

  • Minimum 12 characters;
  • Use of numbers AND uppercase letters AND lowercase letters AND special characters.

Option 2

  • Minimum 8 characters;
  • Use of numbers AND uppercase letters AND lowercase letters AND special characters;
  • Mechanism limiting abusive password submissions (e.g., access delay to the account after multiple failures, mechanism to guard against automated and intensive submission attempts (e.g., captcha), and/or account blocking after multiple unsuccessful authentication attempts (maximum of ten)).

Consequently, the CNIL considers that the deployed password policy was not sufficiently robust to ensure the security of the processed data, thereby infringing Article 32 of the GDPR.

Second, the CNIL notes that storing user passwords in clear text, associated with their identifiers and email addresses, does not ensure their security. This storage method implies that anyone with access to the company's customer database can view and collect these passwords.

These user passwords, along with their identifiers, provide access to all personal data contained in their Neosurf accounts or even other service accounts, as the same identifiers and passwords are often used to access multiple services, as highlighted in the report.

Under these circumstances, the CNIL considers that the password storage methods did not, at the time of the findings, ensure the security and confidentiality of the personal data of Neosurf account holders, which also violates Article 32 of the GDPR.

Third, the CNIL emphasizes that using the SHA-1 function for password hashing is no longer considered compliant with the state of the art. The CNIL's guide for developers gives specific recommendations on how passwords should be stored.

As a result, the CNIL considers that the aforementioned facts, uncontested by the company, constitute breaches of the obligations under Article 32 of the GDPR.
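As an added illustration (not code from the decision, the CNIL guide or NS CARDS FRANCE), the snippet below implements the two CNIL password options and the "maximum of ten" failure lockout described above, and stores passwords with a salted scrypt KDF in place of the unsalted SHA-1 the CNIL found obsolete; the `Account` class, the scrypt parameters and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import string

SPECIALS = set(string.punctuation)
MAX_FAILURES = 10  # "maximum of ten" unsuccessful attempts before blocking


def categories(pw):
    """Count the character categories used: digits, upper, lower, special."""
    return (any(c.isdigit() for c in pw) + any(c.isupper() for c in pw)
            + any(c.islower() for c in pw) + any(c in SPECIALS for c in pw))


def meets_policy(pw, lockout_enforced):
    """Option 1: at least 12 characters and all four categories.
    Option 2: at least 8 characters and all four categories, acceptable only
    when the account also limits abusive submissions (lockout/delay/captcha)."""
    if categories(pw) < 4:
        return False
    if len(pw) >= 12:
        return True
    return len(pw) >= 8 and lockout_enforced


def derive(password, salt):
    # Assumption: salted scrypt stands in for the unsalted SHA-1 criticized
    # in the decision; the cost parameters are illustrative only.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class Account:
    """Constructed account record: per-user salt, KDF digest, failure counter."""
    def __init__(self, password):
        if not meets_policy(password, lockout_enforced=True):
            raise ValueError("password does not meet CNIL option 1 or 2")
        self.salt = os.urandom(16)
        self.digest = derive(password, self.salt)
        self.failures = 0
        self.locked = False

    def login(self, password):
        if self.locked:
            return False
        if hmac.compare_digest(derive(password, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # block the account after ten failures (Option 2)
        return False
```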

Breach of rules regarding cookies and the reCaptcha module

First, the CNIL observed the placement of thirteen cookies before any user action upon arriving at the homepage of the website www.neosurf.com, including Google Analytics audience measurement cookies, which should have been subject to the prior consent of users.

Not surprisingly, the CNIL believes that the deployment of Google Analytics cookies should only occur after obtaining the consent of internet users, as they do not have the exclusive purpose of enabling or facilitating electronic communication and are not strictly necessary for providing a service expressly requested by the user. Google itself has already been fined for allowing this type of cookies without prior consent.

Indeed, Google's online documentation indicates that, depending on the settings chosen by the site's publisher, Google Analytics cookies may include advertising features, and regardless of the settings chosen for these advertising features, the data collected via Google Analytics cookies can be reused to maintain and protect the Analytics service.

Second, the CNIL notes that the company used the Google reCaptcha module to block robots on the registration and login page of the Neosurf website and mobile application without obtaining the prior consent of the user to use such module.

In its defense, the company argues, among other things, that given the unclear and inaccessible information provided by Google regarding the consequences related to the use of the reCaptcha service, it would be unfair to attribute breaches of Article 82 of the French ‘Data Protection and Freedom of Information’ Law to Google’s clients. The company contends that this attribution should not be made without considering the lack of transparency and accessibility in the contractual information provided by Google, a company already condemned by the CNIL for these reasons. Consequently, the company requests a downward revision of the proposed fine amount.

The CNIL does not favorably receive this request and considers that the company is not justified in asserting that it would be unfair to impose such breaches on Google's clients, including itself. The CNIL argues that, as a user of Google's reCaptcha service, the company is also responsible for complying with the provisions of this Law when using this mechanism and, as a consequence, to select its providers and partners.

Furthermore, the CNIL asserts that while a data controller may claim an exemption from information and consent gathering when the operations performed in a user's terminal solely aim at securing an authentication mechanism for the benefit of users, a different situation arises when these operations also pursue other purposes that are not strictly necessary for providing a service. In this case, the reCaptcha Google mechanism serves not only the purpose of securing the authentication mechanism for users but also allows for analysis operations by Google, as explicitly stated in Google's terms of use.

Finally, the CNIL adds that Google duly informs companies using reCaptcha technology, in its online terms of use:
  • first, that the operation of the reCAPTCHA API relies on the collection of hardware and software information (such as device and application data), which is transmitted to Google for analysis;
  • second, that it is the responsibility of these companies to inform users and obtain their authorization for the collection and sharing of data with Google.

Based on these elements, the CNIL concludes that NS CARDS FRANCE should have obtained users' consent for the use of the reCaptcha module, which was not the case in this instance.

Taking into account the infringement of fundamental principles outlined in the GDPR affecting numerous individuals (700,000 users) and considering that the company implemented measures following the notification of the sanction report, the CNIL asserts that these actions do not absolve the company of its responsibility for past breaches. 

Therefore, the CNIL deems it appropriate to impose an administrative fine in the amount of 105,000 Euros.

Again, this ruling is a reminder that it's not all about formalizing documents and processes to claim compliance with the GDPR. It's about these documents, organizations and processes being factually adequate, transparent and effective, depending on the level of risk involved in each data processing operation.

DATA PROTECTION BITES

Author

Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274

Raphaëlle Donnet

Avocate

Junior Associate

+33 1 7935 2542

RÖDL & PARTNER FRANCE
