


French CNIL fine against a French SME for multiple infringements of data protection and cookie regulations


published on 26 April 2023 | reading time approx. 8 minutes


On March 16th 2023, the French Data Protection Authority (the ‘CNIL’) sanctioned the company CITYSCOOT with a 125.000 EURO fine for two GDPR violations and one violation of the French Data Protection Act (‘Loi Informatique et Libertés’, 1978).

This decision implements three core principles of data protection law: 
  • The principle of data minimization;
  • The obligation to provide a contractual framework for the processing operations carried out by a data processor;
  • The obligation to inform users and obtain their consent before writing and reading information (cookies) on their personal device.

It is an opportunity to recall these principles and how they are interpreted by the CNIL as they can easily be overlooked by data controllers.

It is also worth noting that this decision doesn’t concern one of the major Internet players or an international group, as is usually the case with decisions published by the CNIL, but a French SME. 

This is a reminder that many procedures and sanctions are brought against such SMEs and that the tolerance period for complying with the GDPR is well and truly over. 

The infringer: CITYSCOOT

CITYSCOOT is a French SME, with about 225 employees and a turnover of 21.882.031 EURO in 2019. 
It is specialized in the rental of shared electric mopeds via its mobile application “CITYSCOOT”. 

The electric vehicles it offers are shared in free-floating mode, meaning that they don’t need to be parked in specific areas but can be left anywhere within an identified rental area after use. 

An important element of the services offered by CITYSCOOT is that the mopeds are equipped with an embedded tracking device allowing CITYSCOOT and its users to know the position of the scooters via a mobile application. 

This tracking device is also used by CITYSCOOT to collect data on a moped’s position every 30 seconds while it is being used. 

At the time of the control, in 2020, CITYSCOOT’s services were offered in Paris and Nice, as well as in some cities in Spain and Italy. For this reason, the CNIL collaborated with the Spanish and Italian Data Protection Authorities before adopting its decision. 

The infringements

Violation of the data minimization principle


The first and main issue with CITYSCOOT’s services is, quite obviously, the geo-tracking of each moped every 30 seconds. 

The CNIL underlines that, while data relating merely to a moped’s position when it is not in use are not personal data, they must be considered personal data when they concern a moped in use, since they are then associated with the data of the person renting the moped. 

As personal data, geolocation data need to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This is the data minimization obligation, a core principle of the GDPR stated in Article 5(1)(c). 

This principle is all the more important as geolocation data are a special kind of data. 

Based on the EDPB’s Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications, the CNIL recalls that ‘location data’ are particularly revealing of the life habits of data subjects and therefore need to be considered as “highly personal data”.

The EDPB notably stated that data revealing users’ journeys make it possible to infer their place of work and of residence, as well as their centres of interest, and may reveal sensitive information such as religion (through the place of worship) or sexual orientation (through the places visited). 

Therefore, even though geolocation data aren’t “sensitive data” within the meaning of the GDPR, they are to be considered sensitive in the common sense of the term, as they have an impact on the fundamental freedom of movement. 

For these reasons, the necessity of processing such data needs to be assessed very strictly. 

Yet, in CITYSCOOT’s case, the CNIL found that none of the stated processing purposes justified collecting geolocation data every 30 seconds during the rental period. 

Neither the processing of traffic offences or customer complaints, nor the processing for user support or the management of claims and thefts, justified the collection of near real-time geolocation data.  

The relevant criterion for reaching this conclusion is whether the company could have achieved the same goals with less data collection, or the collection of less sensitive data. 

As the CNIL finds that less intrusive means could have allowed CITYSCOOT to provide the same services, and that such data collection infringes the users’ freedom of movement, it concludes that CITYSCOOT violated the data minimization principle. 

Violation of the obligation to provide a contractual framework for the processing of personal data by a data processor


As per Article 28 of the GDPR, all processing to be carried out by a data processor on behalf of the data controller needs to be governed by a binding contract. This article also sets out the essential content of such a contract. 

However, as underlined by the CNIL in this decision and based on the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, the agreement between data controller and data processor must not simply reproduce the GDPR’s provisions: it must, on the contrary, include specific and concrete information on how the GDPR’s requirements are met, as well as on the security level required for the type of processing concerned. 

For example, the agreement cannot simply state that the security of the data will be ensured by the processor; it must instead include a dedicated annex describing the specific processes and mechanisms used as technical and organizational measures to ensure the security of the data. 

This distinction is often overlooked by the parties when negotiating such agreements.

In the case of CITYSCOOT, three contracts concluded with its processors didn’t comply with these obligations: 
  • One of them didn’t provide that the processor must keep at the controller’s disposal all information necessary for the conduct of an audit and must participate in such an audit. It also didn’t clearly set out a specific description of the technical and organizational measures meant to ensure the security of the data; 
  • Another one didn’t state what happens to the data used by the processor at the end of the contract; 
  • And the last one was completely deficient, not even stating the processing purpose, the duration of the processing, the type of data to be processed or the data subjects concerned by the processing. 

For all of these reasons, the CNIL finds that CITYSCOOT violated its obligation under Article 28(3) of the GDPR.

Violation of the obligation to inform users and obtain their consent before using cookies


The third and final violation by CITYSCOOT concerns the obligation to inform users and obtain their consent before ‘writing and reading information on their personal device’ or, in other words, before depositing and using cookies. 

This obligation does not stem from the GDPR but from the European e-Privacy Directive of 2002, as transposed in Article 82 of the French Data Protection Act (Loi Informatique et Libertés, 1978). 

In the present case, CITYSCOOT used a ‘reCaptcha’ mechanism on its website and mobile app when users create an account, log in to their account or use the forgotten password procedure.

This reCaptcha mechanism is offered by Google and entails the deposit of cookies on the users’ mobile device. 

Since CITYSCOOT was not the entity using the cookies, it considered that it was neither necessary to inform users about such cookies nor to obtain their consent before the cookies were used. 

However, this is not the interpretation of the CNIL, which recalls that, under the case law of the French Administrative Supreme Court, the publisher of a website on which third-party cookies are deposited is also considered a data controller responsible for complying with Article 82 of the French Data Protection Act.  

Another defence argument of CITYSCOOT was that, in any case, informing users and obtaining their consent was not necessary, since the sole purpose of reading and writing cookies on the users’ device was to secure the authentication mechanism enabling the use of the services. Indeed, cookies whose sole purpose is to allow or facilitate electronic communication services are exempted from these obligations by Article 82. 

But here again, the CNIL disagrees: the sole purpose of Google’s reCaptcha mechanism was not to secure the authentication mechanism for the benefit of users; the cookies were also used for analysis operations carried out by Google.

The CNIL therefore concludes that CITYSCOOT should have informed its users and obtained their consent for the use of Google’s cookies. By not doing so, it violated the French Data Protection Act.

The sanction

The sanction is proportionate to the nature of the violations and the number of persons they affected, taking into account the corrective measures put in place by the company during the control, as well as the activity and the financial situation of the company. 

Regarding CITYSCOOT, the CNIL deems that it is responsible for major failures in terms of data protection since it infringed fundamental and elementary principles of the GDPR as well as of the French Data Protection Act. 

The harm to data subjects resulting from these infringements is particularly significant, notably concerning the violation of the data minimization principle. 

Moreover, 247.000 users in France, Spain and Italy were concerned. 

Nevertheless, the CNIL notes that CITYSCOOT became compliant after the control, which always works in favour of the companies being controlled.

As a consequence, the CNIL finds an administrative fine of 100.000 EURO for the GDPR violation and of 25.000 EURO for the Data Protection Act violation to be an adequate sanction.  

However, the CNIL decided to make the decision public, in order to reflect the seriousness of the facts and the exemplary nature of the sanctions.
This decision therefore also emphasizes the need not to take lightly the control procedures and correction injunctions of the CNIL, and to make the necessary corrections as soon as possible, in order to avoid or reduce the penalty.

DATA PROTECTION BITES

Author


Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274


Margaux Schaeffer

Avocate

+33 1 8621 9274


RÖDL & PARTNER FRANCE
