Doctors fined by CNIL

Doctors fined by CNIL: The French DPA has sanctioned two health professionals over poor data protection.

Two doctors have been fined by CNIL for having insufficient data protection, and neglecting to notify of a recent data breach. 

 

Last month, in France, CNIL announced that two doctors were found to be in breach of articles 32 and 33 of the GDPR. Following a September 2019 online check, the two doctors had thousands of images hosted on their servers, freely available online. Upon investigation, the doctors were concluded to have poorly configured their internet box, as well as their medical imaging software, leading to the data breach. The doctors were charged €3,000 and €6,000 respectively, and while the CNIL thought it unnecessary to publish the names of the doctors in question, they expressed the importance of the publicity of these decisions in an effort to alert health professionals to their obligations and the need to strengthen their vigilance on security measures.

 

The doctors fined by the CNIL, failed to adequately protect data thereby breaching article 32 of the GDPR. 

 

According to article 32 of the GDPR, data controllers and processors are responsible for implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk in order to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. A data protection impact assessment would have notified the doctors in advance of the faults in the configuring which led to the data breach. 

 

Article 32 of the GDPR states “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

 

By not adequately notifying the CNIL of the data breaches, the two doctors breached article 33 of the GDPR as well.

According to article 33 of the GDPR controllers need to make a notification of any data breaches without undue delay, and where possible, within 72 hours of realizing that data has indeed been breached. After being notified that the images were freely accessible, the two doctors should have made the mandatory notifications, but failed to do so. According to the GDPR, this is a necessary step “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This data breach compromised the medical images of the doctors’ clients, directly infringing on their rights, making it necessary to notify the authority. 

 

CNIL made these decisions public in order to send a message to other medical professionals to ensure compliance with the GDPR.

 

While CNIL did not find it necessary to publicize the doctors’ names, they felt it was important to report on the incident to implore other health professionals to be vigilant with their measures for data protection. The aim is to encourage professionals to choose application solutions offering the maximum guarantees in terms of IT security and personal data protection. If not, these professionals risk the same fate for not being cautious when developing and configuring their internal IT system. The CNIL suggests that professionals employ competent service providers where necessary, to ensure compliance.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Google and Amazon fined

Google and Amazon fined: CNIL has fined the two major companies for unlawful cookies.

Google and Amazon, fined by CNIL of France, for placing cookies on users’ computers without getting prior consent or giving satisfactory information.

The CNIL reported last week that both companies have been sanctioned, for their misuse of cookies which breached the French Data Protection Act. Following several investigations from December 12th 2019 to May 19th 2020 on amazon.fr and on March 16th 2020 on google.fr, the CNIL discovered that the websites of both of these companies violated Article 82 of the Data Protection Act. 

Google was found to have three violations of Article 82 of the DPA, while Amazon had two of those three.

Both websites, upon investigation, were found to have been placing cookies on users’ computers automatically, without any action required on their part, or prior consent required from the users. These cookies were deemed non-essential to the use of their service and should only be placed once the user has expressed their consent. This practice violates Article 82, of the DPA and fails to comply with the requirement of obtaining prior consent before placing cookies on users’ computers. 

While both google.fr and amazon.fr issued brief statements via a banner pop-up to the bottom of their screens, informing visitors of either the company’s confidentiality agreement (in the case of Google), or the users acceptance of cookies by their use of the website (in the case of Amazon), both of these banners were found to have inadequately informed users, resulting in further breaches to Article 82. In Google’s case, this banner did not inform users at all, on the cookies which had already been automatically placed on their computers. The “Consult now” button which was placed on the banner at google.fr also did not lead users to any information on those cookies. 

On amazon.fr, while the banner informed users of their automatic acceptance of cookies by using the site, this information was found to be neither clear nor complete. The banner did not specify that cookies placed on users’ computers were mainly used to display personalized ads. It also failed to explain to the user that it could refuse these cookies or how to do it.

In addition, on google.fr, even after using the mechanism provided through the “Consult now” button, to deactivate the personalisation of ads, one of the advertising cookies remained stored on the user’s computer and continued to read information intended for the attached server. The “opposition” mechanism on google’s website was deemed faulty and resulted in an additional violation of the DPA, Article 82.

Google and Amazon fined a total of 100 million euros and 35 million euros respectively. 

GOOGLE LLC was hit with a fine of 60 million euros, and GOOGLE IRELAND LIMITED was fined 40 million euros. The authority justified these fines, and their decision to make them public, by the seriousness of Google’s triple breach of Article 82, the search engine’s reach and the fact that nearly fifty million users were affected by this breach. The advertising revenues generated by companies like Google are indirectly generated from the data collected by the advertising cookies placed on users’ computers. Since a September 2020 update on google.fr, cookies are no longer automatically placed on users’ computers, however the information banner still did not inform users residing in France of the purposes for which cookies are used, nor does it inform them that they could refuse these cookies. In addition to the fine charged to GOOGLE LLC and GOOGLE IRELAND LIMITED, an injunction was also placed under the penalty, threatening a 100,000 euro per day fine, if after three months, companies were still not adequately informing users, in accordance with DPA article 82. 

AMAZON EUROPE CORE was fined 35 million euros, and the fines were also publicized due to the seriousness of the breaches. It was considered that, given the popularity of the website amazon.fr, millions of France’s residents visited this site daily, having cookies placed on their computers. In addition, the main activity of the company is the sale of consumer goods, therefore the personalized ads, made possible by the use of those cookies, lead to a significant increase in the visibility of its products on other websites. It was also taken into account that, until the restructure of the website amazon.fr in September 2020, the company was continuously placing cookies on the computers of users living in France, without informing them. Regardless of the path that led users to the site, they were either insufficiently, or not at all informed that cookies were being placed on their computers. Amazon is also faced with the threat of an additional 100,000 euro per day fine, if they are not in accordance with the act within three months. 

CNIL has released amended guidelines and recommendations regarding the use of cookies, in accordance with the GDPR. 

On October 1st 2020, the CNIL released its guidelines on the use of cookies and other tracking devices. These guidelines are part of its action plan on targeting advertising and the enforcement of the GDPR. CNIL is asking all parties to comply with the rules clarified therein, specifying that their adaptation period should not exceed six months. CNIL has also indicated that it will continuously monitor other requirements which have not been modified and, if necessary, adopt corrective measures to protect the privacy of individuals.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

CNIL provides further guidance on collection of personal data by employers in the context of COVID-19 pandemic.

CNIL provides further guidance in the context of the global pandemic, on the collection of personal data by employers.

In the context of the health crisis brought on by the spread of the coronavirus, many authorities and organisations have been providing as much help and guidance to relevant agents, in navigating the current situation and continuing business during the pandemic. We are collectively at the point of the pandemic where it has been established that life must go on and organisations and businesses are trying to establish some sort of normalcy to facilitate business continuity. The CNIL recently released a document, providing guidance which may aid employers in navigating data protection in the current atmosphere in the workplace with regard to the coronavirus-related health crisis.

Employers are obligated to ensure the safety of their employees.

it is the employer’s responsibility to implement measures to prevent occupational risks and information and training actions, as well as to ensure that work organization and resources are adapted to working conditions. Employers are encouraged to remind their employees, working in contact with other people, of their obligation to report individually in the event of contamination or suspected contamination, to them or to the competent health authorities, for the sole purpose of enabling them to adapt working conditions.

CNIL provides guidance to employees as well, on navigating working through the pandemic.

Employees are responsible for preserving their own health and safety and also that of the people with whom they may come into contact during their professional activity. Under normal circumstances, employees who are home sick, typically need only to communicate the terms (usually length) of their sick leave. However, in a context of a pandemic such as that of COVID-19, an employee who works in contact with other people (colleagues and the public), each time he has been able to expose some of his colleagues or for example clients, to the virus, must inform his employer in the event of contamination or suspicion of contamination with the virus. If this employee works in isolation or teleworks, they need not provide this information.

How does the GDPR say that health data should be processed?

Employers can only process health data necessary for the satisfaction of their legal and contractual obligations, that is to say necessary to take organizational measures (teleworking, referral to the occupational doctor, etc.), training and information, as well as certain actions to prevent occupational risks. For this reason, only elements of data linked to the date, to the identity of the person, to the fact that they have indicated to be or suspected of being contaminated, as well as the organizational measures taken, should be processed by the employer. The employer may communicate to health officials, the elements necessary for a possible health or medical care of the exposed person. However, under no circumstance is the employer to identify or communicate any personal info about the likely infected person to other employees.

In developing and implementing company protocol, employers cannot take measures likely to disproportionately infringe on the privacy of employees, or other data subjects, in particular through the collection of health data, that would go beyond managing suspected exposure to the virus to protect employees and the public. In order to be processed, the use of the data must necessarily fall within one of the exceptions provided for by the GDPR, thus securing the balance between the desire to ensure the security of individuals and respect for their fundamental rights and freedoms.

What does the law say about temperature readings at entrances?

In an effort to prevent contamination or spread of the virus, or to remove employees from the working environment who may have a fever, some employers may wish to systematically monitor employees’ temperatures at the entrance to their premises. Recently on our blog we reported on the CNIL calling for caution in the use of smart and thermal cameras in this process. The CNIL has noted that the effectiveness and appropriateness of the temperature measurement is disputable, as this symptom is neither systematic of, nor exclusive to COVID-19. In any case an individual’s body temperature constitutes sensitive data relating to his health and is therefore considered subject to special protection under the GDPR. In particular, Article 9 of the GDPR prohibits employers from keeping data on employees’ temperatures if taken at the entrance of a site.

CNIL provides further guidance, that only competent health personnel can collect, implement and access any medical forms or questionnaires from employees or agents containing any data related to the state of the health or information relating particularly to their family situation, living conditions, or even their possible movements. The same would apply for medical, serological, or COVID-19 screening tests, as the results of these are subject to medical confidentiality. 

The CNIL has provided further tips on business continuity in the context of the pandemic.

Companies may also be required to establish a business continuity plan, aiming to maintain the essential activity of the organisation during a crisis like the COVID-19 health crisis. This plan must be inclusive of all the measures to protect the safety of employees, and to identify the essential activities to be maintained and also the people necessary for the continuity of the service.

There are a few additional key points noted by the CNIL. The CNIL notes that the employer is responsible for the health and safety of his employees and must take collective protective measures, like social distancing protocol, and provision of personal protective equipment, hand sanitiser and so on. The authority also reiterates that the employer does not have to organise the collection of health data from all employees. The only situation that would warrant an employer taking individual measures, is in the event that a report is made by an employee himself that he may have been exposed, or may have exposed some of his colleagues or the public to the virus. In addition, the authority advises that employers who would like to go beyond their obligations and ensure the state of health of their employees by setting up individualized working conditions must necessarily rely on the occupational health service, which has sole competence on the subject.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 during the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.