For the first time since its creation in 1978, the French Data Protection Authority (the "CNIL") fined not only a data controller, but also its data processor.
On January 27, 2021, the CNIL imposed a 75,000 euro penalty on a processor for insufficient security measures.
Although unpublished, this decision is unprecedented both in its reasoning and its consequences.
This new approach completely shifts the contractual balance between processors and controllers.
Where processors used to rely on their status under the GDPR to exclude or limit their liability, they are now required to provide data controllers with the most appropriate security measures.
As for controllers, this decision incidentally confirms a forthcoming wave of audits to be operated in order to make sure that all the security standards imposed on their processors are actually met.
How can liability be shared in such a way as to ensure the legal security of the relationship between controllers and processors while taking into account the CNIL's new doctrine?
1. What the French Data Protection Authority's decision changes
In order to fully understand what this decision actually entails, one should take note of the CNIL's doctrine prior to this decision.
1.1 The CNIL's doctrine prior to January 27, 2021
Until January 27, 2021, the Authority's doctrine was quite straightforward: even when the processor was at fault, it would only fine the controller.
The CNIL's reasoning was actually based on the five following principles:
- The data controller's liability cannot be transferred to the processor. In other words, resorting to a processor or a sub-processor does not exonerate the controller from ensuring data security;
- Controllers must impose, by contract, appropriate and relevant security measures on their processors. Accordingly, where the contract does not provide for such measures, the controller will be fined;
- Controllers must not only impose security measures, but must also monitor their application by their processors, which entails conducting security audits or general monitoring of the processors' actions;
- This reasoning does not violate the constitutional principle of personal liability. Under this principle, vicarious liability should be excluded when awarding penalties. Accordingly, if the processor is solely responsible for the breach, it should be the only one being fined. However, according to the French Conseil d'Etat (the Council of State, or supreme court for administrative justice), reliance on a processor does not relieve the controller from its own obligation to ensure data security[1]. Therefore, the fines imposed by the CNIL are not unconstitutional;
- This doctrine would apply even when the processor acts outside of the controller's instructions. Such an interpretation could, however, be revised. Article 28 of the GDPR now provides that when the processor acts in this way, it can be considered as a controller itself.
It is important to note that this reasoning is still shared by other data protection supervisory authorities across Europe.
For instance, the ICO recently imposed a fine on a data controller where the breach was partly caused by the processor's failure to perform its obligations.
1.2 The CNIL's doctrine since January 27, 2021
The CNIL's decision follows several data breach notifications related to credential stuffing attacks on a data controller's website.
As a result of these attacks, malicious individuals had obtained a large amount of personal data concerning the controller's customers.
According to the CNIL, the controller was responsible for deciding on the security measures to be implemented to remedy these attacks and should therefore have given its processor the relevant data security instructions.
However, the French Authority found that the processor should not only have sought the "most appropriate" technical and organizational measures to ensure data security, but should also have recommended them to the controller.
Consequently, the CNIL imposed two separate fines against not only the controller but also its processor, the amount of which is based on their share of liability in the breach.
As a result, the data controller was fined 150,000 euros and the data processor 75,000 euros, i.e. 50% of the controller's penalty.
2. What the CNIL's decision means
The unprecedented nature of this decision is more than likely to shift the contractual balance between controllers and processors. Whether during negotiations or while performing their own obligations, controllers and processors are strongly encouraged to raise their standards.
2.1 What this decision means for processors
When it comes to data security, processors are no longer safe. From now on, they are just as likely as controllers to be fined by the CNIL.
The processors' obligations under the CNIL's doctrine are now more precise. The processor is no longer considered a "passive performer" of the controller's instructions; it is now required to come up with the most appropriate measures to ensure data security.
The tricky part of this decision is that the appropriate nature of these measures is bound to change with the state of the art. In other words, it has to be reassessed over time. This means that processors are now, more than ever, invited to revise their security policies in order to provide controllers with an optimum level of data security at all times.
Processors should also note that the CNIL's financial sanctions are based on the share of responsibility of each party in the breach, taking into account the actions that were taken prior to and following the breach.
Therefore, if the controller can establish that the processor refused to implement extra technical or organizational measures, the CNIL might impose a greater fine on the processor.
2.2 What this decision means for controllers
This decision is crucial for controllers and must be taken into account when selecting a new processor.
Since penalties are awarded on the basis of the actual share of liability in the breach, controllers must be able to demonstrate that they negotiated extra security measures and/or that they duly monitored the implementation of those measures by their processors.
By documenting each and every one of these extra steps, controllers might be able to shift the blame onto their processors and, in a perfect world, avoid the sanctions of the CNIL.
From now on, one thing is clear: data controllers and data processors are strongly encouraged to take all the appropriate measures in order to:
- Neutralize any risk arising out of this new approach to sharing liability - in particular by amending existing data processing agreements;
- Document the adequacy of the security measures implemented for a processing operation;
- If applicable, ensure via an audit that these measures are effective.
[1] Conseil d'État, 10ème / 9ème SSR, 11/03/2015, 368748
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.