On November 21, 2019, the French data protection authority (the "Commission Nationale de l'Informatique et des Libertés" or "CNIL") imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the "GDPR") in connection with cold calling campaigns.1
The CNIL sanctioned Futura Internationale for, inter alia, failing to provide adequate information and effectively implement current and prospective clients' opt-out requests, as well as recording excessive comments about them. The French authority also found that Futura Internationale failed to provide sufficient safeguards to enable the international transfers of data to call centers located outside of the European Economic Area (the "EEA"). While this enforcement action is not unexpected as it relates to infringements of essential provisions of the GDPR, it sheds an interesting light on the CNIL's expectations that companies implement and demonstrate effective measures to comply with the GDPR.
With this decision, the CNIL signaled that mere documentary compliance with the GDPR is insufficient and that companies must, when they rely on cold-calling marketing campaigns:
- allow individuals to effectively exercise their rights under the GDPR, including the right to opt-out from direct marketing, and put processes in place to ensure that such objections are automatically implemented;
- give any third-party operators clear instructions on what information they must provide consumers and which comments they may record, and implement appropriate automated processes to prevent the recording of certain excessive terms in their client relation database; and
- put in place adequate safeguards for the transfer of personal data to any call centers or other processors located outside the EEA, such as entering into standard contractual clauses.
The CNIL's decision was also meant to deter similar future violations and send the following message to companies, regardless of their size:
- When given a formal notice by the CNIL to stop certain breaches of the GDPR, companies should comply promptly to avoid a finding of continuous infringement;
- Companies should duly cooperate with the CNIL in order to mitigate the potential fine and avoid being found in per se breach of the GDPR; and
- A shortfall in a company's turnover will not necessarily be taken into account in the calculation of the fine if its profits remain in the same order of magnitude.
In February 2018, an individual lodged a complaint with the CNIL alleging persistent calls from Futura Internationale despite repeated opt-out requests. Investigations were launched by the CNIL, which revealed several other instances of disregarding requests from current and prospective clients to opt-out from future direct marketing operations, as well as other serious GDPR violations.
In September 2018, the CNIL issued a formal notice requesting Futura Internationale to take corrective measures. In June 2019, the appointed rapporteur issued a report setting out Futura Internationale's violations of the GDPR and the recommended sanctions. The CNIL ultimately found in its November 2019 decision sanctioning Futura Internationale that the corrective measures outlined in the 2018 formal notice had not been properly implemented.
The CNIL's Decision
Applicability of the GDPR to Infringements That Began Before the GDPR's Entry Into Application
The CNIL established that the GDPR was applicable even though the proceedings against Futura Internationale were initiated prior to its entry into application. To this end, the CNIL referred to the case law of the European Court of Human Rights and the French Administrative Supreme Court regarding continuous offences, which are deemed to come to an end on completion of the last occurrence of the offence. The CNIL found that the infringements at stake were ongoing at least until the violations report was issued to Futura Internationale in June 2019, i.e. after the GDPR's effective date.
Serious and Repeated Infringements of the Core Principles of the GDPR
The CNIL first found that Futura Internationale and its subcontractors, call centers located in Africa, were processing health data relating to current and prospective clients, and were making and recording offensive and excessive comments about them in violation of the GDPR's data minimisation principle. Futura Internationale argued that, over the course of the proceedings, it remedied the breach by informing call operators via a specific banner in the relevant software of the type of information that could be included in the comment section. The CNIL found this measure to be insufficient and held that Futura Internationale should have set up a mandatory and automated process to prevent operators from recording certain terms in the concerned database.2
Furthermore, the CNIL held that Futura Internationale failed to properly inform individuals of their rights, of the fact that their data would be processed for the purpose of cold-calling campaigns, and of the fact that telephone conversations would be recorded. The CNIL also reminded Futura Internationale that the required notice of rights had to be given at the time the personal data was collected, so that sending the information by email after the telephone conversation was insufficient. In practice, when conducting telephone campaigns, at least a short-form notice must be given to individuals during the call itself, with the full set of information made available to them, for example by pressing a telephone key to hear it or by receiving it by email.
The CNIL also considered that Futura Internationale failed to implement a mechanism that effectively allowed individuals to opt out from direct marketing. In particular, Futura Internationale did not relay opt-out requests to the call centers (acting as data processors), so the same individuals continued to be called. The CNIL also underscored that Futura Internationale did not record individuals' telephone numbers in the opt-out list, nor collect enough identifying information to prevent matching errors. According to the CNIL, only an automated process, rather than one relying on operators, would allow individuals to effectively exercise their rights.
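The two controls the CNIL found missing in the preceding paragraphs, a mandatory filter on what operators may record in the comment field and an automated opt-out list that is keyed on the telephone number and relayed to the call centers, are illustrated below. This is an added example written for this article; it is not Futura Internationale's or the CNIL's code, and the denylist terms, the `Contact`/`OptOutRegistry` names and the sample contacts are all constructed for the illustration.

```python
"""Added example: an automated do-not-call (opt-out) registry and an operator
comment validator. Illustrative code written for this article, not the company's
or the CNIL's; the denylist, names and sample contacts are constructed."""
import re
from dataclasses import dataclass, field
from datetime import date

# Terms a cold-calling CRM must refuse in free-text comment fields. Constructed
# from the categories in the CNIL's comment-section guidance (health data,
# excessive remarks, insults); a real deployment would maintain and review it.
DENYLIST = {
    "health": ["cancer", "depression", "disabled", "pregnant", "sick leave"],
    "excessive": ["unemployed", "divorce", "criminal record", "convicted"],
    "offensive": ["idiot", "stupid", "moron"],
}
_DENY_RE = {
    cat: re.compile(r"\b(" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
    for cat, terms in DENYLIST.items()
}


def normalize_phone(raw, default_cc="33"):
    """Return an E.164-style string so that '06 12 34 56 78', '+33612345678'
    and '0033 6 12 34 56 78' all map to the same opt-out entry (French default)."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):          # international dialling prefix
        digits = "+" + digits[2:]
    if digits.startswith("+"):
        return digits
    if digits.startswith("0"):           # national format: drop the trunk prefix
        return "+" + default_cc + digits[1:]
    return "+" + default_cc + digits


def validate_comment(text):
    """Return the denylisted terms found in an operator comment, by category.
    An empty dict means the comment may be stored; anything else is refused."""
    hits = {}
    for cat, rx in _DENY_RE.items():
        found = [m.group(0).lower() for m in rx.finditer(text)]
        if found:
            hits[cat] = found
    return hits


@dataclass
class Contact:
    name: str
    phone: str
    email: str = ""
    comment: str = ""


@dataclass
class OptOutRegistry:
    """Opt-out list keyed on the normalized phone number and lowercased email,
    with enough context (name, date, channel) to audit and de-duplicate requests."""
    _by_phone: dict = field(default_factory=dict)
    _by_email: dict = field(default_factory=dict)

    def register(self, contact, channel, when):
        entry = {"name": contact.name, "channel": channel, "date": when.isoformat()}
        self._by_phone[normalize_phone(contact.phone)] = entry
        if contact.email:
            self._by_email[contact.email.strip().lower()] = entry

    def is_opted_out(self, contact):
        return (normalize_phone(contact.phone) in self._by_phone
                or contact.email.strip().lower() in self._by_email)

    def export_for_processor(self):
        """Suppression list to relay to every call center (processor); phone
        numbers only, since that is all a dialer needs to block a call."""
        return sorted(self._by_phone)


def build_call_list(contacts, registry):
    """Split a campaign into dialable and suppressed contacts and strip any
    comment the validator rejects. Runs before records reach the dialer, so
    suppression does not depend on an operator noticing a banner."""
    dialable, suppressed, rejected_comments = [], [], {}
    for c in contacts:
        if registry.is_opted_out(c):
            suppressed.append(c)
            continue
        hits = validate_comment(c.comment)
        if hits:
            rejected_comments[c.name] = hits
            c = Contact(c.name, c.phone, c.email, comment="")   # refuse to store it
        dialable.append(c)
    return dialable, suppressed, rejected_comments


# Constructed sample data: three prospects as a call center might hold them.
SAMPLE_CONTACTS = [
    Contact("A. Dupont", "06 12 34 56 78", "a.dupont@example.com", "call back Tuesday"),
    Contact("B. Martin", "+33 7 98 76 54 32", "", "client is unemployed and in a divorce"),
    Contact("C. Durand", "0033 1 23 45 67 89", "C.Durand@Example.com", "wants a quote"),
]


def demo():
    reg = OptOutRegistry()
    # Dupont opted out by phone, written in a different format; Durand by email.
    reg.register(Contact("A. Dupont", "+33612345678"), "phone", date(2018, 2, 1))
    reg.register(Contact("C. Durand", "0123456789", "c.durand@example.com"), "email", date(2018, 3, 5))
    return build_call_list(SAMPLE_CONTACTS, reg), reg.export_for_processor()


if __name__ == "__main__":
    (dialable, suppressed, rejected), export = demo()
    print("dialable:", [c.name for c in dialable])
    print("suppressed:", [c.name for c in suppressed])
    print("rejected comments:", rejected)
    print("list for processors:", export)
```

The point of normalizing the number before both storing and looking it up is that an opt-out taken as "06 12 34 56 78" must still suppress a record the call center holds as "+33612345678"; matching on the raw string, or on the name alone, is exactly the kind of error the CNIL faulted. The exported list is what would be pushed to each processor on every run, rather than left for the controller to relay by hand.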
Moreover, the CNIL highlighted its view that Futura Internationale displayed a blatant lack of interest for data protection matters, and that its uncooperative behavior was a per se violation of the GDPR.
Finally, the CNIL found that Futura Internationale did not implement appropriate safeguards to cover international transfers to the call centers located in countries outside the EEA. While Futura Internationale did provide the CNIL with some agreements that included standard contractual clauses, these documents were still unexecuted drafts. Moreover, the draft contracts stated that they were governed by the law of the country where the service provider was located, whereas the European Commission's standard contractual clauses must be governed by the law of the Member State in which the data exporter is established.
The CNIL issued an injunction to Futura Internationale to remedy all violations of the GDPR, with a penalty of €500 per day of breach if the violations are not remedied within one month after notification of the decision.
The CNIL also imposed a fine of €500,000, which represents 2.5% of Futura Internationale's annual turnover.3 The CNIL justified the fine based on the nature, gravity and duration of the violations and Futura Internationale's lack of responsiveness and cooperation with the CNIL's investigation. In particular, the CNIL considered that Futura Internationale's infringements were continuous and related to core rights of individuals, and underscored that Futura Internationale delayed implementing corrective measures until after it received the CNIL's violations report in June 2019 (i.e. over eight months after the CNIL issued its formal notice). Additionally, Futura Internationale's argument that it needed more time to familiarize itself with the new framework of the GDPR was rejected, since most of its infringements related to obligations which already existed prior to the GDPR. The CNIL also stressed the importance of providing appropriate safeguards to data subjects when transferring their personal data outside the EEA, as personal data may otherwise be processed there outside of any legal framework.
Futura Internationale sought a reduction of the fine by arguing that its turnover had fallen by €7 million between 2017 and 2018. The CNIL rejected that argument. In calculating the fine, the CNIL took into account that Futura Internationale is a midsized company and had experienced revenue changes, but nonetheless held that a substantial fine was appropriate: the company's profits had remained constant, and the fine was not meant to be directly correlated to Futura Internationale's financial results but to deter future misconduct.
2 In its guidelines in relation to "comment sections", the CNIL reminds companies that recorded information must remain objective, relevant and not excessive. Comments must never be insulting. For example, comments such as "unemployed client" or "currently in the course of divorce proceedings" could be deemed irrelevant and excessive. It is also important not to include sensitive information, such as health-related information and information relating to criminal convictions and offenses.
3 The maximum fine under the GDPR is up to €20 million or 4% of a company's total annual worldwide turnover of the preceding financial year, whichever is higher.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.