Fines for Carrefour for AVG violation

On Nov. 26, 2020, the French equivalent of the Personal Data Authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), announced the imposition of fines on two divisions of the well-known Carrefour group for violating the AVG (the Dutch name for the GDPR). A fine of €2,250,000.00 has been imposed on Carrefour France and a fine of €800,000.00 on Carrefour Banque. The fines were imposed for more than 10 violations in the areas of transparency, information provision, retention periods and safeguarding data subjects’ rights.

Reason

CNIL detected the violations in 2019 due to several complaints from Carrefour France customers. As a result, inspections were conducted at these Carrefour entities between May and July 2019. Those inspections identified several deficiencies in the processing of (potential) customer and user data. This led CNIL to decide to launch a sanctions procedure. An abridged version of that French procedure can be found here.

For Carrefour Banque, the trigger was not complaints, but an investigation initiated by the CNIL itself. In July 2019, the CNIL conducted both an online and a physical audit. This looked at the processing of data on Carrefour Banque’s website and the processing of data from Carrefour’s so-called Pass card, a type of credit card. These checks triggered the sanction procedure here as well.

In the sanction procedures, the identified deficiencies were examined by a rapporteur. The rapporteur communicated his findings to Carrefour by bailiff on January 10, 2020. Carrefour was thereby given the opportunity to respond to the report. The rapporteur found several violations. He therefore proposed that the CNIL impose on Carrefour an order for a periodic penalty payment to end the violations and, in addition, a fine.

Violations and the CNIL’s judgment

The AVG violations found are discussed below, separately for Carrefour France and Carrefour Banque.

Carrefour France

As far as Carrefour France is concerned, the first issue is a violation of Article 5(1)(e) of the AVG, which requires that data not be kept longer than necessary. Carrefour kept the data of loyalty customers for four years after their last activity. The CNIL considers this period excessive. For this type of customer, a period of three years would be more appropriate, since the turnover of such customers is rapid and fleeting.

Second, Carrefour did not comply with its own retention period (then four years). The rapporteur found that inactive customers continued to appear in the databases for longer than four years. It involved more than 28 million (!) customers who had been inactive for five to 10 years. Data of 750,000 of them were retained. The CNIL does note that Carrefour has shown that it has made every effort to undo this violation of Article 5(1)(e) AVG.

Third, the rapporteur accuses Carrefour of keeping copies of identity documents for a period of one to six years. The CNIL agrees with the rapporteur that this period is unreasonable. These were identity documents used to identify someone who wished to exercise a right under the AVG (Article 12(6) AVG). Carrefour is obliged to delete these documents immediately after establishing an applicant’s identity. Keeping them for a long time violates Article 5(1)(e) AVG. On this point too, the CNIL indicates that Carrefour has shown during the sanction procedure that it now complies.

Fourth, following the previous point, the rapporteur notes that it was standard practice at Carrefour to request an identity document from each applicant under the AVG. According to the CNIL, this systematic request is disproportionate, because there is no reason to doubt the identity of an applicant in all cases. This is considered a violation of Article 12 AVG. Carrefour has also amended this point.

Fifth, the rapporteur notes that Carrefour is structurally late in responding to requests. The response time varies, but can be as long as nine months without informing the requester. The CNIL notes that this again violates Article 12 AVG, despite the improvements Carrefour has made in that regard. Carrefour now responds on average within 15 days (!).

The sixth reproach made by the rapporteur to Carrefour concerns the provision of information to data subjects. The rapporteur notes that the information on Carrefour’s site is not easily accessible, due to the multiplicity of pages to consult, links on different pages and redundant information. The CNIL agrees, even though layering of information is permitted (see recital 39 AVG). It subtly notes that the user had to be particularly determined to access all relevant information. It bases this not only on the multiplicity and availability of information, but also on the use of language, which is unnecessarily complicated. Carrefour thus fails to comply with Articles 12 and 13 AVG.

In the same context of transparency, the CNIL notes, seventh, that the information provided by Carrefour is also incomplete. Carrefour’s information is incorrect or incomplete regarding the identity of the controller, the legal bases for processing, transfers to other countries and retention periods. That too is a violation of Articles 12 and 13 AVG, although the CNIL underlines that Carrefour is now compliant.

Eighth, the CNIL notes an individual case in which a requester was wrongly not informed of the origin of data collected about him under Article 15(1)(g) AVG. Carrefour believed that the data had been collected directly from the data subject and that this information therefore did not need to be provided. That reasoning is legally correct, but it became clear that indirect collection had also taken place.

Ninth, the rapporteur noticed that several customers experienced difficulty in exercising their right to data deletion, especially in deleting the e-mail address used for receiving commercial mailings. The actual reason was that users’ e-mail addresses had been used as customer codes, so removal of the e-mail address was not possible. This structure has since been changed. In a number of other requests, (incidental) errors were also found that led to data erroneously not being deleted. Carrefour thus violated Article 17 AVG. This applies especially to the deletion of data used for direct marketing, which must always be done immediately.

Then there was a tenth violation. Several users opted out of receiving commercial messages, but still received them. According to Carrefour, this error stems from the fact that the third party managing this did not pass on the objections to Carrefour. However, that does not mean it is not a violation, more specifically of Article 21 AVG.

The eleventh violation found is one in the area of security. The CNIL notes that after an online order is placed, the purchase invoice is accessible to anyone who has the fixed URL. That, according to the CNIL, is a violation of Article 32 AVG, even though Carrefour has since added a random string of characters to the URL and implemented an authentication mechanism.
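The fixed-URL invoice problem above, and the two-part remedy the CNIL describes (an unguessable token in the URL plus authentication of the owner), as an added Python illustration that is not part of the article or of Carrefour’s systems; the invoice records, user names and function names are constructed for this example.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: two customers with one invoice each.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "total": "42.00"},
    1002: {"owner": "bob", "total": "17.50"},
}


def fetch_invoice_insecure(invoice_id: int) -> Optional[dict]:
    """'Before' pattern: the invoice lives at a fixed URL such as
    /invoice/1002, so anyone who knows or enumerates the number can
    read it. There is no login and no ownership check."""
    return INVOICES.get(invoice_id)


# 'After' pattern, step 1: replace the sequential number in the URL
# with a random token that cannot be enumerated.
TOKENS: Dict[str, int] = {}


def issue_invoice_token(invoice_id: int) -> str:
    """Mint an unguessable URL token (256 bits of randomness) for one invoice."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = invoice_id
    return token


# 'After' pattern, step 2: the token alone is not an access control.
# A forwarded or logged link would still expose the invoice, so the
# handler also requires an authenticated session that owns the invoice.
def fetch_invoice_secure(token: str, authenticated_user: Optional[str]) -> Optional[dict]:
    """Return the invoice only to its authenticated owner; None otherwise."""
    if authenticated_user is None:
        return None                      # not logged in
    invoice_id = TOKENS.get(token)
    if invoice_id is None:
        return None                      # unknown or revoked token
    invoice = INVOICES[invoice_id]
    if invoice["owner"] != authenticated_user:
        return None                      # logged in, but not the owner
    return invoice


if __name__ == "__main__":
    tok = issue_invoice_token(1002)
    print("insecure, no login:", fetch_invoice_insecure(1002))
    print("secure, no login:  ", fetch_invoice_secure(tok, None))
    print("secure, wrong user:", fetch_invoice_secure(tok, "alice"))
    print("secure, owner:     ", fetch_invoice_secure(tok, "bob"))
```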

Finally, as the twelfth, the CNIL notes that Carrefour wrongfully failed to report a data breach. It concerns a hacking attack from July 2019. Carrefour believed that the attack did not violate the rights of affected individuals because only 275 customer accounts could be broken into and customers did not lose accrued balances. The CNIL does not share this assessment, in part because as many as 4,000 successful authentications took place. That poses a risk of further breaches, either at Carrefour or elsewhere through credential stuffing.

Carrefour Banque

In the case of the banking arm of the Carrefour Group, the first issue is a violation of Article 5(1)(a) AVG. Carrefour Banque provided unclear and misleading information to customers participating in Carrefour’s loyalty program. Namely, Carrefour did not mention that customers’ personal data would be shared with Carrefour France. In addition, the enumeration of personal data provided to third parties was incomplete.

Second, the CNIL finds that Carrefour Banque’s site is also inadequately accessible to a user. The privacy notice is hard to find and incomplete. Again, users have to be persistent to find all the information. In addition, retention periods were unclear, especially since Carrefour used legal formulas such as “the applicable statutory limitation periods”. The CNIL notes this as a violation of Article 13 AVG.

As a third violation, the CNIL notes that Carrefour uses about five non-essential tracking cookies on its site. These are placed before any action by the user. The CNIL considers that to be in violation of the French cookie law.

Sanctions

Carrefour France

The CNIL decides not to impose a penalty payment order on Carrefour. It does not consider this necessary because Carrefour has demonstrated during the sanction procedure that it has ended all violations. Carrefour has thus done itself a service.

However, the CNIL does believe that the identified violations, even if rectified, warrant a fine. For the amount, it considers that the vast majority of violations result from negligence, occasional errors and inadequate implementation of the AVG. Most violations have limited consequences. The CNIL commends Carrefour for its perfect cooperation during the investigation. The CNIL notes that the personal data affected is not sensitive data, and that Carrefour did not benefit from the violations.

The CNIL bases its method for calculating the level of the fine on Article 83(5) AVG. This states that for companies, the annual turnover must be looked at. For the Carrefour France group, the CNIL sets this at €14.9 billion in 2019. However, turnover is not the only guiding factor for the CNIL. It points out that retail is characterized by extremely high volumes and low margins: while sales may be particularly high, net profit is comparatively low. Without further calculation, the CNIL therefore sets the fine at €2,250,000.00.

As a third element of the sanction, the CNIL also stipulates that the fine decision with all its considerations must be published for two years. After that period, the name Carrefour will be removed from the publication.

Carrefour Banque

The CNIL also sees no reason to impose a penalty payment on Carrefour Banque, since Carrefour has already undone these violations as well. The online registration process for the Pass card has been completely revised and users are now informed of all data sent to Carrefour France.

However, there remains reason to punish the violations found; merely ending them is insufficient. The CNIL takes into account that the nature, severity and duration of the violation are substantial. The lack of transparency is a violation of the basic principles of Article 5 AVG. The violation also affected a large number of people, namely all Pass card subscribers. Again, the CNIL weighs Carrefour’s great efforts as a mitigating factor.

The CNIL arrives at a fine of €800,000.00. The CNIL explains that it is 0.25% of net banking income in 2018 (€308 million). Considering financial strength and the cases mentioned in the previous paragraph, the CNIL considers €800,000.00 an effective, proportionate and deterrent amount of fine.

Finally, this fine decision will also have to be published by name for two years. This is partly to inform (potential) customers about the (penalized) violations.

Author’s note: lessons for (Dutch) practice

The CNIL’s considerations provide insight into the test used by the French regulator. Because the AVG is a European legal framework, a foreign regulator’s interpretation may also color Dutch practice. A number of lessons can be drawn from this:

  1. Layered privacy statements are permitted, but must remain sufficiently clear, accessible and simple.
  2. A general enumeration of the legal bases used is insufficient. The bases must be linked to specific processing operations.
  3. When estimating annual turnover, CNIL also counts the annual turnover of subsidiaries of Carrefour France that benefited from the infringements under European competition law (Articles 101 and 102 TFEU, recital 150 AVG and EU Court of Justice rulings C-217/05 and T-265/12).
  4. A three-year retention period is considered reasonable by CNIL. It refers for that purpose to a non-binding recommendation on the subject. That constitutes a useful reference for the CNIL.
  5. For “perfectly” cooperating with investigations and correcting violations, Carrefour is rewarded.

A small caveat: the decisions are still subject to appeal by Carrefour. An appeal must be filed with the French Council of State, the Conseil d’État, within two months of their publication. From Carrefour’s tweets, it seems that it does not intend to do so, but accepts the sanctions.

CNIL’s detailed considerations can be found – in French – on its website. For Carrefour France, please click here and for Carrefour Banque here.

Source: CNIL, November 26, 2020