French data protection authority fines health software provider €1.5M for failing to protect personal information

May 17, 2022 | Titli Datta, David Krebs

Cybersecurity attacks, data security, and privacy breaches are no longer confined to the technical and esoteric discussions of lawyers, IT professionals, and privacy communities; over the past two years they have become part of “coffee row” and “water cooler” conversations (whether those conversations were actually being had around the water cooler or, ironically you might say, online and via video-conferencing).

Canadian organizations are usually quite aware of the potential risks surrounding cyberattacks and the importance of securely maintaining personal information. However, there is slightly less awareness of the consequences of breaches or what kinds of legal penalties are at stake now or may be in the near future.

In Canada, we have not seen much enforcement by way of penalties or fines related to data breaches, either for not reporting a breach or for having failed to secure personal information in the first place. The Personal Information Protection and Electronic Documents Act, as well as Alberta’s Personal Information Protection Act, provide for such fines to be levied (up to $100,000), but no such fines have been levied since 2018.

As we have previously reported, regulators in the European Union have a much more significant enforcement toolkit and regularly use it to enforce the provisions of the General Data Protection Regulation (“GDPR”) by levying fines, both significant and more nominal in amount. Canadian law is changing, and the ability to enforce meaningful penalties will soon be a reality in Quebec with the passing of Bill 64, which contemplates maximum penalties similar to those of the GDPR. Canadian federal law will very likely follow a similar pattern when Bill C-11 is reintroduced in the Canadian parliament, after having been tabled in the wake of the COVID-19 pandemic in 2020. The Office of the Privacy Commissioner of Canada has very recently made several recommendations in this regard, including on the importance of effective enforcement strategies and the ability to impose administrative penalties.

€1.5M fine for failing to protect personal information and not having appropriate contracts in place

A very recent case out of France is an illustrative example of the significance of the fines at stake and of the types of infractions to which these fines may attach. In this case, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), fined a software solutions provider, Dedalus Biologie, €1.5M for failing to protect the personal information and personal health data of 500,000 French citizens impacted in a breach. During a software migration for one of the company’s clients, more data than necessary was extracted (Dedalus Biologie sells software solutions for medical analysis laboratories).

The specific shortcomings under Article 32 of GDPR were noted as follows by the CNIL:

  • lack of a specific procedure for data migration operations;
  • lack of encryption of personal data stored on the problematic server;
  • no automatic deletion of data after migration to the other software;
  • no authentication required from the Internet to access the public area of the server;
  • use of user accounts shared by several employees on the private area of the server; and
  • lack of a procedure for monitoring and reporting security alerts on the server.

The CNIL also noted that Dedalus Biologie did not have appropriate contracts in place for the processing of information, as is required by Article 28 of the GDPR.

Takeaway for Canadian organizations

Will we see Canadian Privacy Commissioners take enforcement action similar to the CNIL’s when they have the tools to do so? The details and impact of privacy reform remain to be seen, but increased enforcement and higher potential penalties are an inevitable aspect of such reform. A core takeaway from this decision of the CNIL is that a breach need not show intentional or wanton disregard for the security of information. Rather, it may be enough that the organization failed to implement appropriate technical security safeguards or administrative safeguards, such as not having appropriate contracts in place with processors or sub-processors.

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.