At the end of February 2021, the French Data Protection Authority (CNIL) found out via the media about a massive personal data breach involving health-related data of about 500,000 French patients. After more than a year of investigation, CNIL has published its decision (available in French only) imposing a fine of 1.5 million euros against DEDALUS BIOLOGIE, a company processing the data on behalf of medical analysis laboratories. The company has not appealed, but the CNIL’s decision indicates that a processor can be sanctioned for the lack of a data processing agreement incorporating Article 28 General Data Protection Regulation (GDPR) provisions with the controller. In addition, a processor can be sanctioned for failure to abide by the controller’s instructions and for insufficient security measures.
The personal data leaked in the breach included the following categories of personal data:
- Identification data, such as social security number (SSN), surname, first name, gender, postal address, telephone number, email address, date of last medical visit and date of birth.
- Information relating to patients’ pathologies (e.g., HIV, cancers, genetic diseases), pregnancy status, drug treatments followed by the patient, or genetic data.
- Identification data relating to the physician.
According to the CNIL’s preliminary findings issued in February 2021, this breach appeared to be “of a particularly large and serious scale.” The controllers involved in this leak were medical analysis laboratories, although the CNIL has not publicly disclosed the identity of these companies. As of February 24, 2021, the CNIL had carried out several inspections, in particular of the company that markets software solutions for such medical analysis laboratories. More precisely, the processor provides the laboratories with tools that support their processing operations. The CNIL’s decision establishes the role of the company as a processor, as it acts on behalf and under the responsibility of the laboratories for the maintenance of the software and, if necessary, the migration to another software product.
Based on the findings of its investigation, the CNIL considered the processor to have failed to comply with several obligations under the GDPR, in particular the obligation to ensure the security of personal data. The three sanctioned breaches are listed below.
1. Failure of the processor to comply with the instructions of the controllers (Article 29 GDPR)
In the context of the migration of the service provider’s software to another updated tool, which was requested by two laboratories using its services, the software provider extracted a volume of data greater than what was requested by the controllers. The company therefore processed data beyond the instructions given by the data controllers.
2. Failure to ensure the security of personal data (Article 32 GDPR)
The CNIL pointed out numerous security shortcomings in the operations of migrating from one software product to another, including:
- Absence of a specific procedure for the operations of data migration.
- Absence of encryption of personal data stored on the server at issue.
- Absence of automatic deletion of the data after migration to the other software.
- No authentication required from the internet to access the public area of the server.
- User accounts shared by several employees in the private area of the server.
- Lack of supervision and security alerts on the server.
As a result of such failures, the investigation revealed that unauthorized third parties gained access to the personal data concerned, which resulted in the disclosure on forums of the file containing the medico-administrative data of the affected data subjects.
3. Failure to implement a data processing agreement (Article 28 GDPR)
Processors and controllers have an obligation to enter into a data processing agreement (DPA). The general terms of service of the processor and the related maintenance contracts did not contain a DPA, resulting in a breach of Article 28 GDPR.
- Failure to implement a DPA can be held against a processor. The service provider has been sanctioned as a processor for its failure to implement a DPA. The CNIL rejected the processor’s argument that, because the conclusion of a DPA is an obligation for both the data controller and the processor, it should not be held solely responsible for this failure. The CNIL noted that the obligation resulting from Article 28 GDPR is incumbent on both the controller and the processor, so the processor remains answerable for its own breach of it.
- Failure at the privacy by design stage by the processor can result in a failure to comply with the controller’s instructions. The concept of privacy by design requires controllers to consider privacy concerns at the outset of data processing practices, rather than applying features retroactively. The CNIL could not accuse the processor of having failed to implement privacy by design requirements in its tool, since that obligation rests on the controller. However, the CNIL’s decision shows that DEDALUS BIOLOGIE’s tool was not designed in a way that would have allowed the company to comply with the controllers’ instructions. Indeed, in the context of migrations, the tool only allowed a total extraction of the patient file of the laboratory concerned, with no possibility of filtering the fields to be exported so as to extract only those requested in accordance with the controller’s instructions. This failure led to a breach of Article 29 GDPR by the processor.
- Processors also can be subject to a significant fine for their own failures. Insofar as the company had been found in breach of Articles 28, 29 and 32 GDPR, the maximum fine that could be imposed was the higher of 10 million euros or 2% of annual worldwide turnover. As the company reported revenues of 16.3 million euros in 2020, the CNIL based its sanction on the maximum fine of 10 million euros, rather than on the 2% of annual turnover threshold (which would not have exceeded 326,000 euros).
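The design point in the bullets above (an export function that can only dump the whole patient file cannot follow a narrower controller instruction) is easier to see in code. The following is an added illustration written for this page, not code from DEDALUS BIOLOGIE or from the CNIL decision; the field names, the sample patient file and the ControllerInstruction structure are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample of a laboratory patient file (fake values, two records).
PATIENT_FILE = [
    {"ssn": "2 85 01 75 123 456 78", "surname": "Durand", "first_name": "Anne",
     "email": "a.durand@example.org", "pathology": "HIV", "physician_id": "MD-0042"},
    {"ssn": "1 90 06 69 987 654 32", "surname": "Martin", "first_name": "Luc",
     "email": "l.martin@example.org", "pathology": "none", "physician_id": "MD-0017"},
]

# Health-related columns (GDPR Art. 9 data) that an instruction must name explicitly.
SPECIAL_CATEGORY = frozenset({"pathology", "pregnancy", "treatment", "genetic"})


class OutsideInstruction(Exception):
    """Raised when an export would go beyond the controller's documented instruction."""


@dataclass(frozen=True)
class ControllerInstruction:       # hypothetical structure for the example
    controller: str                # the laboratory (controller) giving the instruction
    purpose: str                   # e.g. "migration to the new tool"
    allowed_fields: frozenset      # columns the controller asked to migrate


def export_for_migration(records, instruction, requested_fields):
    """Extract only the requested columns, and only if the instruction covers them.

    Returns (exported_rows, audit_entry). Columns the instruction does not cover
    abort the export instead of being silently swept up in a total extraction.
    """
    requested = frozenset(requested_fields)
    excess = requested - instruction.allowed_fields
    if excess:
        raise OutsideInstruction(
            f"{instruction.controller}: fields not covered by instruction: {sorted(excess)}")
    rows = [{name: rec[name] for name in sorted(requested) if name in rec} for rec in records]
    audit = {  # what was exported, for whom and why: evidence of acting on instruction
        "controller": instruction.controller,
        "purpose": instruction.purpose,
        "fields": sorted(requested),
        "special_category_fields": sorted(requested & SPECIAL_CATEGORY),
        "record_count": len(rows),
    }
    return rows, audit


def total_extraction_refused(records, instruction):
    """True if dumping every column present (a full-file export) is refused."""
    every_column = {name for rec in records for name in rec}
    try:
        export_for_migration(records, instruction, every_column)
    except OutsideInstruction:
        return True
    return False
```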