The CNIL also uncovered breaches of the rules on supplier contracting and the use of third party cookies. This enforcement decision serves as a valuable reminder on the legal and regulatory expectations for compliance in these areas.
On 28 March 2023, the French data protection supervisory authority ("CNIL") published a fine of €125,000 issued to an electrical scooter company (the "Company") regarding its use of geolocation data.
Although the monetary value of the fine was not particularly eye-catching, the enforcement decision provides valuable insights on the legal and regulatory expectations regarding:
- the application of the concept of data minimisation under the GDPR;
- the mandatory contractual provisions that organisations need to have in place when engaging third party suppliers to support their data processing activities;
- an organisation's responsibilities when facilitating third party cookies and similar technologies on their website or application, particularly with respect to providing transparent information to users and obtaining their consent.
In addition, although this decision was issued by the CNIL as the lead supervisory authority in France, it is important to note that both the Spanish and Italian supervisory authorities were also concerned with this case and did not raise any objections to the CNIL's draft decision. As a result, the CNIL's decision and reasoning on these issues are also likely to reflect the views of data protection regulators in Europe more widely.
This article is based on an unofficial English translation of the CNIL's decision. Although this might not do full justice to the reasoning applied by the CNIL, the key issues and conclusions reached were evident, and they are likely to prompt organisations to take action and review their own positions in relation to the use of tracking technologies, contracting with suppliers and the use of third party cookies (see the Recommended actions section below).
Data minimisation: How did the Company breach this principle?
The Company offers a self-service electric scooter rental service accessible from its mobile application. The scooters are equipped with an on-board location device (comprising a SIM card and a GPS geolocation system) that allows the Company and its users to know the location of the scooters via the mobile application. Importantly, this device collects location data from the scooters every 30 seconds when the mobile application is active and its dashboard is on, whether the scooter is moving or ready to roll.
According to the Company, the collection of location data every 30 seconds was required in order to:
- process traffic offences and customer complaints;
- support the user (e.g. to call for help if a user falls); and
- manage claims and thefts.
The CNIL held that none of these purposes justified the collection of location data at this level of frequency. The CNIL made it clear that this practice is very intrusive in the private life of users insofar as it is likely to reveal their movements, including places visited, and all the stops made during a journey. In addition, the CNIL made reference to EDPB Guidelines 01/2020 in that information relating to the journeys made "are very characteristic in that they…may possibly reveal sensitive information such as religion, through place of worship, or sexual orientation, through places visited" and as a result, organisations should be "particularly vigilant not to collect location data unless absolutely necessary for the purpose of the processing".
In its defence, the Company gave a number of reasons as to why it believed that its processing of location data was necessary for each of the purposes listed above. For example, with respect to customer complaints for overbilling, a user could lose communication with a scooter for technical reasons and therefore fail to properly terminate their scooter session. Collecting the location data every 30 seconds would allow the Company to go back in 30 second increments to identify the length of time the scooter had been stationary.
However, the CNIL was not convinced by this reasoning, making the point that the user has the option to contact the Company to resolve the difficulties and terminate the session – and that it is at this point that geolocation could be triggered (rather than having it "on" every 30 seconds).
The CNIL applied similar reasoning to the other defences that the Company put forward relating to purposes such as user support and the management of claims and theft (which this article does not go into). Ultimately, the CNIL's view was that the Company could offer the same service without geolocating its customers almost continuously.
The CNIL therefore held that the Company failed to comply with the principle of data minimisation under Article 5.1(c) GDPR which requires the processing of personal data to be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". In other words, the collection and almost continuous use of location data in these circumstances was viewed as being "unnecessary" for the Company's stated purposes given that less intrusive means were available to achieve the same outcome/service.
Suppliers: Why were the contracts not GDPR compliant?
As part of its investigation, the CNIL also assessed the Company's contracts with the 15 suppliers that handle personal data on its behalf. It identified certain contracts that were in breach of Article 28(3) GDPR, which sets out the mandatory provisions that need to be included in a contract between a controller (i.e. the Company) and a processor (i.e. the suppliers).
The overarching view of the CNIL is reflected in its reference to EDPB Guidelines 07/2020, in that the mandatory contractual requirements under Article 28(3) "should not merely restate the provisions of the GDPR: rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement".
Examples of the deficiencies in the contracts that were identified by the CNIL include the following:
- Details of processing not included. The contract did not include mandatory information such as: (i) the purpose of the processing undertaken by the supplier; (ii) the duration of the processing; and (iii) the categories of personal data involved.
- Security obligations not specific enough. Although there was a contractual obligation imposed on the supplier to implement technical and organisational measures to ensure a level of security appropriate to the risk, the CNIL found that this obligation was not specific enough. It only described the security objective to be achieved without the means of achieving it, such as a description of the processes or mechanisms to be implemented.
- Right to audit not sufficiently addressed. The contract imposed an obligation on the supplier to answer the Company's questions and provide, on request, any documentation requested. However, it did not expressly impose an obligation on the supplier to allow for and contribute to audits, including inspections conducted by the Company or another auditor mandated by the Company.
- Deletion or return of data not addressed. Although the contract provided for a retention policy and period for the personal data processed, it did not address what happens to the personal data after termination of the contract. In particular, the contract should provide the Company (as controller) with the right to decide whether it wants the processor to delete the personal data or return it following termination.
Third party cookies and similar technologies: How did the Company breach the E-Privacy rules?
According to the Company, it makes use of Google's reCAPTCHA as a user authentication mechanism on its website and mobile application for the sole purpose of ensuring the security of the user when creating an account, connecting to the service and handling the process for forgotten passwords.
The use of reCAPTCHA requires access to information stored on the end-user's device which triggers the application of Article 82 of the French Data Protection Act ("FDPA") (implementing the E-Privacy Directive). This activity therefore requires users to be provided with transparent information and to provide their consent before such access is undertaken (unless an exemption applies). The CNIL found that the Company did not provide any transparent information, nor did it seek to obtain the user's consent.
In its defence, the Company stated that it was exempt from the requirement to obtain consent where the service was requested by the user and where such access to the end-user's device was necessary to ensure the security of the service. In any event, according to the Company, the reCAPTCHA mechanism is directly integrated into the Company's website and includes a link to Google's privacy notice, implying that Google considers itself responsible for the processing activity and the provision of transparent information to the user. Further, the Company stated that it is unable to configure or modify the reCAPTCHA mechanism and therefore does not have the option of integrating a consent checkbox or any additional transparency information.
The CNIL rejected this view on the basis that it was the Company that chose to use the reCAPTCHA mechanism and therefore enabled the access to information stored on the end-user's device. As a result, the CNIL considers that the Company is also responsible for ensuring compliance with Article 82 of the FDPA. In addition, the CNIL found that the reCAPTCHA mechanism was not used solely for the purposes of user authentication and security, but was also being used for data analytics purposes by Google, as specified in Google's general conditions of use. As a result, the exemption from the requirement to obtain consent was not satisfied.
Recommended actions: What steps should organisations take in light of this enforcement decision?
Organisations should consider taking the following steps:
- Identify the processing activities that involve the tracking of individuals (whether using geolocation data or other methods) and ensure that they are proportionate, not excessive, and necessary for your purposes. Where you decide to use tracking technologies such as geolocation, it is important to thoroughly consider whether their use can be 'minimised' by using less intrusive methods where possible (and therefore avoiding their use on an almost continuous basis).
- Review and update supplier contracting templates and playbooks to ensure that the mandatory Article 28(3) GDPR contractual provisions are being incorporated in a manner that 'operationalises' these provisions (not merely restating them).
- Review and monitor the use of third party cookies or similar technologies on your websites (including how such third parties integrate and communicate with your website). In particular, take steps to verify whether any exemptions to the rules on obtaining consent are justified. Where consent is required, ensure that there are appropriate mechanisms in place to obtain it.