The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.
On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).
Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.
On 26 June 2020 the CNIL launched an investigation in response to a complaint submitted by a privacy advocacy NGO (Privacy International). Four online and on-site investigations followed, resulting in a report of the public rapporteur recommending a fine against Doctissimo. Since the website was available in all EU Member States and engaged in cross-border data processing, the CNIL communicated its draft decision to all other EU data protection authorities on 30 March 2023. None of those relevant authorities required the matter to be submitted to the GDPR consistency mechanism.
Doctissimo may appeal the CNIL’s decision within two months. The decision is the most recent related to the processing of health data and reaffirms the rules concerning explicit consent laid down by the CNIL in 2016. The fine for violation of the French Cookies Rule also showcases how this rule continues to be an entry point for investigations, since the regulator can verify compliance with the French Cookies Rule relatively easily through online investigations.
The CNIL’s Decision
The CNIL held that Doctissimo was in violation of four provisions of the GDPR:
- storage limitation under Article 5.1(e);
- consent for the processing of health data under Article 9;
- obligation to conclude an arrangement between joint controllers under Article 26; and
- security obligations under Article 32.
Beyond the fines noted above, no additional penalties were set as all violations had been corrected by the time the decision was published.
The CNIL stated in its decision that it had set a relatively high fine despite the fact that Doctissimo reported a loss in 2021. In setting the fine, the CNIL considered that Doctissimo’s indirect parent company, Reworld Media, recorded a net profit of €42.2 million in 2021.
The CNIL referred to a number of factors in setting the fine, including:
- the fact that Doctissimo had committed multiple violations, including violation of four provisions of the GDPR;
- the large number of data subjects impacted (several million for the violation of the French Cookies Rule); and
- the nature and sector of the website (medical and health-related content).
Under Article 5.1(e) GDPR, personal data may only be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
The CNIL noted that Doctissimo had over-retained the following two categories of data:
Test and quiz results provided by users: Tests and quizzes created by Doctissimo were implemented by a data processor, which retained the results for 24 months together with the users' IP addresses. Doctissimo had asked the processor to anonymise the IP addresses, but the processor merely hashed them with SHA-256 (a hash function, not encryption), which the CNIL did not consider equivalent to anonymisation: an unkeyed hash of an IPv4 address can be reversed by hashing every possible address and matching the result, so the data remains pseudonymous rather than anonymous. Although the violation resulted from the processor's breach of the data processing agreement, the CNIL still held Doctissimo liable, finding that it had been negligent in selecting and monitoring the processor, among other things by failing to audit it regularly.
Data related to Doctissimo accounts: Doctissimo’s retention policy states that data related to user accounts should be anonymised after three years of inactivity. However, the CNIL flagged that Doctissimo had not only retained each unique user ID beyond three years, but had also merely replaced each username with a randomly generated string of letters and numbers rather than deleting it. Since that replacement remained visible on the website, users could still be identified by the remaining information. Therefore, such a process did not amount to anonymisation. Doctissimo has since adopted a new policy that involves the deletion of all usernames and unique IDs after three years of inactivity, including on the website.
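The following example is added here to illustrate the IP-address point from the test-and-quiz finding; it is not code from the decision or from Doctissimo or its processor. It hashes a constructed sample address the way the processor did (unkeyed SHA-256), recovers it by enumerating a network range, and then shows two alternatives: a keyed HMAC, which defeats offline enumeration but is still pseudonymisation under the GDPR, and prefix truncation, which discards the host part before storage. The address, the key and the /16 search range are assumptions chosen so the run finishes quickly.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample address from the 203.0.113.0/24 documentation range.
SAMPLE_IP = "203.0.113.42"


def sha256_ip(ip: str) -> str:
    """Unkeyed SHA-256 of the textual address, as in the decision."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def recover_ip(digest: str, network: str) -> Optional[str]:
    """Reverse an unkeyed hash by enumeration.

    IPv4 has only 2**32 addresses, so anyone holding the digests can hash
    every address and match them. The search is restricted to one network
    here so the example runs in well under a second; the whole space is a
    matter of minutes on commodity hardware.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(sha256_ip(str(addr)), digest):
            return str(addr)
    return None


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the controller.

    Without the key the enumeration above fails. Whoever holds the key can
    still single out and link a visitor, so this is pseudonymisation, not
    anonymisation: the key needs the same protection and retention limits
    as the data it protects.
    """
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def truncate_ip(ip: str, prefix_len: int = 24) -> str:
    """Coarsen the address to its network prefix (a /24 by default).

    The original address cannot be recovered from the stored value; the
    value may still be personal data when combined with other identifiers.
    """
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.network_address)


if __name__ == "__main__":
    key = b"constructed-secret-key-for-demo-only"  # assumption: a real key comes from a KMS/secret store
    print("unkeyed digest recovers:", recover_ip(sha256_ip(SAMPLE_IP), "203.0.0.0/16"))
    print("keyed digest recovers:  ", recover_ip(keyed_pseudonym(SAMPLE_IP, key), "203.0.0.0/16"))
    print("truncated address:      ", truncate_ip(SAMPLE_IP))
```

The enumeration uses the same function the processor would have used, which is the point: a hash with no secret input is a deterministic map from a small set, and the set of IPv4 addresses is small. Neither alternative turns the records into anonymous data on its own; whether they are needed at all after the quiz result has been delivered is the retention question the CNIL actually asked.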
Processing of Health Data
Under Article 9 GDPR, special categories of data (such as data concerning health) cannot be processed unless one of the conditions in Article 9 is met. One such condition is the data subject's explicit consent for one or more specified purposes under Article 9.2(a).
The CNIL noted that in order for consent to be explicit, the user must be made aware, even when the processing of health data is obvious by the nature of the activity, that sensitive data will be processed and stored by the data controller. According to the CNIL, the data controller should provide explicit information that sensitive data such as health data will be processed when consent is collected.
Under Article 26 GDPR, when “two or more controllers jointly determine the purposes and means of processing”, they are considered joint controllers and must determine their respective responsibilities for GDPR compliance through an arrangement.
The CNIL found that Doctissimo was in breach of Article 26 as it did not enter into written contracts with its joint controllers, one related to advertising space on the website and another to the use of technical tools.
According to Article 32 GDPR, the controller or processor must implement security measures “to ensure a level of security appropriate to the risk”.
The CNIL found that Doctissimo's use of plain HTTP rather than HTTPS (HTTP over TLS) constituted a violation of Article 32, since both the CNIL's own Guide on the Security of Personal Data and the guidelines of the French Information Security Agency (ANSSI) call for websites to use HTTPS/TLS. Plain HTTP leaves everything exchanged with the site, including login credentials and forum or quiz input, exposed to interception and modification on the network.
In addition, the CNIL found that storing user passwords hashed first with MD5 and then with bcrypt (two hash functions, not "double encryption") was not sufficiently secure and constituted another violation of Article 32. Again, the CNIL relied on its own 2017 recommendations and on general recommendations by ANSSI to support this assessment. Specifically, the CNIL stated that MD5 is obsolete and that using MD5 in conjunction with bcrypt introduces a vulnerability; the decision as reported here does not spell out the vulnerability further.
The fact that no data breach had been documented was not considered a mitigating factor.
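As an added illustration of the password-storage point (not code from the decision or from Doctissimo), the following example shows what a compliant replacement looks like and how to retire a legacy MD5 scheme without forcing a password reset: a salted, memory-hard hash (scrypt from the Python standard library, chosen here as an assumption; bcrypt or Argon2 would serve equally) stored in a self-describing record, constant-time comparison, and an upgrade-on-login path that rehashes a legacy record the first time the plaintext is available again. The legacy record format `md5$<hex>` and the user table are constructed for the example. The point of the upgrade path is that MD5 disappears from the chain after one successful login, rather than remaining permanently in front of the stronger function.

```python
import base64
import hashlib
import hmac
import os

# Current cost parameters; raise SCRYPT_N as hardware allows.
# Memory use is 128 * r * N bytes (16 MiB with these values).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Per-user random salt, memory-hard KDF, self-describing record: scrypt$N$r$p$salt$key."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def legacy_md5_record(password: str) -> str:
    """Assumed legacy format (unsalted MD5), used only to seed the demo table."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> bool:
    """Check a password against a stored record; the digest compare is constant-time."""
    scheme, _, rest = record.partition("$")
    if scheme == "scrypt":
        n, r, p, salt_b64, key_b64 = rest.split("$")
        key = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                             n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
        return hmac.compare_digest(key, base64.b64decode(key_b64))
    if scheme == "md5":
        # Legacy branch: kept only so existing accounts can be verified once and
        # upgraded in login(); delete it once no md5$ records remain.
        return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), rest)
    return False


def needs_rehash(record: str) -> bool:
    """True for legacy records and for scrypt records below the current cost."""
    scheme, _, rest = record.partition("$")
    if scheme != "scrypt":
        return True
    n, r, p, _, _ = rest.split("$")
    return int(n) < SCRYPT_N or int(r) < SCRYPT_R or int(p) < SCRYPT_P


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a weak record while the plaintext is in hand."""
    record = users.get(username)
    if record is None:
        # Spend comparable work so unknown usernames are not faster to probe.
        hashlib.scrypt(b"x", salt=b"\0" * SALT_LEN, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed user table: one legacy MD5 account, one current account.
    users = {
        "alice": legacy_md5_record("correct horse"),
        "bob": hash_password("battery staple"),
    }
    print("alice legacy login:", login(users, "alice", "correct horse"))
    print("alice record scheme now:", users["alice"].split("$")[0])
    print("alice wrong password:", login(users, "alice", "wrong"))
```

Because the cost parameters are stored in each record, `needs_rehash` also catches records created under an older, cheaper configuration, so raising `SCRYPT_N` later migrates accounts the same way. Accounts that never log in keep their legacy record; those should be forced to reset or be deleted under the retention policy rather than left indefinitely.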
The French Cookies Rule
The CNIL found that Doctissimo had:
- deposited an advertising cookie on users’ terminals without their consent as soon as they had arrived on Doctissimo’s landing page; and
- deposited two advertising cookies on users’ terminals despite their refusal, which was indicated by the users who clicked on the “Refuse All” button on the website’s cookie banner.
The CNIL decision serves as a reminder of the standards that regulators use when assessing whether “explicit consent” as required under Article 9 GDPR has been obtained for processing sensitive information. Moreover, we continue to see that violations of the French Cookies Rule can be used as an entry point for triggering scrutiny and enforcement action by the CNIL, since violations can easily be identified. To minimise the risk of enforcement, data controllers should:
- ensure that processing of sensitive information is compliant with Article 9 GDPR, and if processing is based on consent, ensure that separate, explicit consent regarding sensitive information is obtained;
- enter into a written data processing agreement with joint controllers and data processors and regularly monitor their execution, including through appropriate audit procedures regarding data processors;
- ensure that appropriate cookie banners are implemented and no advertising or performance cookies are deposited without consent; and
- consider technical guidelines issued by agencies such as the French Information Security Agency (ANSSI) or the European Union Agency for Cybersecurity (ENISA) when implementing technical security measures related to personal data processing.