France: CNIL fines EDF €600,000 for data security and transparency violations
The French data protection authority ('CNIL') announced, on 29 November 2022, that it had issued, on 24 November 2022, deliberation No. SAN-2022-021, in which it imposed a fine of €600,000 against Electricité de France ('EDF'), for violations of Articles 7(1), 12, 13, 14, 15, 21, and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as Article L. 34-5 of the Post and Electronic Communications Code (last amended in 2016) ('the Communications Code'), following an investigation.
Background of the case
In particular, CNIL outlined that it carried out an inspection of EDF, following several complaints concerning the difficulties encountered by people in having their rights taken into account by EDF.
Findings of CNIL
As a result of its investigation, CNIL determined that EDF did not obtain prior valid consent from the individuals concerned for a commercial prospecting campaign, in violation of Article 7(1) of the GDPR and Article L. 34-5 of the Communications Code. In addition, CNIL confirmed that EDF breached:
- the obligation to inform people under Articles 13 and 14 of the GDPR, as the website did not specify the legal basis corresponding to each data use, the precise duration of storage, and precisely where the data came from, among other things;
- the procedures for exercising rights under Article 12 of the GDPR, as EDF did not respond to certain complaints within one month; and
- the right of access according to Article 15 of the GDPR and the right to object in line with Article 21 of the GDPR, as EDF provided inaccurate information on the source of collected data and did not take into account objections received for commercial prospecting.
Furthermore, CNIL explained that EDF also breached the obligation to ensure the security of personal data, since the passwords for accessing the customer area of the prime energy portal for more than 25,000 accounts were stored in an unsecured manner until July 2022: the passwords were only hashed, without having been salted (adding random characters to the password before hashing, so that a password cannot be recovered simply by comparing hashes), which put them at risk.
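To make the security point above concrete, the following is an added Python example (not code from the CNIL decision or from EDF) contrasting the storage practice criticised by CNIL, a bare hash of the password, with per-user salted hashing through a slow key-derivation function. The sample usernames and passwords are constructed, and the audit helper that groups accounts sharing a digest is an assumed illustration of how a defender can spot an unsalted store: identical passwords produce identical digests, so duplicates are visible without any cracking.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample credentials (not from the decision). Two users chose the
# same password, which is exactly the case an unsalted store exposes.
SAMPLE_PASSWORDS = {
    "alice": "Winter2022!",
    "bob": "Winter2022!",
    "carol": "correct horse battery",
}

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def hash_unsalted(password: str) -> str:
    """The weak practice: a plain SHA-256 of the password.

    Deterministic, so equal passwords give equal digests, and a precomputed
    table of common passwords can be matched against the whole store at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """The expected practice: a fresh random salt per account plus a slow KDF.

    Returns (salt, digest). The salt is stored alongside the digest; it is not
    secret, it just makes every digest unique and defeats hash comparison.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def build_unsalted_store(passwords: Dict[str, str]) -> Dict[str, str]:
    """Simulate a credential table built the way CNIL criticised."""
    return {user: hash_unsalted(pw) for user, pw in passwords.items()}


def build_salted_store(passwords: Dict[str, str],
                       iterations: int = PBKDF2_ITERATIONS) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate a credential table with per-user salt and PBKDF2."""
    return {user: hash_salted(pw, iterations=iterations) for user, pw in passwords.items()}


def duplicate_digest_groups(store: Dict[str, str]) -> List[List[str]]:
    """Audit helper (assumed, for illustration): list groups of accounts whose
    stored digests are identical. A non-empty result on a password table is a
    strong indicator that no per-user salt was applied."""
    by_digest: Dict[str, List[str]] = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)


if __name__ == "__main__":
    weak = build_unsalted_store(SAMPLE_PASSWORDS)
    print("accounts sharing a digest in the unsalted store:", duplicate_digest_groups(weak))

    strong = build_salted_store(SAMPLE_PASSWORDS)
    distinct = len({digest for _, digest in strong.values()})
    print("distinct digests in the salted store:", distinct, "of", len(strong))

    salt, digest = strong["alice"]
    print("alice login with correct password:", verify_salted("Winter2022!", salt, digest))
    print("alice login with wrong password:", verify_salted("Summer2022!", salt, digest))
```

The audit helper is the part worth keeping: run over a real credential table it should return an empty list, because with per-account salts two users who picked the same password still end up with different stored digests. The iteration count is a tunable cost parameter; it is passed explicitly so a test can use a smaller value without changing the stored format.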
In calculating the fine, CNIL considered the breaches identified, as well as the cooperation of the company and all the measures it took during the procedure to bring itself into compliance on all the shortcomings with which it was charged.
Accordingly, CNIL imposed a fine of €600,000 on EDF and published the deliberation.