French broadcasting company Groupe Canal+ was recently fined €600,000 by the French data protection authority (CNIL) for multiple violations of the EU’s General Data Protection Regulation (GDPR).
The CNIL’s investigation uncovered several areas where Canal+ was non-compliant:
- Invalid consent for direct marketing activities, including insufficient transparency over data sharing with partners
- Inadequate information provided to individuals creating accounts or receiving sales calls
- Slow response times for data subject rights requests
- Insufficient data security and supplier oversight measures
- Failure to report a data breach within 72 hours
The data breach in question exposed the contact details of around 10,000 Canal+ subscribers over a period of 5 hours. According to the CNIL's report the breach was relatively minor in scope: it exposed users' phone numbers and postal addresses, and the data was accessible only to other Canal+ users. The number of Canal+ users who may have had unauthorised access to the data was estimated at between 7 and 777.
Regardless, Canal+'s failure to report it reflected poorly on its GDPR accountability practices.
What Constitutes a Data Breach Under GDPR?
Under GDPR (Article 4(12)), a personal data breach is defined broadly as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Crucially, a breach does not require any malicious intent – accidental disclosures and honest mistakes qualify just as much as attacks.
Examples of common data breaches include:
- Hacking or malware attacks
- Loss or theft of data storage devices
- Employee mistakes such as emailing data to the wrong recipient, or placing a list of recipients in CC rather than BCC so that every recipient can see the others' email addresses
- Poorly configured cloud storage platforms exposing data publicly
Data Breach Reporting Requirements
For any breach likely to result in a risk to individuals' rights and freedoms, GDPR requires notification to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Where the breach is likely to result in a high risk to individuals, the organisation must also inform the affected individuals without undue delay. Even where no notification is required, the organisation must keep an internal record of the breach, the reasoning behind the risk assessment and the remedial action taken.
When notifying authorities, organisations must describe the nature of the breach (including, where possible, the categories and approximate number of individuals and records affected), provide the contact details of the data protection officer or another point of contact, set out the likely consequences, and describe the measures taken or proposed to address the breach and mitigate its effects.
Under the UK's GDPR rules, failure to report breaches can lead to fines of up to £8.7 million or 2% of global annual turnover (whichever is higher) for less serious violations, or £17.5 million or 4% of global annual turnover (whichever is higher) for more serious ones.
The EU's GDPR allows for fines of up to 10 million euros or 2% of global annual turnover (whichever is higher) for standard violations, and up to 20 million euros or 4% of turnover (whichever is higher) for more serious ones. The breach notification obligation itself (Article 33) sits in the lower tier; the higher tier covers failures such as breaching the basic processing principles, the conditions for consent, or data subject rights.
That said, it would be highly unusual for a fine to reach such levels solely for failing to report a data breach. The calculation of a fine is more complex, and a large penalty is typically the result of multiple failure points in an organisation's GDPR compliance, as in the Canal+ case. Additionally, regulators have been reluctant to issue fines that test the upper limits of the GDPR ranges, with the exception of some financial penalties aimed at serial big tech offenders.
While Canal+'s breach was relatively minor, its lack of transparency failed to meet the regulator's standards. With GDPR enforcement continuing to ramp up, organisations should ensure they have suitable data protection governance and risk management practices in place, including a tested incident response process that can assess a breach and get a notification to the supervisory authority within the 72-hour window.