Breaches of data subjects' rights on the internet

15 April 2009

Claire Romac

The CNIL (Commission nationale de l'informatique et des libertés) issued a warning against the website entreparticuliers, which specialises in putting real estate buyers and sellers in contact with each other. The website had breached the rules on unfair collection of personal data, provision of information to users and security measures, and the CNIL’s warning was highly publicised.

On 20 May 2008, the CNIL issued a warning against the website after receiving a number of complaints. The complaints were related to a number of issues, including security failures that enabled users to access other users’ accounts, the fact that data could not be erased or corrected, and direct marketing by real estate agencies.

The CNIL first sent a cease-and-desist letter to the website and then carried out on-site investigations to verify whether the breaches listed in its letter had been remedied. The CNIL noticed that:

  • a security breach enabled users to access other users’ accounts;

  • data were being retained indefinitely;

  • the website did not comply with the obligation to inform users (it provided incomplete information notices and did not correct the data when requested by the users); and

  • commercial emails were sent to users without their prior consent.

This warning illustrates the current approach of the CNIL and French courts towards unfair collection of personal data and sending unsolicited commercial emails.

Unfair collection of personal data

This is not the first time that a data controller has been sanctioned for unfair collection of personal data. By way of example, a French company was sanctioned by the criminal section of the Paris Court of Appeal on 18 May 2005 for having unfairly collected email addresses. It had collected information from forum members and from individuals registered on online professional directories, without informing them beforehand, in order to create a database for sending commercial emails.

Sending commercial emails and data subjects' personal data

Under French law, data subjects must give their prior consent to receiving commercial emails or text messages. However, most sites do not comply with this requirement and use data subjects’ email addresses to send them commercial emails or disclose their address to partners that will in turn send them commercial emails.

In the last few months, sending commercial emails without data subjects’ prior consent has been the most frequently sanctioned breach by the CNIL.

The CNIL construes the obligation to obtain data subjects’ prior consent before sending commercial emails or text messages very broadly, and has decided that mobile users' prior consent is also needed to send Bluetooth messages. The CNIL considers that a MAC address (Media Access Control address) and a Bluetooth login constitute personal data. Additionally, when commercial messages are sent to mobile phones equipped with Bluetooth technology, asking the user to accept the Bluetooth connection does not constitute valid consent, as the request comes too late.

Data subjects are aware of their rights regarding unsolicited commercial emails and are increasingly willing to complain to the CNIL and to file criminal complaints. The Versailles Court of First Instance recently ruled that a website’s terms and conditions were void and ordered the website to pay damages of €300 000. Those terms and conditions simply stated that the company and its affiliates were authorised to send commercial emails to its customers; the court held that this meant the data subjects' consent had been obtained in an unfair manner.

Due to the increase in complaints by individuals related to unsolicited commercial emails, a website named “signalspam” has been created. This website, to which internet users can forward unsolicited commercial emails, forwards the complaints and emails to the CNIL department that is in charge of filing criminal complaints.

Security breach

The warning against entreparticuliers was based on the fact that users could access other users’ accounts. The CNIL regularly sanctions data controllers for this reason, and had already issued a warning in 2003 to a bank which had used a processor to send bank statements to its clients by post, where several clients received statements relating to other clients. Under the French Data Protection Act, the data controller must implement measures to ensure the security and confidentiality of personal data. In France the data controller is not under an obligation to notify data subjects in the event of a security breach, and making a notification would be contrary to data controllers’ interests. In the event of a security breach, the French courts and the CNIL consider that the data controller is liable for any breach of security, even where the breach is in fact the fault of processors appointed by the data controller.