Data protection and the associated data breaches have been a much-discussed topic since the GDPR came into force. Today, we would like to present a case that already made waves before the GDPR. On June 7, 2018, Optical-Center, a French company, was fined €250,000.
Previous story
Optical-Center is a company that manufactures optical glasses for customers. Customers can order appropriate visual aids on the company’s homepage.
In 2017, the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) was informed that the company’s website was not sufficiently secured. By simply changing the website address (URL), unauthorized persons were able to access customers’ personal data. It was not only possible to retrieve names, addresses and telephone numbers, but also medical data that customers had provided when ordering glasses (e.g. diopters, so that the glasses would be manufactured with the appropriate prescription), .
The company was notified of this gross data protection violation by the data protection authority. The company responded immediately by commissioning its service provider to close this gap.
Legal assessment
Access to third-party data records must be prevented by technical measures. The system would thus have had to check whether the user had the authorization to check the requested records at all and would then have had to deny access if necessary. However, on Optical-Center’s website, this review was missing. This is not a minor bug, but a fundamental architectural flaw in the software used.
The data protection authority recognized this deficiency and imposed a fine of € 250,000, the highest penalty in its history. Nevertheless, the data protection authorities did not exhaust the penalty range by a long shot, as the maximum possible penalty is three million euros. Optical-Center’s quick action certainly had a mitigating effect on the punishment here.
Although the penalty was imposed only on June 7, 2018, the GDPR did not apply in this case. Since the data breach occurred in 2017, the data protection law at the time applied. The rules and penalties of the GDPR only take effect for violations after May 25, 2018.
Conclusion
The case shows that serious data protection violations could already result in severe fines even before the GDPR. With the GDPR, the range of penalties has been further increased and it can be assumed that the penalties imposed will rise. Data protection and data security have come into focus with the General Data Protection Regulation, so a data protection breach due to inadequate safeguards will be subject to higher penalties in the future.
Particular attention should be paid to Article 24 (Responsibility of the controller) and Article 83 (General conditions for imposing financial penalties) of the GDPR.