23 March 2021

Data Blast: French authorities find that a data processor is also liable for inadequate security leading to data breach and more…

See below for the latest Data Blast from our legal team: French authorities find that a data processor is also liable for inadequate security leading to data breach; Florida city’s water supply targeted by hackers; European Commissioner seeks to dampen expectations of a quick solution for EU-US data transfers; Report reveals UK government testing of controversial surveillance tools…

French regulator fines data controller and data processor for security failings

On 27 January 2021, the French data protection authority (CNIL) announced the imposition of a fine of €150,000 against an anonymous data controller, and a €75,000 fine against its data processor, for failing adequately to protect consumer personal data against a series of ‘credential stuffing’ attacks (more on which below) on the data controller’s website. CNIL decided not to publicise its decision or the names of the sanctioned companies.

Between June 2018 and January 2020, the CNIL received several data breach notifications regarding a popular online shopping website. The CNIL decided that it would investigate both the data controller that owned the website, as well as the service provider (data processor) that operated the site on the controller’s behalf. The CNIL’s investigation concluded that the website had suffered several credential stuffing attacks, which the controller and processor had failed adequately to guard against.

Credential stuffing is a type of cyberattack in which credentials obtained from one data breach are used to attempt to log in to other unrelated services, usually via large-scale automated login requests. The CNIL’s investigation found that the attackers were able to access roughly 40,000 customer accounts between March 2018 and February 2019, exposing user email addresses, first and last names, dates of birth, account balances and order histories.

The CNIL found that the data controller and processor had failed to provide adequate security for consumers’ personal data, as required under Article 32 of the General Data Protection Regulation (GDPR). It was held that the companies had not acted quickly enough following the initial attack, having developed a security tool to block further attacks only a year after the attacks began. The CNIL held that the companies could have enacted other measures to prevent attacks or mitigate negative consequences for impacted consumers, including using a CAPTCHA during login attempts to seek to prevent bots from gaining access, or limiting the numbers of requests per IP address on the site.

In deciding to fine both the controller and processor, the CNIL highlighted that the decision to implement appropriate security measures lies with the controller, but the processor was also responsible for identifying necessary solutions for meeting adequate security requirements, and proposing these to the data controller.

Hackers attempt to poison Florida city’s water supply

On 8 February 2021, the sheriff of a small Florida city announced that hackers had attempted to poison the city’s water supply. The sheriff announced that the Oldsman, Florida water treatment system, serving over 15,000 people, was hacked into, and that the attackers had attempted to flood the water supply with levels of sodium hydroxide greater than 100 times the normal amount. The attackers accessed the system by hacking an on-site PC, and attempted to use the machine to increase the sodium hydroxide levels.

The compound, also known as lye, is used to raise water pH levels and reduce acidity, as well as to minimize the amount of heavy metals in the water. However, at higher concentrations it can cause skin and eye irritation, as well as more serious injuries. Fortunately, a plant employee noticed the concentration level changes and reversed them immediately, and the water supply was ultimately unaffected.

On 5 February, an on-site operator logged into a PC and noticed the system had already been accessed that day. For several hours, the operator lost control of the computer’s mouse and watched as it navigated the plant’s operating system. Once the attackers had finished adjusting the sodium hydroxide concentrations, they discontinued their remote access, at which point the operator alerted his supervisor.

Local officials stated that other safeguards existed which would prevent the high concentrations of sodium hydroxide from entering the main water supply; however, remote access of on-site PCs has now be disabled. The incident comes at a time of heightened awareness of the vulnerabilities of public bodies to cyber attacks; the Solar Winds hacking incident discovered in December 2020 is believed to have impacted numerous federal and state level bodies in the US, as well as many private sector organisations.

EU-US Privacy Shield replacement may be years away

A top EU official has warned that negotiations with the US regarding a new data-transfer framework could take years instead of months.

In an interview, EU Justice Commissioner Didier Reynders stated that it will be difficult to craft a new agreement that protects the personal data of Europeans from US law enforcement and intelligence services. Mr. Reynders office is in charge of EU negotiations concerning international data transfers, while US Secretary of Commerce Gina Raimondo, confirmed by the US Senate on 2 March, will be responsible for negotiating a replacement deal with EU officials.

While Ms. Raimondo has identified EU-US data flows as a priority for her office, Mr. Reynders explained that a ‘quick fix’ is unlikely, and the offices are yet to contact one another regarding a replacement agreement.

As previously reported here, the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield agreement in July 2020. Of specific concern to the CJEU was the potential exposure of Europeans’ data to US government surveillance. Certain US law, including section 702 of the US Foreign Intelligence Surveillance Act, provide for US authorities to access Europeans’ data, without affording them the same rights as Americans to challenge illegal surveillance. Mr. Reynders said that any new agreement must guarantee that European personal data will not be subject to US surveillance, and also that Europeans could seek redress in American court in their information is accessed.

Mr. Reynders stated that if federal legislation were passed in the US to address these pitfalls, it would be an important step toward mending the current impasse between the EU and US on data matters. Mr. Reynders noted that the patchwork of state level data protection law which has arisen in recent years is a helpful development that could lead to a further agreement he suggested that federal US legislation would not need to mirror the GDPR in order for an agreement to be reached, but that the jurisdictions should share similar data principles. Many US companies, he suggested, would easily adjust to any new US rules seeking to bridge the divide with the EU, having already aligned their data personal practices with the GDPR. Mr. Reynders also expressed hope that the US and EU could hold discussions regarding data protection with China, Russia and other countries.

Prior to the invalidation of the Privacy Shield last summer, the Safe Harbour agreement, which previously governed EU-US data transfer, was also ruled illegal by the CJEU in 2015. Both rulings stemmed from lawsuits brought by Austrian privacy advocate Max Schrems; Mr. Reynders voiced his hope to avoid a ‘Schrems 3’ decision.

Controversial surveillance tools being trialled by UK agencies

On 11 March 2021, Wired magazine reported that, as part of a government trial, two internet service providers have for two years been tracking and collecting the websites visited by customers, in an effort to assess whether a national bulk surveillance system would aid national security and law enforcement efforts.

The trials, being run by two unnamed internet providers, together with the Home Office and the National Crime Agency, are being conducted pursuant to the 2016 Investigatory Powers Act, and result in the creation of ‘internet connections records’ (ICRs). ICRs are metadata regarding which websites customers visit, when they do so, and what information they download, as well as apps used and user IP addresses. According to the Investigatory Powers Commissioner’s Office annual report, the first trial commenced in July 2019, and the second trial commenced in October of 2019.

The powers available under the Investigatory Powers Act have been contentious since the law was passed, and it had been argued that the law might prevent the UK from being granted adequacy decision by the European Commission (EC) post-Brexit. However, as we have previously reported (here), adequacy findings by the EC are presently being considered by representatives of the EU Member States and are expected to be confirmed in the coming months.

As noted above, adding to the surrounding debate about access to personal data in the interests of national security, are the ongoing discussions between the EC and the US government to seek to replace the invalidated Privacy Shield program. A difficulty for the EC in determining whether non EU countries have adequate data protection regimes, is that EU Member States’ own national security practices are not subject to the same level of scrutiny as those of ‘third countries’ seeking to be considered adequate; that approach leaves the EC open to criticism that a double standard is at play when assessing other countries’ data protection laws.

For more information please contact Partner, James Tumbridge at