France, CNIL, 30 October 2018 2018-042
Case summary
Deciding Body
Commission nationale de l'informatique et des libertés
France
National case details
Registration ID: 2018-042
Area of law
Other
Identification of the case
- Protection of personal data (art. 8 CFREU)
- Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, in particular article 45
- Decree No. 2005-1309 of 20 October 2005, as amended, implementing Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (GDPR), in particular Articles 6 and 7
Summary of the case
The CNIL (Commission nationale de l'informatique et des libertés) has carried out audits of the company VECTAURY to verify the compliance of all processing of personal data implemented by the company with the Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties.
It inspected the data processing implemented by VECTAURY, which uses technologies that allow personal data to be collected via multifunction mobile phones and advertising campaigns to be carried out on mobile devices.
This company uses technical tools called "SDKs" that are integrated into the mobile application code of its partners. These SDKs allow the company to collect data from users of multifunction mobile phones even when these applications are not running. The SDK collects the advertising ID of the multifunction mobile phones and the geolocation data of the individuals. This data is then cross-referenced with points of interest determined by partners (store chains) to display targeted advertising on people's devices based on the places they have visited.
VECTAURY also processes, for the purposes of profiling and advertising targeting, geolocation data that it receives via real-time auction offers initially transmitted for the purpose of enabling the company to purchase advertising space.
VECTAURY indicates that it processes this data with the consent of the persons concerned. However, inspections by the CNIL showed that consent is not validly collected. They also found that users' consent was not collected before their personal data was used for advertising profiling. The information given to the user does not explain that their data will be used for this real-time auction system, nor that it will then be stored for the purpose of defining a commercial profile. As with the SDKs, data collection is enabled by default.
- Administrative judicial enforcement
Formal notices for lack of consent to the processing of geolocation data for the purposes of advertising targeting. Necessity to comply with the Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties within a period of three months.
The CNIL found a failure to obtain consent for the data collected via SDKs.
First of all, people are not systematically informed, when downloading mobile applications, that an "SDK" collects their location data. At the time of installation, the user is informed neither of the purpose of advertising targeting nor of the identity of the person responsible for this processing. The information provided in the general conditions of use of the applications comes after data processing, whereas consent requires prior information.
Furthermore, it is not always possible for the user to download the mobile application without activating the SDK. When the two are inseparable, the use of the applications automatically results in the transmission of data to VECTAURY. Such a combination of the personal data of mobile users, for advertising purposes, can only take place if the company can avail itself of one of the conditions provided for in Article 7 of Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties.
The company recently proposed the implementation of a Consent Management Provider (CMP) system to enhance information. However, the CNIL noted that this CMP isn’t systematically implemented in applications. Moreover, it is still unsatisfactory, in particular because the information given to the user is insufficient and the collection of geolocation data is activated by default.
The CNIL also found a failure to collect consent for data obtained from real-time bids for advertising space.
The ad space auction system has enabled the company to collect more than 42 million ad IDs and geolocation data from more than 32,000 applications. These processing operations, based on SDKs and real-time auction bids, present a particular privacy risk: they reveal people's movements and lifestyle habits. Moreover, they are carried out without the data subjects being aware of it and without their being able to exercise the rights provided for in the GDPR.
According to Article 2(h) of Directive 95/46/EC of 24 October 1995, consent shall be understood as any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.
In this respect, the concept of consent, as set out in the GDPR, is no less demanding since it is provided that consent must be given by a clear positive act by which the data subject freely, specifically, knowingly and unambiguously gives his or her agreement to the processing of personal data concerning him or her.
However, it emerges from the checks and analysis of the documents sent to the Commission that the mechanism proposed to users who have downloaded applications from the company's partners does not enable users to give valid consent to the processing carried out by the company.
The company VECTAURY is therefore required to obtain the effective consent of all users concerned. It has also been given formal notice to delete the data that it had unduly collected.
Consequently, the company VECTAURY is given formal notice, within three months of notification of this decision and subject to any measures it may have already adopted, not to process the geolocation data of persons for the purposes of advertising targeting without a legal basis, and in particular to effectively collect the prior consent, under conditions that comply with the provisions of Articles 6 and 7 of the GDPR, of the users of the applications published by the partners of the company VECTAURY, as well as of the users of the applications from which the real-time auction bids originate, to the processing of their data by the company.
VECTAURY has since complied with the law, and the formal notice procedure was closed by a decision of 25 February 2019.
Role of the Charter and role of the general principles on enforcement
Article 8 of the Charter.