Privacy Daily is a service of Warren Communications News.
Data on the Darknet

CNIL Fines Personalized Ad Service $1.2M for GDPR Breaches Affecting Deezer

French data protection watchdog CNIL hit Mobius Solutions, a subcontractor that ran personalized advertising campaigns for Deezer, with a 1 million euro ($1.2 million) fine for serious GDPR violations, including failing to delete millions of people's data after ending its association with the music streaming app, the regulator said Friday.

Deezer notified CNIL in November 2022 that data from its users had been put online on the darknet and that Mobius, its former partner, was involved, CNIL said, according to a translation. CNIL's subsequent inspections of Mobius found it failed to meet several of its GDPR obligations as a data processor.

The watchdog imposed the fine and decided to make its decision public based on the severity of the breaches, the number of people affected and Mobius' revenue.

One GDPR violation was Mobius' failure to delete data at the end of the contractual relationship: it retained a copy of the information of more than 46 million Deezer users, CNIL said. Mobius said three of its employees copied the data "without its knowledge." However, CNIL determined Mobius "was responsible for their actions." The unlawful retention created a security risk for people's data, CNIL said.

Mobius also failed to comply with Deezer's instructions as the data controller, the DPA said. It "copied and used Deezer's data without instruction to do so in order to boost the performance of its own services" offering the creation of "personalised ad campaigns."

In addition, Mobius failed to maintain a record of its processing activities for Deezer, also an obligation under the GDPR, CNIL said.

To sanction Mobius, which isn't established within the EU, CNIL held that the processing it carried out in its capacity as a data processor, which consisted of the analysis, segmentation and hosting of user data for Deezer, should be classified as tracking people's behavior. CNIL then had jurisdiction to monitor Mobius' data processing compliance on behalf of Deezer on French territory, it said.

Mobius and Deezer didn't comment Friday.