French watchdog fines ad firm €1M over Deezer leak

The French data protection authority (DPA) has imposed a fine of €1 million on advertising company Mobius for leaking data of tens of millions of Deezer users.
In November 2022, the Commission Nationale de l’Informatique et des Libertés (CNIL) was notified of a data breach by Deezer.
The music streaming service provider had discovered that personal information of millions of its users was posted on the dark web. A former subcontractor, Mobius Solutions, was involved in this breach.
In 2023, France’s data protection authority launched a formal investigation into the matter and found that the company had violated the General Data Protection Regulation (GDPR) as a data processor in several ways.
According to the privacy regulator, Mobius retained a copy of the data of more than 46 million Deezer users after the end of their contractual relationship, despite being obligated to delete all of this data at the end of the contract in accordance with Article 28.3 (g) of the GDPR.
The data had been copied by three of its employees without informing the advertising company. This illicit retention of data created a security risk for Deezer users.
In addition, the DPA found that Mobius copied data from Deezer and used it to improve its own services, without the music streaming service provider having given any instructions to do so, which conflicts with Article 29 of the GDPR.
Lastly, Mobius didn’t keep a record of its processing activities, which is mandatory for public or private organizations that process personal data. A processor that processes data on behalf of a data controller must keep a record of the data processed. That’s an infringement of Article 30 of the GDPR.
Based on the severity of the violations, the number of victims of the data breach, and Mobius’ annual global turnover, the French regulator imposed a fine of €1 million.