The French data protection Supervisory Authority (the CNIL) has issued a fine totaling EUR 400,000 against Monsanto for failing to inform individuals whose personal data was collected and processed for lobbying purposes.
Further to the revelation by several media outlets, in May 2019, that Monsanto kept records on more than 200 political and civil society figures (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe, the CNIL received seven complaints from individuals whose personal data was included in those records. The records contained professional details (e.g. company name, position, business address, business phone number, mobile phone number, business email address and Twitter account), along with a score of 1 to 5 intended to evaluate each person’s influence, credibility and support for Monsanto on various topics such as pesticides or genetically modified organisms.
Failure to inform individuals about the data processing operations (Art. 14 GDPR)
The CNIL considered that the company had disregarded applicable law by not informing the persons concerned of the recording of their personal data in those records. This information requirement, which applies regardless of how the personal data was acquired in the first place, is a cornerstone of GDPR to the extent that it allows individuals to exercise their rights, including the right to object.
Finally, it noted that the breach was not addressed until several years after the implementation of the processing, after several media outlets revealed its existence.
The creation of specific records for lobbying purposes is not, per se, unlawful. However, in order to be lawful, such records must comply with GDPR’s requirements. Among those requirements, the CNIL stated that only individuals who could reasonably expect, due to their reputation or activity, to be contacted with regard to the subject matter could be included in such records. Furthermore, while it is not mandatory to obtain the prior explicit consent of such individuals, the data collection must be implemented lawfully, starting with properly informing individuals of the existence of the records so that they can exercise their rights under GDPR.
The CNIL noted that the persons whose personal data had been collected were not informed of the data processing operation until 2019, and only further to the revelation of the practice by media outlets.
Art. 14 GDPR mandates that, when the personal data is not collected directly from the data subjects, the data controller must inform them of the specifics of the processing operations and their rights under GDPR within 30 days from the acquisition of their personal data unless:
- the information has already been provided beforehand;
- the provision of such information proves impossible or would involve a disproportionate effort, which was not characterized here inasmuch as the very purpose of the records was to contact the individuals in question;
- obtaining or disclosure is expressly laid down by Union or Member State law to which the data controller is subject, which is not applicable to lobbying activities; or
- where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy, which was not the case here.
Consequently, the individuals should have been informed of the data processing operations Monsanto had been carrying out.
The CNIL also pointed out that not informing data subjects of the existence of a processing operation necessarily undermines the exercise of their rights under the GDPR. Information is an essential right that conditions the exercise of other rights (rights of access, objection, erasure, etc.) enjoyed by individuals. The investigated practices effectively prevented such individuals from exercising such rights for several years.
Failure to safeguard the data processing operation when involving service providers (Art. 28 GDPR)
Furthermore, the CNIL’s investigation revealed that these practices had been carried out on behalf of Monsanto by several companies specialized in public relations and lobbying, as part of a major advocacy campaign. The CNIL therefore took into consideration that Monsanto had failed to implement contractual guarantees to govern relations with its service providers. The CNIL stated that, as the data controller for the processing operations considered, Monsanto had the obligation to provide a legal framework for the processing carried out on its behalf by its processors, in particular in order to provide for data security guarantees.
The CNIL’s investigation revealed that none of the relevant contracts included so-called “data processing agreements”, as mandated under Art. 28 GDPR.