France’s data regulator has said the company subcontracting for Deezer engaged in behavioural monitoring of EU users despite operating outside of the bloc, issuing a fine for multiple GDPR breaches.

The CNIL today said it had found Mobius Solutions, an Israel-based marketing technology provider, liable as a processor for GDPR infringements linked to a large-scale breach affecting users of music streaming service Deezer.
Although Mobius operates outside of the EU, the CNIL applied the GDPR extraterritorially because the processing “related to the monitoring of behaviour” of EU data subjects: Mobius created user segments for Deezer for personalised advertising, using socio-demographic and service-usage data including listening behaviour. The CNIL added that the creation of such segments was sufficient to characterise monitoring, whether or not they were actually used by Deezer.
Linklaters partner Sonia Cissé told Lexology PRO the CNIL adopted “an expansive view” of behavioural monitoring in this case and it signified that “regulators are taking an assertive view of the GDPR’s territorial scope, particularly for non‑EU processors in marketing and analytics.”
“Profiling confined to a single service, and even the mere creation of behavioural segments (whether or not they are used in campaigns), is enough to qualify as monitoring,” Cissé said.
“This is consistent with GDPR and European Data Protection Board guidance, and in practice means that many routine CRM, personalisation and analytics activities based on detailed usage data will be treated as behavioural monitoring, pulling numerous non‑EU vendors within the GDPR’s territorial scope where EU users are affected,” she added.
The decision stems from an investigation opened by the CNIL in September 2023 after Deezer sent notification of a personal data breach affecting several million users of the platform worldwide in November 2022, including 9.8 million in France alone. Deezer said the likely source was former subcontractor Mobius, and in January 2023 concluded the breach “most certainly” originated from Mobius’ systems.
The CNIL today said Mobius breached key processor duties by copying non-anonymised Deezer data into its own non-production testing environment in April 2019 without authorisation. Mobius later admitted this data was accessible to third parties and unsecured at the time of the breach. The regulator also found Mobius kept a copy of more than 46 million users’ data until October 2023 despite the contract ending in December 2020 and failed to keep mandatory processing records.
Cissé noted the decision “illustrates the GDPR’s deliberate shift towards holding processors directly to account by enforcing their standalone regulatory obligations” and shows that behavioural processing is “being interpreted broadly and pragmatically, in line with how modern digital services actually operate.”
Mobius Solutions Limited did not respond to a request for comment.