CNIL Fines Mobius Solutions €1 Million Over Deezer Data Breach
Key Takeaways
- €1 Million Fine Issued: The CNIL fined Mobius Solutions for multiple GDPR breaches tied to its role as a processor for Deezer.
- Data Retention Failures: The company unlawfully retained data relating to more than 46 million users after its contract with Deezer ended.
- Unauthorized Data Use: Deezer user data was copied and reused without instruction to improve Mobius Solutions’ own services.
- Record-Keeping Lapses: The processor failed to maintain mandatory records of processing activities.
- Extraterritorial Enforcement: The CNIL confirmed GDPR applicability and its jurisdiction despite Mobius Solutions being based outside the EU.
Deep Dive
France’s data protection authority has fined Mobius Solutions €1 million after finding that the company, acting as a processor for music-streaming platform Deezer, failed to comply with core General Data Protection Regulation (GDPR) obligations tied to subcontracting and data handling.
The penalty, imposed by the CNIL’s restricted committee on 11 December and made public this week, follows a data breach first disclosed by Deezer in November 2022. At the time, Deezer reported that user data had been posted on the dark web and that Mobius Solutions, a former service provider involved in personalized advertising campaigns, was implicated.
Following the notification, the CNIL launched documentary investigations into Mobius Solutions across 2023 and 2024. Those inquiries ultimately led the authority to conclude that the company had committed multiple breaches of the GDPR in its role as a processor.
According to the CNIL, the €1 million fine reflects the seriousness of the violations, the scale of the breach, the number of individuals affected, and Mobius Solutions’ turnover. The regulator also opted to publish the decision, underscoring the enforcement significance of the case.
Retaining Deezer User Data After Contract Termination
One of the central findings concerned Mobius Solutions’ failure to delete Deezer’s user data at the end of their contractual relationship, as required under Article 28(3)(g) of the GDPR.
The CNIL determined that the company retained a copy of data relating to more than 46 million Deezer users after the contract had ended. Mobius Solutions argued that three employees had copied the data without the company’s knowledge. The restricted committee rejected that defense, noting that the data was stored in a non-production environment owned by the company and alongside data from other clients.
The CNIL found that, by retaining the data in this manner, Mobius Solutions exposed the individuals concerned to unnecessary security risks and failed to meet its obligations as a processor. A stale copy sitting in a non-production environment, mixed with other clients' data, is precisely the kind of dataset that falls outside the access controls and monitoring applied to production systems, which is why the committee treated the retention itself, and not only the later leak, as the failure.
Using Controller Data Without Instruction
The regulator also concluded that Mobius Solutions breached Article 29 of the GDPR by using Deezer’s data without instruction from the data controller.
The investigation found that the company copied and reused Deezer user data to improve the performance of its own advertising-technology services. Mobius Solutions maintained that such use fell within the scope of the contract and ultimately benefited Deezer. The restricted committee disagreed, finding no contractual provision authorizing the processor to use the data for its own service development without explicit prior instruction.
Missing Records of Processing Activities
A third violation related to record-keeping obligations under Article 30 of the GDPR. Processors are required under Article 30(2) to maintain a record of all categories of processing activities carried out on behalf of each controller, and the CNIL found that Mobius Solutions had failed to do so.
The absence of such records, the authority said, undermined transparency and accountability and further compounded the company’s compliance failures.
GDPR Applicability and CNIL Jurisdiction
Although Mobius Solutions is not established within the European Union, the restricted committee determined that the GDPR nonetheless applied. The processing operations at issue involved analyzing, segmenting, and hosting Deezer user data in ways that amounted to monitoring the behavior of individuals in the EU, bringing the processing within the regulation's territorial scope under Article 3(2)(b).
Because Mobius Solutions does not have an EU establishment, the GDPR’s one-stop-shop cooperation mechanism did not apply. The CNIL therefore asserted jurisdiction to assess the lawfulness of the processing carried out on behalf of Deezer in France.