On 21 July 2022, the Commission nationale de l'informatique et des libertés (CNIL) adopted the recommendation relating to passwords and other shared secrets. Data controllers use passwords or other non-shared secrets to protect access to the personal data they store, and the recommendation outlines the technical and organisational measures they have to implement to ensure compliance with Article 32 of the General Data Protection Regulation (GDPR). In particular, the recommendation states that the passwords used by data controllers should have sufficient length and complexity, equivalent to an entropy of 80 bits, and that measures should be adopted to ensure the security of the password throughout its lifecycle. Entities using password-based authentication are required to establish a password management policy. Furthermore, the recommendation states that data controllers subcontracting other organisations for data processing must clearly define and formalise the roles and responsibilities to ensure the required level of security. Data controllers are also required not to store passwords in clear text, and in case they do, they must implement additional authentication measures. Finally, the recommendation states that in case of a security breach, the entity must inform the person concerned and allow them to renew their password.
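The two measurable requirements in the summary above are the 80-bit entropy target and the ban on clear-text storage. The following Python script is an added example, not part of the CNIL recommendation or of any official tooling: it computes the entropy of a password policy (minimum length times log2 of the allowed alphabet), derives the minimum length needed to reach 80 bits for a given alphabet, and shows salted PBKDF2 storage with constant-time verification so that only a hash, never the clear-text password, is kept. The character-class sizes, the iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Iterable, Optional, Tuple

# --- Entropy side: does the policy reach the 80-bit target? -----------------

# Character classes a policy may require, with the alphabet size each adds.
# Sizes are for printable ASCII (32 symbols); they are an assumption of this example.
CHARACTER_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

TARGET_BITS = 80.0  # the entropy figure cited by the recommendation


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float = TARGET_BITS) -> int:
    """Smallest length whose uniform entropy reaches target_bits for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def policy_entropy_bits(min_length: int, classes: Iterable[str]) -> float:
    """Entropy a policy guarantees when it requires min_length chars from these classes."""
    alphabet = sum(CHARACTER_CLASSES[c] for c in set(classes))
    return uniform_entropy_bits(min_length, alphabet)


def meets_target(min_length: int, classes: Iterable[str]) -> bool:
    return policy_entropy_bits(min_length, classes) >= TARGET_BITS


# --- Storage side: never keep the clear-text password ----------------------

# Work factor for PBKDF2-HMAC-SHA256; an illustrative assumption, not a CNIL figure.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Minimum length per alphabet to reach 80 bits of uniform entropy.
    for name, size in {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 94}.items():
        print(f"{name:16s} alphabet={size:3d} -> min length {min_length_for_bits(size)}")
    # A common policy (12 chars, mixed case + digits) falls short of 80 bits.
    print("12 chars, upper+lower+digit:", round(policy_entropy_bits(12, ["lower", "upper", "digit"]), 1), "bits")
    # Constructed sample credential, hashed and verified without storing the clear text.
    salt, digest = hash_password("correct horse battery staple")
    print("stored salt:", salt.hex(), "digest:", digest.hex()[:16] + "...")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
```

Note that `policy_entropy_bits` assumes uniformly random choice; human-chosen passwords carry far less entropy than the alphabet arithmetic suggests, which is why length requirements are a lower bound and why the stored form must resist offline guessing regardless.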