On 8 January 2026, the National Commission for Information Technology and Civil Liberties (CNIL) imposed fines of EUR 27'000'000 on FREE MOBILE and EUR 15'000'000 on FREE following an investigation into data security breaches. The sanctions resulted from an October 2024 cyberattack that exposed personal data tied to 24'000'000 subscriber contracts, including International Bank Account Numbers (IBAN). The CNIL identified failures to implement basic security measures, such as robust authentication for remote work virtual private networks (VPNs) and effective detection of abnormal system activity, in violation of Article 32 of the General Data Protection Regulation (GDPR). Both companies were found to have provided incomplete information to affected users under Article 34 of the GDPR, preventing individuals from understanding the breach's consequences and the protection measures. FREE MOBILE was also found to have violated Article 5(1)(e) of the GDPR by retaining millions of former subscribers' records for excessive periods without justification. The Restricted Committee ordered both entities to complete security enhancements within 3 months, while FREE MOBILE must finalise its data purging and sorting process within 6 months.