CNIL (France) - SAN-2026-002
CNIL fines Free €15M for insufficient VPN security and incomplete breach notifications.
Summary
France's CNIL issued a €15,000,000 fine to Free, a landline telephone operator, for violations of GDPR Articles 32 and 34 following a 2024 data breach affecting over 7 million subscribers. The DPA found that Free failed to implement sufficient security measures for VPN user authentication, lacked adequate anomaly detection mechanisms, and failed to provide complete breach information to affected data subjects. An additional compliance order was issued with a €25,000 per-day penalty for non-compliance.
Full text
CNIL - SAN-2026-002 (GDPRhub entry; latest revision 14:42, 23 April 2026)
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 32 GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 08.01.2026
Fine: 15,000,000 EUR
Parties: Free
National Case Number/Name: SAN-2026-002
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: dt

The DPA issued a €15,000,000 fine to a landline telephone provider for insufficient security measures and for failing to provide all necessary information to data subjects following a data breach affecting 7 million data subjects.

English Summary

Facts
Free is a landline telephone operator (the controller) in France. A data breach took place in 2024 affecting two companies: Free Mobile, a mobile phone operator from the same group, and the controller. The breach affected over 7 million of the controller's subscribers. Following the breach, the controller notified the DPA and informed the affected subscribers of the incident. Subsequently, the DPA launched an investigation into the controller.
Holding
Firstly, the DPA found that the controller had failed to put in place sufficient security measures for the authentication of users to its Virtual Private Network (VPN), which allowed a malicious actor to connect to it. Moreover, the DPA noted that the mechanism in place for detecting abnormal activity in the system was inadequate. The DPA therefore found a violation of Article 32 GDPR. Secondly, the DPA found that the controller had violated Article 34 GDPR by failing to provide all the necessary information regarding the breach to the data subjects. The DPA therefore fined the controller €15,000,000 for breaches of Article 32 GDPR and Article 34 GDPR. In addition, the DPA ordered the controller to bring its processing into compliance with the GDPR, subject to a penalty payment of €25,000 per day of delay if it failed to comply with the order.

Comment
This decision concerns the same data breach that affected Free Mobile, a company of the same group, which led to a €27,000,000 fine for Free Mobile in CNIL decision SAN-2026-001.

English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision SAN-2026-002 of January 8, 2026
National Commission for Information Technology and Civil Liberties (CNIL)
Nature of the decision: Sanction
Legal status: In force
Date of publication on Légifrance: Wednesday, January 14, 2026
Decision of the restricted panel No. SAN-2026-002 of January 8, 2026, imposing a financial penalty on the company FREE

- The sections of the decision containing personal data or secrets protected by law are replaced by the symbol […] -

The National Commission for Information Technology and Civil Liberties, meeting in its restricted panel composed of Mr. Philippe-Pierre CABOURDIN, Chairman, Mr. Vincent LESCLOUS, Vice-Chairman, Ms. Laurence FRANCESCHINI, Ms. Isabelle LATOURNARIE-WILLEMS and Mr. KLING, Members,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Having regard to Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, in particular Articles 20 et seq.;
Having regard to Decree No. 2019-536 of 29 May 2019 implementing Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties;
Having regard to Resolution No. 2013-175 of 4 July 2013 adopting the Rules of Procedure of the National Commission for Information Technology and Civil Liberties;
Having regard to Constitutional Council Decision No. 2025-1154 QPC of August 8, 2025;
Having regard to Decision No. 2024-205C of November 6, 2024, by the President of the National Commission for Information Technology and Civil Liberties (CNIL) instructing the Secretary General to conduct or have conducted an audit;
Having regard to the decision of the President of the CNIL appointing a rapporteur to the restricted panel on July 24, 2025;
Having regard to the report of Mr. Tarissan, rapporteur, notified to the company on July 25, 2025;
Having regard to the written observations of FREE received on September 15, 2025;
Having regard to the rapporteur's response notified to FREE on October 15, 2025;
Having regard to the written observations of FREE received on November 17, 2025;
Having regard to the closure of the investigation notified to FREE on November 18, 2025;
Having regard to the request for a closed hearing made on September 15, 2025, and refused on December 3, 2025;
Having regard to the oral observations made during the hearing of the restricted panel on December 15, 2025;
Having regard to the written submission filed by the company on December 19, 2025;
Having regard to the other documents in the file,

The following were present at the hearing of the restricted panel on December 15, 2025:
- Mr. Tarissan, Commissioner, who presented his report;
As representatives of FREE:
- […]

The Chairman, having verified the identity of the company's representatives, outlined the proceedings and reminded the company that it could, if it wished, present introductory oral observations or answers to questions from the members of the restricted panel. FREE, having been informed of its right to remain silent regarding the allegations against it, was given the last word.

After deliberation, the following decision was adopted:

I. Facts and Procedure

1. The ILIAD Group, specializing in telecommunications in Europe, has more than 50.2 million subscribers. The French company ILIAD is the parent company of the group of the same name. It wholly owns FREE (hereinafter "the Company"), which operates as a fixed-line telephone operator and had approximately 7.6 million fixed-line subscribers as of December 31, 2024. In 2024, ILIAD's revenue was €10.024 billion, with a net profit of €367 million.

2. On October 21, 2024, FREE was alerted by an attacker who had infiltrated FREE MOBILE's information system to a breach of subscriber data belonging to both companies. Following this alert, FREE conducted investigations that confirmed the occurrence of a data breach (hereinafter "the data breach in question"). This breach lasted from September 28 to October 22, 2024.

3. Through its subsidiary FREE MOBILE, FREE notified the French Data Protection Authority (CNIL) of this data breach on October 23, 2024, and supplemented this notification on November 5, 2024. Furthermore, it informed the affected individuals of the data breach by email, staggered between October 24 and 29, 2024, to avoid overloading its email servers.

4. As of the date of notification of the sanction report, the CNIL had received 2,614 complaints from individuals affected by this data breach.

5. By Decision No. 2024-205C of November 6, 2024, the Chair of the Commission instructed the Secretary General to conduct or have conducted an audit to verify compliance with Law No. 78-17 of January 6, 1978, as amend