24 million customer contracts exposed, €42 million in fines: the CNIL sanctions Free

On January 8, 2026, the French Data Protection Authority (CNIL), through its restricted committee, issued two separate sanction decisions against Free Mobile and Free, imposing administrative fines of €27 million and €15 million respectively.

Beyond the headline figure of €42 million, these decisions deserve closer attention from legal and compliance leaders. The CNIL did not sanction an isolated cyber incident. It sanctioned a systemic breakdown across multiple GDPR obligations, revealing organizational weaknesses rather than technical bad luck.

The regulator’s reasoning is built around three core pillars of the GDPR, whose cumulative failure explains the severity of the penalties.

1. Data security as a continuous duty of care (GDPR Article 32)

The October 2024 cyberattack did not involve particularly sophisticated techniques. Instead, it exposed weaknesses that the CNIL explicitly characterised as basic security failures: insufficient authentication on VPN access, inadequate logging and monitoring, ineffective anomaly detection, and the use of outdated hashing functions for password storage.

The message is clear and consistent with prior CNIL enforcement practice: data security is not a one-time compliance exercise. It is a continuous obligation requiring regular reassessment of technical and organizational measures in light of evolving risks.

Here, the failure to detect the intrusion at an early stage allowed a limited compromise to escalate into a large-scale personal data breach.
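The "outdated hashing functions for password storage" finding in concrete form, as an added example that is not part of the article and is not code examined by the CNIL. It assumes a password store that must move from an unsalted MD5 scheme (the legacy form) to per-user salted scrypt, and it shows the two properties an auditor checks: the legacy scheme yields identical hashes for identical passwords across accounts, while the hardened scheme does not, and legacy records can be upgraded transparently at the next successful login. The record format `scrypt$N$r$p$salt$digest`, the scrypt parameters and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Legacy scheme: unsalted MD5, the kind of outdated hash function
# regulators treat as a basic failure. Kept here only as the "before" form.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme: random per-user salt plus scrypt (Python stdlib, RFC 7914).
# Parameters are an assumption for this example; 2**14/8/1 uses 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32
SALT_BYTES = 16

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Verify against a scrypt record using the parameters stored in it."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str) -> bool:
    """Legacy records carry no algorithm tag; anything not tagged scrypt must migrate."""
    return not stored.startswith("scrypt$")

def login_and_migrate(password: str, stored: str) -> tuple[bool, str]:
    """Check a login and, if the record is legacy and the password is right,
    return an upgraded record to write back. Wrong passwords leave it untouched."""
    if needs_rehash(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (hash_password(password) if ok else stored)
    return verify_password(password, stored), stored

if __name__ == "__main__":
    # Constructed sample data, not from any real account.
    pw = "correct horse battery staple"
    print("legacy hashes collide across users:", legacy_md5(pw) == legacy_md5(pw))
    print("hardened hashes differ per user:", hash_password(pw) != hash_password(pw))
    ok, upgraded = login_and_migrate(pw, legacy_md5(pw))
    print("migrated on login:", ok, upgraded.split("$")[0])
```

The migration path matters in practice: a hash upgrade that requires a forced password reset for every account tends to be postponed, whereas upgrading each record at its next successful login costs nothing and lets a periodic query count how many legacy records remain.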

2. Excessive retention and the risk of "ghost data" (GDPR Article 5(1)(e))

One of the most instructive findings concerns data retention practices, particularly for Free Mobile. The CNIL identified the continued storage of personal data relating to over 15 million terminated customer contracts older than five years, including approximately 3 million contracts terminated more than ten years ago.

In the absence of a clearly documented and legitimate purpose, such data no longer constitutes an operational asset. It becomes a latent legal liability.

This decision reinforces a key compliance principle: data deletion and retention policies are risk management tools, not administrative formalities. Poor data hygiene materially increases exposure in the event of a security breach.

3. Transparency during data breach response (GDPR Article 34)

Although the companies did notify affected individuals through several communication channels, the CNIL found the information provided to be insufficiently precise.

According to the authority, individuals were not adequately informed about:

  • the concrete consequences of the breach,
  • the specific remedial measures implemented,
  • and the actions they could take to mitigate potential harm.

The CNIL reiterates that breach notification is not a reputational exercise. Transparency under Article 34 requires actionable, meaningful, and intelligible information, enabling data subjects to make informed decisions.

Was the fine proportionate?

In determining the amount of the fines, the CNIL applied the framework established by the GDPR and the European Data Protection Board (EDPB) guidelines, taking into account:

  • the gravity and duration of the infringements,
  • the number of affected individuals,
  • the sensitive nature of the compromised data (including IBANs linked to identity data),
  • and the economic capacity of the corporate group as a whole.

This approach, aligned with recent Court of Justice of the European Union case law, reflects a clear enforcement objective: ensuring that administrative fines are dissuasive and not treated as a predictable cost of non-compliance.

Conclusion

These decisions confirm a clear enforcement trend. One may nevertheless observe, with some concern, the speed and severity with which sanctions are imposed on domestic European operators, while enforcement against large transatlantic platforms whose business models rely on systemic data exploitation often appears slower or procedurally more complex.

For corporate leaders, the lesson is straightforward: legal and compliance teams cannot be relegated to crisis response roles. Data governance, retention strategies, and security oversight must be embedded into operational decision-making. Data that is not deleted is risk that remains dormant until it materializes.

Free and Free Mobile have announced their intention to challenge the CNIL’s decisions before the French Council of State (Conseil d’État). The forthcoming ruling will be closely watched, particularly regarding the scope of supervisory authorities’ sanctioning powers and the legal expectations surrounding cyber resilience.


Sources:

https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000053352664

https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000053352643
