France’s Data Watchdog Fines Free Mobile €42 Million Over Massive 2024 Subscriber Data Breach

In January 2026, France’s data protection authority, Commission nationale de l’informatique et des libertés (CNIL), imposed combined fines totaling €42 million on French telecom operator Free Mobile and its parent company Free (Free SAS). The sanctions followed a major 2024 data breach that exposed serious shortcomings in the companies’ data protection and cybersecurity practices, in violation of European privacy law.

Under the CNIL’s decision, Free Mobile was fined €27 million, while Free SAS received a €15 million fine. Together, these penalties reflect the gravity of the incident, the scale of the data affected, and multiple breaches of obligations under the General Data Protection Regulation (GDPR). The regulator emphasized that telecom operators handle particularly sensitive personal data and are therefore expected to meet especially high security and governance standards.

Details of the 2024 data breach

The breach occurred in October 2024, when attackers gained unauthorized access to internal systems used by Free Mobile and its parent company. Investigators found that a compromised management tool was used as an entry point, allowing attackers to extract personal data belonging to approximately 23–24 million subscribers. The exposed information included names, contact details, and, for a significant number of customers, international bank account numbers (IBANs)—data considered highly sensitive due to the financial risks it poses.

According to the CNIL’s findings, the breach was not the result of a single isolated failure but rather a combination of inadequate cybersecurity defenses, weak authentication mechanisms, and poor handling of credentials and remote access. These weaknesses made it easier for attackers to move within internal systems and to access large volumes of personal data without being detected quickly.

GDPR violations identified by CNIL

Following an in-depth investigation, the CNIL concluded that the companies violated several core GDPR provisions:

  • Article 32 (Security of processing): The regulator found that technical and organizational measures were insufficient. Weak monitoring and access controls failed to prevent or promptly detect unauthorized access.
  • Article 34 (Communication of a personal data breach): Notifications sent to affected customers lacked clear and actionable information about potential risks, limiting individuals’ ability to take protective measures.
  • Article 5(1)(e) (Storage limitation): Free Mobile retained personal data belonging to former customers for longer than necessary, without adequate justification or clear retention policies.

Regulatory orders and wider impact

In addition to the financial penalties, the CNIL issued binding corrective orders. The companies were instructed to fully implement enhanced security measures within three months and to complete the review, sorting, and deletion of excessive or outdated customer data within six months.

The case followed thousands of complaints from affected individuals and serves as a strong signal of Europe’s continued commitment to enforcing GDPR rules. It highlights the growing regulatory expectation that organizations—especially those handling data at massive scale—must treat data protection not as a formality, but as a core operational responsibility.