On January 13, 2026, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) issued two sanction decisions: €27 million against Free Mobile and €15 million against its parent company Free, for a combined penalty of €42 million.

The fines followed a cyberattack in October 2024 that compromised the personal data of 24 million subscriber contracts — including International Bank Account Numbers (IBANs) for customers who held accounts with both entities. More than 2,500 individual complaints were filed following the breach, triggering CNIL’s formal inspection.

The CNIL’s published rationale identifies three distinct GDPR violations. Each represents a category of compliance failure that is widespread in enterprise data governance — not exotic or unusual, but routine. That is what makes this case instructive.


The Breach: What Happened

In October 2024, an attacker succeeded in penetrating Free Mobile’s and Free’s information systems and extracted personal data from subscriber records. The data compromised included:

  • Names, email addresses, and phone numbers
  • Home addresses
  • International Bank Account Numbers (IBANs) — the most sensitive element of the exposure, as IBANs enable direct debit fraud and financial account targeting

The scale — 24 million subscriber contracts — made this one of the largest data breaches in French telecom history. The IBAN exposure was particularly significant: French banking regulators and consumer protection groups flagged the risk that exposed IBANs could be used to initiate unauthorized direct debit mandates, a form of fraud that is difficult for consumers to detect and reverse.


Violation 1: Inadequate Technical Security Measures (Article 32 GDPR)

What the CNIL Found

The CNIL’s inspection identified two specific security failures under Article 32 GDPR, which requires organizations to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Weak VPN authentication for remote access. Free Mobile’s employee remote access infrastructure relied on VPN credentials that did not meet the standard the CNIL determined was appropriate for access to production systems containing personal data of millions of customers. Specifically, the authentication mechanism used was insufficient — the CNIL’s decision indicates that multi-factor authentication was either absent or insufficiently implemented for remote access pathways.

This is the attack vector through which the breach occurred. The attacker exploited inadequate remote access authentication to penetrate the production environment.

Ineffective detection of abnormal activity. The CNIL found that Free Mobile and Free had monitoring and detection capabilities that did not identify the breach in real time or in a timeframe that would have allowed meaningful containment. The attacker moved through the system and exfiltrated data without triggering detection controls that should have been in place.

Why This Matters Beyond the Fine

Article 32’s “appropriate to the risk” standard is not a ceiling — it is a floor. For a telecom company processing financial data (IBANs), payment data, and identity data for tens of millions of customers, the appropriate security standard is high. The CNIL’s application of Article 32 here reflects a judgment that the risk profile of Free Mobile’s data processing required MFA on remote access pathways as a matter of baseline compliance — not as a best practice, but as a legal requirement.

Organizations that have not implemented MFA for all remote access to production systems containing personal data are operating with the same structural vulnerability that produced a €27 million fine. The technical fix is inexpensive relative to the enforcement exposure.

The anomaly detection finding is equally significant. A security program that cannot identify an active breach affecting millions of records in real time is not meeting the “appropriate” standard under Article 32, regardless of what the technical documentation says about controls in place. The CNIL’s finding suggests that paper controls — policies and procedures that are not operationally effective — do not satisfy Article 32.


Violation 2: Excessive Data Retention (Article 5(1)(e) GDPR)

What the CNIL Found

The CNIL found that Free Mobile retained personal data of former subscribers beyond the period that was necessary for the purposes for which it was collected — a violation of Article 5(1)(e), the storage limitation principle.

Specifically, the CNIL found that:

  • Free Mobile had not implemented a systematic process for sorting and deleting former subscriber records when the retention period expired
  • Personal data of former subscribers remained in live production systems beyond what was justified for any lawful purpose, including accounting and legal requirements

The breach affected not just current subscribers but former subscribers whose records should have been deleted or anonymized. This expanded both the volume of data compromised and the severity of the GDPR violation: the company could not have leaked former subscriber data in a breach if it had deleted that data on schedule.

Why This Matters Beyond the Fine

Storage limitation is one of GDPR’s seven foundational data protection principles, but it is consistently the least operationally implemented. Most organizations have data retention policies. Far fewer have operational data deletion processes that actually execute those policies in live systems.

The compliance gap the CNIL identified at Free Mobile is extremely common: a retention policy exists, but the automated deletion or archiving workflows that enforce the policy against actual data in production systems have not been built or maintained. The result is data that lingers in systems indefinitely — available to breach, available to misuse, and available to regulatory inspection.

The operational lesson is direct: data retention compliance requires more than a policy document. It requires:

  1. A data inventory that maps where each category of personal data lives in your systems
  2. Automated workflows that execute deletion or anonymization when the retention period expires
  3. Regular audits confirming that the workflows are operating correctly
  4. Governance processes that flag when new data categories are added to systems without corresponding retention rules

If Free Mobile had deleted former subscriber records on the schedule their retention policy presumably required, those records would not have been in the system to be stolen. Storage limitation is not an abstract compliance principle — it is a concrete security control.
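As an added illustration of the four steps above (not code from Free Mobile, Free or the CNIL decision), a retention enforcement sketch in Python; the field names, data categories and retention periods are constructed placeholders, not the legal periods a French telecom must apply:

```python
# Added example, not Free Mobile's code: retention enforcement in four steps.
# Retention periods below are constructed placeholders, not legal periods.
from datetime import date, timedelta

# Step 1: data inventory -- which record field belongs to which data category.
FIELD_CATEGORY = {"name": "identity", "email": "contact", "phone": "contact",
                  "address": "contact", "iban": "payment", "invoices": "accounting"}
# Days a category may stay in live systems after contract end (placeholder values).
RETENTION_DAYS = {"identity": 365, "contact": 365, "payment": 30, "accounting": 3650}

def expired_fields(rec, today, policy=RETENTION_DAYS):
    """Fields of a former subscriber whose retention period has lapsed."""
    if rec["contract_end"] is None:      # active contract: nothing to delete
        return []
    out = []
    for fld in rec["data"]:
        days = policy.get(FIELD_CATEGORY.get(fld))   # None if no rule exists
        if days is not None and today > rec["contract_end"] + timedelta(days=days):
            out.append(fld)
    return out

def enforce(records, today, policy=RETENTION_DAYS):
    """Step 2: delete expired fields in place; returns an audit trail of actions."""
    trail = []
    for rec in records:
        for fld in expired_fields(rec, today, policy):
            del rec["data"][fld]
            trail.append((rec["sub_id"], fld))
    return trail

def audit(records, today, policy=RETENTION_DAYS):
    """Step 3: after enforcement, no expired field should remain in live data."""
    return [(r["sub_id"], f) for r in records for f in expired_fields(r, today, policy)]

def unmapped_fields(records, policy=RETENTION_DAYS):
    """Step 4: fields with no category or no retention rule (governance gap)."""
    return sorted({f for r in records for f in r["data"]
                   if FIELD_CATEGORY.get(f) not in policy})

def sample_records():
    """Constructed sample data, not real subscriber records."""
    return [
        {"sub_id": "A1", "contract_end": None, "data": {"name": "x", "iban": "FR-PLACEHOLDER"}},
        {"sub_id": "B2", "contract_end": date(2024, 1, 1), "data": {"name": "y", "email": "y@example",
         "iban": "FR-PLACEHOLDER", "invoices": [], "loyalty_tier": "gold"}},
    ]
```

Running `unmapped_fields` before `enforce` surfaces fields such as `loyalty_tier` that were added to the record without a retention rule, which is the gap step 4 is meant to catch.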


Violation 3: Inadequate Breach Notification to Data Subjects (Article 34 GDPR)

What the CNIL Found

Following the breach, Free Mobile and Free sent email notifications to affected subscribers. The CNIL reviewed the content of those notifications and found that they did not satisfy the requirements of Article 34(2) GDPR.

Article 34(2) requires that breach notifications to data subjects contain:

  • A description of the nature of the breach
  • The name and contact details of the data protection officer
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The CNIL’s finding: the notification emails sent by Free Mobile and Free omitted required information — specifically, information that would allow data subjects to understand:

  1. What the consequences of the breach were for them — including the specific risk that exposed IBANs could be used for unauthorized direct debits
  2. What protective measures they should take — including steps to protect their bank accounts, monitor for unauthorized direct debit activity, or request IBAN changes from their banks

The CNIL’s rationale was explicit: a breach notification that does not tell the affected person what the breach means for them and what they should do is not functionally adequate under Article 34, regardless of whether it technically acknowledges that a breach occurred.

Why This Matters Beyond the Fine

Organizations facing a breach typically treat notification as a legal checkbox: notify the DPA within 72 hours, notify affected individuals, retain documentation. The CNIL’s decision makes clear that notification quality — not just notification timing — is a compliance obligation.

An email that says “we experienced a security incident and your data may have been affected” without specifying the nature of the data compromised, the specific risks created, and the specific steps the individual can take to protect themselves is not adequate notification under Article 34.

For breaches involving financial data — IBANs, payment card numbers, account credentials — the consequences are concrete and the protective steps are specific. The notification must reflect that specificity.

For compliance and legal teams drafting breach notification templates: template language that is generic across all breach types is not adequate for breaches with specific financial or identity harm profiles. The template needs to be completed with breach-specific content that answers the question a reasonable person would ask: “What does this mean for me and what should I do?”


The Aggregate Picture: Organizational Failure, Not Technical Failure

Read individually, each of the three violations the CNIL identified is a specific technical or process failure. Read together, they describe an organization that had documented compliance obligations across data security, data retention, and breach response — and failed to operationalize any of them effectively.

The VPN authentication gap is a technical failure — but it is also an organizational failure to have adequately reviewed and tested remote access security for systems processing high-risk data.

The retention excess is an operational failure — but it reflects an organizational failure to have built and maintained the operational infrastructure to execute the stated retention policy.

The notification deficiency is a content failure — but it reflects an organizational failure to have developed breach response playbooks that specify what content a notification must include for specific breach types.

None of these failures require exotic remediation. Multi-factor authentication on remote access is table stakes for enterprise security. Automated data deletion workflows are standard practice in organizations that have taken retention compliance seriously. Breach notification templates that include financial risk information for financial data breaches are basic tabletop exercise outputs.

The €42 million fine represents the regulatory cost of systematic failure to operationalize compliance obligations that were already legally required.


Remedial Orders

Beyond the financial penalties, the CNIL issued remedial orders requiring:

  • Free Mobile and Free to complete their security measure implementation (MFA, anomaly detection) within three months of the decision
  • Free Mobile to complete the sorting and deletion of excess former subscriber data within six months of the decision

These operational remediation requirements are as significant as the financial penalties — they create ongoing supervisory exposure and require Free Mobile to demonstrate, on a regulatory timeline, that the identified failures have been corrected.


The CNIL’s €42 million fine for Free Mobile and Free comes as the EU’s cumulative GDPR enforcement total has passed €7.1 billion since May 2018. France has historically been a mid-tier GDPR enforcer by fine volume, but this case represents one of France’s largest individual enforcement actions and signals that CNIL is now operating at a scale consistent with the most active EU data protection authorities.

For organizations operating in France or processing French resident data, CNIL’s demonstrated willingness to impose substantial fines for operational — not just policy — failures should inform compliance program investment priorities for 2026.

For context on EU regulatory developments that may affect GDPR’s future trajectory, see our analysis of the EU Digital Omnibus simplification proposals.


Sources: CNIL Sanction Decision (January 13, 2026); Bleeping Computer (France fines Free Mobile €42 million over 2024 data breach); The Register (France fines telcos €42M for issues leading to 2024 breach); Kahn Consulting (CNIL’s €42M Free Mobile Fine); The Record from Recorded Future News (French data regulator fines telco subsidiaries); Digital Watch Observatory; ALLNET Law (France’s CNIL Steps up Enforcement). This article is provided for informational purposes only and does not constitute legal advice.