Faced with the scale of the latest hack of Free, the CNIL opened an investigation to detect possible breaches of the GDPR. Following its initial findings, it has just launched a procedure that can lead to sanctions.

The case had caused a stir, and for good reason: at the end of October 2024, Free had suffered a massive data leak, affecting no fewer than 19 million customers (see our article). The hackers had seized very complete personal information records, opening the door to all kinds of scams, from identity theft to diversion. And that's not all: millions of IBANs, in other words bank account details, had also been compromised. The consequences are already being felt, since personalized campaigns targeting the operator's subscribers are on the rise.

The case was so serious that the authorities took it up. The National Commission for Data Protection (CNIL) has looked into the file and carried out an inspection at Free's premises, in order to verify whether the operator had taken appropriate measures to protect subscribers' private information. The initial findings of the investigation seem to point towards a breach of the GDPR, and therefore towards a possible sanction.

Free hack: risk of sanctions by the CNIL

Faced with the enormous risks that the leak of personal data poses for Free subscribers, the authorities have opened an investigation and invited the victims to file a complaint. Those who have done so are currently receiving an e-mail from the CNIL informing them of the progress of the case. This e-mail, shared by researcher Clément Domingo on his X account, indicates that the control procedure has been opened and that the elements collected have been the subject “of an in-depth analysis at the end of which the president of the CNIL decided to initiate one of the sanction procedures provided for by law”. The authority relies here on Law No. 78-17 of January 6, 1978, which governs the protection of personal data in France and provides for sanctions in the event of breaches, and more particularly on article 22.

As part of this procedure, the CNIL appointed a rapporteur to bring the file before the organization's restricted committee, which is responsible for sanctions. The rapporteur will have to collect evidence on “Contributions to the GDPR” and present it in the form of a report, which should take six or seven months. This will then determine whether or not Free is sanctioned, with penalties that can range from a simple call to order to an administrative fine of 20 million euros or 4% of the company's annual turnover. The operator could be forced to correct the shortcomings noted in a timely manner, under penalty of new sanctions. This already happened in 2022, when the operator received a fine of €300,000 for having mishandled the personal information of its subscribers and for having recycled Freebox units still containing data from former users!
