Hit with a heavy fine, the mobile operator is accused by the CNIL of not having sufficiently secured the personal data of its subscribers and of not having respected their right of access to this information.
After a period of observation and tolerance, sanctions keep raining down all over Europe on companies that take too many liberties with the GDPR (General Data Protection Regulation), which entered into force on May 25, 2018. The initial objective of this European regulation was to give individuals (and therefore consumers like us) better control over how their personal data is managed and used. And in this area, the major players in tech, e-commerce and telecommunications are no exception, even though they are very well aware of these issues.
Thus, after the 225-million-euro fine imposed on WhatsApp in Ireland and the 746-million-euro fine imposed on Amazon in Luxembourg and France, the CNIL (National Commission for Informatics and Liberties) has, more modestly but just as significantly, imposed on December 28, 2021 a fine of 300,000 euros on the operator Free Mobile, a subsidiary of the Iliad group. The company has two months to appeal this decision to the Council of State. Notably, the independent administrative authority has chosen to make its decision public in order to, it says, “recall the importance of dealing with human rights requests and the security of user data”. After having received several complaints and having initiated an “on-site control and off-site control”, the CNIL accuses Free Mobile of four major failures to apply and comply with the GDPR.
Free Mobile: breaches of the GDPR
The first concerns the right of access of individuals to personal data shared with and collected by the operator (art. 12 and 15 of the GDPR). In the second, Free Mobile is accused of having continued to send commercial solicitations to people who had expressed the wish not to receive any more (art. 12 and 21 of the GDPR). The CNIL also noted that Free Mobile had “continued to send plaintiffs invoices for telephone lines whose subscriptions had been terminated” (art. 25 of the GDPR). Finally, the CNIL was able to establish that the operator Free Mobile (whose subscriber base is now made up of more than 13 million customers) had failed in its obligation to ensure the security of the personal data of said customers, transmitting “by email, in plain text, the passwords of users when they subscribe to [a mobile telephony] offer, without these passwords being temporary and [without] the company requiring that they be changed” (art. 32 of the GDPR).
To justify the amount of the fine applied to Free Mobile, the CNIL says it took “into account the size and financial situation of the company”. In 2020, the Iliad group’s mobile telephony activities recorded a turnover of 2.123 billion euros. As stated by the CNIL on its website, “with the GDPR (General Data Protection Regulation), the amount of financial penalties can be up to 20 million euros or, in the case of a company, up to 4% of annual turnover worldwide.” The Iliad group, parent company of Free Mobile, is present in France, Italy and Poland.