The CNIL has just imposed a fine on Free. Reasons: the operator did not comply with the GDPR, by poorly securing the personal information of its subscribers… and by recycling Freeboxes still containing data from former users!
Free is once again in the sights of the National Commission for Computing and Liberties (CNIL). After being sentenced in January 2022 by the digital policeman to pay a fine of 300,000 euros for not having sufficiently secured the personal data of its subscribers and not having respected their right of access to this information, the operator is doing it again, for similar reasons. In a decision made public on December 8, 2022, the CNIL revealed that it had received 41 complaints from customers between October 2018 and November 2019 – only 10 of them were retained within the framework of the procedure – for not having respected the GDPR (General Data Protection Regulation). After investigation, it found several shortcomings, “in particular the rights of data subjects (right of access and right of erasure) as well as data security (weak password robustness, storage and transmission of passwords in plain text, recirculation of approximately 4,100 badly reconditioned “Freebox” boxes)”.
Free and the GDPR: poorly protected subscriber data
The CNIL has identified several breaches of the GDPR on the part of Free. First of all, the operator did not respect its customers’ right of access, since it did not follow up on their various requests and complaints within the stipulated time, or else gave them incomplete answers. As a result, it also failed to respect their right to erasure. Then, the digital policeman raised a breach of the obligation to ensure the security of personal data, which itself covers several problems.
For the administration, the passwords generated when creating a user account on the company’s website, during a recovery procedure or during a password renewal were too weak, and all the passwords generated during registration were stored in plain text in the company’s subscriber database. In addition, these passwords, as well as those associated with the “free.fr” e-mail accounts, were sent by post or by e-mail in plain text, without requiring them to be changed and without limiting their validity in time. Imagine the panic if someone intercepted the message! Note, however, that Free has partially corrected this problem: since the beginning of the year, it has offered its fixed-line and mobile subscribers a link to reset their password on demand.
Freebox: boxes with personal files out in the wild
But subscriber passwords aren’t the only information that isn’t secure. Another complaint from the CNIL concerns Freeboxes that were not reconditioned according to the rules of the art. Indeed, as with all operators, Free regularly takes back boxes, either following a malfunction – a breakdown due to lightning, for example – or following the departure of subscribers. However, models containing a hard drive, such as the Freebox Revolution, retain the various data stored by their users – videos, photos, music, TV recordings but also sometimes personal and confidential documents – since they can be used as a network storage server. The commission noted that some 4,100 Freeboxes had been badly reconditioned, without the data of their former users being erased before they were put back into circulation. As a result, subscribers who receive these boxes end up with potentially sensitive files from former customers…
In its defense, the company argued that the “seriousness of this incident must be nuanced given the nature of the data usually stored on the Freeboxes”. An opinion the CNIL clearly does not share, considering “that this common usage does not rule out the possibility that some of the badly refurbished Freebox boxes contain personal photos or videos, which have a highly personal character.” Finally, the documentation drawn up by the operator did not make it possible to know all the measures taken to remedy this incident, which constitutes a breach of the obligation to document a personal data breach.
It is therefore because of all these offenses that the CNIL announced, on November 30, 2022, that it had imposed a fine of €300,000 on Free. This amount takes into account the size and financial situation of the company and the fact that it took measures during the procedure to correct the shortcomings. The Commission also ordered it to bring its handling of individuals’ right-of-access requests into compliance and to provide proof of this within 3 months, under penalty of having to pay 500 euros per day of delay. The decision was made public because of “the need to recall the importance of processing personal rights requests and securing user data”. Let’s hope that the operator has finally learned the lesson!