Last fall, Free was the victim of a cyberattack. Hackers managed to steal the data of 19 million subscribers and five million IBAN addresses. This massive data leak quickly led to a wave of scams targeting the operator's customers.
Several weeks after the incident, the French National Commission for Information Technology and Civil Liberties (CNIL) inspected Free's premises. During a series of inspections, the data protection agency verified that Xavier Niel's company had taken adequate measures to protect subscribers' private information.
Free faces sanctions following data theft
A few months later, the case could lead to sanctions. Contacted by us, the CNIL indicated that it had decided to initiate sanctions proceedings against Free. The data protection agency relies on Law No. 78-17 of January 6, 1978, which governs the protection of personal data in France and provides for sanctions in the event of breaches, notably via Article 22.
As part of this procedure, the CNIL has just appointed a rapporteur, i.e., a member of the agency's board responsible for investigating the case. This person will "present the case before the CNIL's restricted committee," which is responsible for imposing sanctions. The rapporteur will have to collect evidence of "GDPR breaches" and present them in the form of a report.
It is this report that will determine whether Free will be subject to sanctions. This is a key step in the CNIL's sanction procedure. As the agency points out, the restricted committee must still determine whether Free has indeed failed to its data protection obligations.
What sanctions against Free?
In the event of proven failures, Free could be subject to a simple warning or an administrative fine, which could be up to 20 million euros or 4% of annual turnover. The CNIL can also order Free to correct the shortcomings noted by its teams within a given timeframe. In the event of delay, the operator risks a further fine.
The CNIL has already sanctioned Free for failings in the management of its subscribers' personal data. The operator was fined €300,000 in 2022. The proceedings against Free come as part of an increase in CNIL controls. This tightening of the screws should allow the agency to respond to the explosion of data leaks in France.
0 Comments