Data security and individual rights: FREE fined 300,000 euros

08 December 2022

On November 30, 2022, the CNIL imposed a penalty of 300,000 euros on FREE, in particular for not respecting the rights of individuals and the security of its users' data.

Background information

The CNIL received several complaints concerning the difficulties encountered by individuals in having their requests for access to and deletion of their personal data taken into account by the French phone operator FREE.

Investigations revealed several infringements, in particular regarding the rights of data subjects (right of access and right to erasure) and of data security (weak passwords, storage and transmission of passwords in clear text, return into circulation of approximately 4,100 poorly reconditioned Freeboxes).

As a result, the restricted committee - the CNIL's body in charge of issuing sanctions - imposed a fine of 300,000 euros on FREE and decided to make its decision public. It also ordered the company to comply with its obligations regarding the management of requests of access by individuals and to justify its compliance within three months of the notification of the decision, subject to a penalty payment of 500 euros for each day overdue.

This sanction takes into account the nature and seriousness of the infringements, the categories of personal data concerned by these breaches and the size and financial situation of the company. Its publicity is justified by the need to recall the importance of dealing with the rights of individuals and of securing users' data.

Breaches sanctioned

The CNIL found four breaches of the GDPR by FREE.

A failure to respect the right of access of individuals to data concerning them (Art. 12 and 15 of the GDPR), as the company did not respond to the complainants' requests in time or gave them an incomplete answer regarding the source of their data.

A failure to respect the right to erasure of individuals (Art. 12 and 21 of the GDPR), as the company did not process the complainants' requests in time.

A failure to ensure the security of personal data (Art. 32 of the GDPR), since:

  • the password generated when creating a user account on the company's website, during a recovery procedure or when renewing the password was insufficiently strong;
  • all passwords generated when a user account was created on the company's website were stored in plaintext in the company's subscriber database;
  • the users' passwords were transmitted by the company by e-mail or post, in clear text, to the users when they created their account on the website, without these passwords being temporary and without the company requiring them to be changed. Similarly, the password associated with the "free.fr" e-mail account was transmitted by the company by e-mail or post to the user and indicated in clear text in the body of the message;
  • the technical and organisational measures of the reconditioning process did not prevent approximately 4,100 Freeboxes held by former subscribers from being reallocated to new customers without the data of these former subscribers, that would have been stored on them, being properly erased. This data could be photos, personal videos or recordings of television shows.

A failure to comply with the obligation to document a personal data breach (Art. 33 of the GDPR), since the documentation established did not allow to be aware of all the measures taken to remedy the incident relating to the reconditioning of the Freeboxes.

The CNIL's restricted committee issued an order to comply with the right of access. The restricted committee considered that the company had taken measures, during the procedure, to comply with all the other breaches identified.