The CNIL fines Free €300,000 for failing to secure user data

The CNIL, the National Commission for Computing and Liberties, has just imposed a fine of €300,000 on Free. The institution accuses the operator of several shortcomings concerning the rights of access and erasure of users’ personal data.

Following Discord's fine of 800,000 euros for non-compliance with the GDPR, the CNIL has decided to sanction the operator Free for several breaches of the General Data Protection Regulation. In a press release published on December 8, 2022, the National Commission for Computing and Liberties explains that it imposed a fine of 300,000 euros on Free after finding several breaches relating to the rights of individuals and the security of users’ personal data.

After receiving complaints from several individuals, the CNIL carried out several checks. They revealed many shortcomings, particularly regarding users' rights of access to and erasure of their personal data. The operator did not respond to the complainants' requests within the regulatory deadlines. Nor did the company process the complainants’ data erasure requests within the time limits imposed by the GDPR.

Serious data security breaches

The CNIL also points to failures in the security of customer data. According to the institution's investigation, the passwords generated when a user account was created, or during a recovery or renewal procedure, were not strong enough. On top of this, all the passwords generated for the creation of a user account were stored in plain text in a database…

To top it all off, user passwords were sent by email or by ordinary mail when accounts were created on the website. This failure is all the more worrying because these were not temporary passwords. Finally, the CNIL found that Free had put 4,100 Freebox boxes back into circulation without properly reconditioning them. In other words, these boxes still contained data belonging to previous subscribers, such as personal photos and videos.

In addition to the fine, the CNIL requires Free to bring its handling of access and erasure requests into compliance within 3 months, under penalty of €500 per day of delay. For its part, the operator criticized the CNIL's decision in the columns of Le Monde. Free finds it harmful that the CNIL “sanctions past facts, which occurred during the first months of the entry into force of the GDPR (2018-2019) and ensures that the measures necessary to bring the company into compliance have been taken since the facts”. The internet troublemaker adds that it is studying “the follow-up to be given to this decision”. As a reminder, the CNIL had already called out Free Mobile for breaches of the GDPR in January 2022.