France's data protection authority (CNIL) has issued two sanction decisions against Free Mobile and Free, imposing fines of €27 million and €15 million respectively, citing inadequate security measures for subscriber data.

CNIL's summary links the sanctions to a 2024 security incident that resulted in unauthorised access to subscriber data, and highlights shortcomings in the measures implemented to ensure confidentiality and integrity.

The enforcement action illustrates that GDPR 'security of processing' obligations are being assessed through concrete controls, including access management and the ability to detect abnormal behaviour in information systems.

Acompli perspective: Security enforcement often turns on fundamentals: strong access controls, monitoring, and the ability to evidence what was implemented at the time of the incident, not what was planned. A regulatory fine of this scale illustrates why proactive compliance risk management and thorough processing activity records are essential.