GDPR: the CNIL fines Free again


Free is a repeat offender in the eyes of the CNIL. After being fined 300,000 euros last January for its mobile telephony business (Free Mobile), the telecom operator has been fined a similar amount, this time for its fixed-line telephony entity (Free).


The first warning does not seem to have been sufficient, since the breaches of the European General Data Protection Regulation (GDPR) found by the supervisory authority closely resemble those found at the start of the year. The CNIL first received several complaints from customers who had difficulty getting their rights of access to, and erasure of, their personal data honoured.

In breach of Articles 12 and 15 of the GDPR, Free either did not respond to users requesting access to their personal data or gave them an incomplete response.

The obligation to honour the right to erasure falls, this time, under Article 17 of the GDPR. Also known as the "right to be forgotten", it guarantees people who request it, provided the request is legitimate, that their data will be permanently deleted from all of the data controller's systems, and this within one month of the request (Article 12 allows an extension of two further months for complex or numerous requests).

Insufficiently secure passwords

The other shortcomings observed are even more sensitive, since they concern the security of personal data itself. During its checks, the CNIL observed that "the password generated when creating a user account on the company's website, during a recovery procedure or when renewing the password, was insufficiently robust".

When an account was created on the operator's site, the password was sent "in plain text" to the subscriber, by e-mail or post, without it being temporary and without Free requiring it to be changed. The password for the subscriber's free.fr e-mail account was communicated in the same way.

Password storage in the information system was no better. "All of the passwords generated when creating a user account on the company's website were stored in plain text in the company's subscriber database", the CNIL notes.
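The two findings above (a non-temporary, plainly delivered password, and plaintext storage in the subscriber database) are best seen side by side with the practice that avoids them. The following is an added illustration written for this page, not code from Free or from the CNIL's decision; the in-memory "subscriber database", the account names and the password policy thresholds are constructed assumptions. It issues a CSPRNG-generated one-time password, stores nothing but a salted scrypt hash of it, and flags the account so that the first successful login must be followed by a password change.

```python
"""Added example: issuing and storing subscriber passwords.

The weak pattern (the password itself written into the subscriber table) is
shown beside a hardened one: a temporary password from a CSPRNG, stored only as
a salted scrypt hash, with a must_change flag enforced at first login.
Constructed example; the "database" is a plain dict.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}  # about 16 MiB of memory per hash
MIN_LENGTH = 12  # assumed policy threshold


def weak_create_account(db: dict, login_name: str, password: str) -> None:
    """The pattern the CNIL sanctioned: the password lands in the table as-is."""
    db[login_name] = {"password": password}


def generate_temporary_password(length: int = 16) -> str:
    """Random password from the secrets module (never random.random())."""
    if length < MIN_LENGTH:
        raise ValueError(f"temporary passwords must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str) -> dict:
    """Salted scrypt hash; the record keeps salt, parameters and digest only."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return {"kdf": "scrypt", **SCRYPT_PARAMS, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
                            dklen=32, n=record["n"], r=record["r"], p=record["p"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def create_account(db: dict, login_name: str) -> str:
    """Hardened: return the one-time password for out-of-band delivery; store only its hash."""
    temp = generate_temporary_password()
    db[login_name] = {**hash_password(temp), "must_change": True}
    return temp


def login(db: dict, login_name: str, password: str) -> str:
    """Return 'invalid', 'must_change' (credentials accepted, change required) or 'ok'."""
    record = db.get(login_name)
    if record is None or not verify_password(password, record):
        return "invalid"
    return "must_change" if record["must_change"] else "ok"


def change_password(db: dict, login_name: str, current: str, new: str) -> bool:
    """Replace the temporary password; rejects a wrong current password, a short or an unchanged one."""
    record = db.get(login_name)
    if record is None or not verify_password(current, record):
        return False
    if len(new) < MIN_LENGTH or new == current:
        return False
    db[login_name] = {**hash_password(new), "must_change": False}
    return True


if __name__ == "__main__":
    subscribers: dict = {}
    temp = create_account(subscribers, "subscriber-42")
    print("status after first login:", login(subscribers, "subscriber-42", temp))
    change_password(subscribers, "subscriber-42", temp, "a-longer-chosen-passphrase")
    print("status after change:", login(subscribers, "subscriber-42", "a-longer-chosen-passphrase"))
    print("stored record:", subscribers["subscriber-42"])
```

Two points worth noting in the design: the temporary password returned by create_account is the only copy that ever exists, so the delivery channel (e-mail, post) is the sole exposure and it expires at first login; and verify_password reads the KDF parameters back from the record, so the work factor can be raised later without invalidating existing hashes.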

0.004% of Iliad’s turnover

Vigilance on the hardware side was no better. Around 4,100 refurbished Freebox units were reassigned to new customers without the previous subscribers' data having been properly erased. The boxes still contained personal photos and videos, as well as recordings of television programmes.

Free now has three months to comply with the right of access. Failing that, the company will incur a penalty of 500 euros per day of delay. As for the other shortcomings, the commission found that the operator had taken the corrective measures needed to bring itself into compliance during the proceedings.

It should be noted that the amount of the sanction corresponds to only 0.004% of the consolidated turnover of the Iliad group, Free's parent company. In 2021 that turnover came to 7.587 billion euros, up more than 29% year-on-year. For the record, for the most serious breaches the CNIL may impose an administrative fine of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.

Operators and sensitive data

Given its activity, a telecom operator handles a large amount of sensitive data, and the Iliad group, founded by Xavier Niel, is not the only one to have been sanctioned by the CNIL. Four years ago, in December 2018, the data protection regulator imposed a fine of 250,000 euros on the operator Bouygues Télécom for a "breach of customer data security".

A vulnerability made it possible to access the contracts and invoices of customers of B&You, the operator's low-cost offer, "by simply modifying a URL address on the Bouygues Telecom website". The data of more than two million subscribers was thus accessible online "for more than two years". At the time (the case predated the entry into force of the GDPR) it was a record fine for a French company.
