Communications Daily is a service of Warren Communications News.
Subscriber Login

French Telco Will Appeal Massive Fine for GDPR Violations

January 15, 2026 |International Telecom

French telco Free will appeal the "unprecedented" decision of privacy regulator CNIL to fine it and Free Mobile 15 million euros ($17.5 million) and 27 million euros ($31.5 million), respectively, for failing to keep 24 million subscribers' data secure, a spokesperson for Iliad Group, which owns the providers, said in an emailed statement Wednesday. It intends to appeal the decision to France's Supreme Administrative Court, the spokesperson added.

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

Start My Free Preview

In October 2024, an attacker infiltrated the companies' information systems, accessing personal data from an estimated 24 million subscriber contracts, including International Bank Account Numbers (IBAN), when the affected individuals were customers of both providers, CNIL said, according to a translation.

After more than 2,500 complaints from people affected by the breach, CNIL conducted an investigation that found that the telcos failed to comply with several GDPR provisions, it said.

Among other things, the watchdog said it found that the "authentication procedure for connecting to the VPNs of Free Mobile and Free -- used in particular for remote working by the companies' employees -- was not sufficiently robust." It also said measures that the companies used to detect abnormal behavior in its information systems were ineffective.

The fines took into account the financial circumstances of the companies, their failures to comply with essential security principles, the number of people affected, the "highly" personal nature of the data compromised, and the risks arising from leakage of the IBAN data, CNIL said.

"The severity of this decision is unprecedented, and the sanctions imposed are completely disproportionate compared with previous cases relating to cyberattacks," said a spokesperson for parent company Iliad.