Free Mobile/Free fined €42M: lessons for your 72h GDPR response
CNIL fines Free Mobile (€27M) and Free (€15M) after a breach affecting 24M contracts. Priorities: security (Art. 32), content of authority notifications (Art. 33) and of communications to individuals (Art. 34).
In January 2026, CNIL fined Free Mobile €27M and Free €15M after a breach affecting 24 million contracts. Key takeaway: security (Art. 32), information to individuals (Art. 34) and the content of the notification (Art. 33) are scrutinized word for word.
The case
On 13 January 2026, CNIL issued two penalty decisions against Free Mobile (€27M) and Free (€15M), following an intrusion disclosed in October 2024 that exposed data linked to 24 million subscriber contracts, including IBANs for some customers common to both companies. The restricted committee found:
- a failure to comply with Article 32 GDPR (security measures deemed insufficient, notably weak VPN authentication and «ineffective» detection of abnormal behavior),
- a failure to comply with Article 34 GDPR (incomplete content of communications to individuals),
- and, for Free Mobile, a breach of the storage limitation principle (Art. 5(1)(e)).
Official references: CNIL press release of 14/01/2026 and decisions SAN‑2026‑001 and SAN‑2026‑002 of 08/01/2026 published on Légifrance. See the summary and links to the decisions: CNIL, Data breach: €42M fine against FREE MOBILE and FREE (with links «Délibération SAN‑2026‑001» and «SAN‑2026‑002»). (cnil.fr)
Legal reasoning
- Article 32 GDPR (security): CNIL reiterates that measures must be «appropriate» to the actual risk. Here, the volume and nature of data (including IBANs) required robust VPN access authentication (phishing-resistant MFA), effective monitoring, and operational anomaly detection. (cnil.fr)
- Article 34 GDPR (communication to individuals): the information email lacked elements required by Art. 34(2), which explicitly refers to the minimum content in Art. 33(3)(b)-(d) (nature of the breach, approximate categories/volumes, likely consequences, measures taken and proposed, and a contact point). In other words, a «generic» message that does not help subscribers protect themselves (e.g., concrete risks of IBAN abuse, expected hygiene measures) is sanctionable. Reference text: GDPR on EUR‑Lex (Arts. 33 and 34). (eur-lex.europa.eu)
- Article 33 GDPR (notification to the authority within 72h): although the decision focuses on Arts. 32 and 34, it illustrates the coherence of the 32‑33‑34 triptych: notification to the authority must occur «without undue delay and, where feasible, not later than 72 hours after having become aware of it» (Art. 33(1)), and include the elements of Art. 33(3). To harmonize and structure these contents, the EDPB adopted on 10 June 2026 a common breach notification template for authorities and organizations. See EDPB – Template for personal data breach notification (10/06/2026). (edpb.europa.eu)
- EDPB Guidelines: to assess when to notify and what to say, the Guidelines 01/2021 (Examples regarding Personal Data Breach Notification) provide useful real-life cases (ransomware, credential leaks, misdirected attachments, etc.). (edpb.europa.eu)
- CNPD (Luxembourg) position: CNPD recalls the obligation to notify if the risk to individuals is at least «plausible», and clarifies the internal organization expected from controllers/processors to meet the 72h deadline («without undue delay») from awareness. See CNPD’s «Data breaches (GDPR)»: CNPD – Data breaches. (cnpd.public.lu)
For a compact refresher on the provisions at stake, see our page on the GDPR and notification requirements.
What this changes in practice
For executives, DPOs and CISOs in Luxembourg (and cross-border), this case confirms three operational requirements:
- Design realistic «72h» playbooks. The deadline is achievable only if you have:
  - effective detection (SIEM/EDR with correlation and meaningful alerts) and an awareness procedure that clearly sets the point at which the organization «becomes aware» (Art. 33 trigger). In practice, a managed SOC for incident detection helps secure this milestone,
  - a notification core based on Art. 33(3) ready to be completed: nature of the breach, categories/volumes, likely consequences, measures taken/proposed, DPO/contact point,
  - an escalation matrix with roles (CISO, DPO, Legal, Comms, Management) and a weekend/holiday fallback.
- Write useful communications to individuals (Art. 34). The «we are investigating» email is insufficient if the risk is non-negligible. Use clear language to:
  - describe what was compromised and why it matters (e.g., IBAN, wire fraud risks),
  - provide concrete protective steps (e.g., vigilance over payment orders, bank alerts, IBAN verification, blocking if needed),
  - indicate technical/organizational measures taken,
  - provide a support/DPO contact channel.
- Align your records and retention policies (Art. 5(1)(e)). Free Mobile was flagged for excessive retention: document durations, configure automatic purges, and suspend purging when needed (data subject rights or incident) to preserve traceability.
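The playbook and Art. 34 points above can be turned into a small, testable incident record. The following Python sketch is an added example, not part of the original article and not taken from any CNIL, CNPD or EDPB material: it fixes the 72h clock on the «becomes aware» timestamp (Art. 33(1)), lists the Art. 33(3)(a)-(d) minimum content, flags what is still missing so the initial notification is filed on time and completed in phases (Art. 33(4)), and reuses the (b)-(d) subset for the Art. 34(2) check on the message to individuals. Field names, the `BreachRecord` class and the sample timestamps are this example's own assumptions.

```python
"""Added example: Art. 33 notification record with a 72h deadline and a
phased-completeness check. Field names are this example's own choice,
derived from the wording of GDPR Art. 33(3)(a)-(d)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Art. 33(1): "not later than 72 hours after having become aware of it".
NOTIFICATION_WINDOW = timedelta(hours=72)

# Art. 33(3) minimum content. Items (b)-(d) are also what Art. 34(2)
# requires in the communication to individuals.
ART_33_3_FIELDS = {
    "nature": "(a) nature of the breach, categories and approximate numbers "
              "of data subjects and records",
    "dpo_contact": "(b) name and contact details of the DPO or other contact point",
    "likely_consequences": "(c) likely consequences of the breach",
    "measures": "(d) measures taken or proposed, including mitigation",
}
ART_34_2_FIELDS = ("dpo_contact", "likely_consequences", "measures")


@dataclass
class BreachRecord:
    # The Art. 33 trigger: set by the awareness procedure, not by the
    # (often earlier and unknown) time of the intrusion itself.
    became_aware_at: datetime
    content: dict = field(default_factory=dict)

    def deadline(self) -> datetime:
        return self.became_aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now) / timedelta(hours=1)

    def missing_fields(self, required=ART_33_3_FIELDS) -> list:
        """Required items still empty. Under Art. 33(4) they are supplied in a
        follow-up "without undue further delay"; they never justify waiting."""
        return [k for k in required if not str(self.content.get(k, "")).strip()]

    def update(self, **fields) -> None:
        """Phased completion of the record (Art. 33(4))."""
        self.content.update(fields)

    def initial_notification(self, now: datetime) -> dict:
        """What can be sent to the authority right now, with the gaps declared."""
        missing = self.missing_fields()
        return {
            "notified_at": now.isoformat(),
            "deadline": self.deadline().isoformat(),
            "within_72h": now <= self.deadline(),
            "complete": not missing,
            "pending_under_art_33_4": [ART_33_3_FIELDS[k] for k in missing],
            **{k: self.content[k] for k in ART_33_3_FIELDS if k in self.content},
        }

    def individual_communication_gaps(self) -> list:
        """Art. 34(2) check: the message to individuals must carry 33(3)(b)-(d)."""
        return self.missing_fields(ART_34_2_FIELDS)


def demo() -> BreachRecord:
    """Constructed scenario (not a real case): SOC confirms the breach on a
    Saturday night; legal drafts the first notification 30 hours later."""
    rec = BreachRecord(
        became_aware_at=datetime(2026, 1, 10, 22, 0, tzinfo=timezone.utc),
        content={
            "nature": "Unauthorised access to a customer database; IBANs of "
                      "part of the customer base (constructed figures pending)",
            "dpo_contact": "dpo@example.invalid",  # placeholder contact
        },
    )
    return rec


if __name__ == "__main__":
    rec = demo()
    now = datetime(2026, 1, 12, 4, 0, tzinfo=timezone.utc)
    print(rec.initial_notification(now))
    print("hours left:", rec.hours_remaining(now))
    print("gaps for Art. 34 message:", rec.individual_communication_gaps())
```

The point of `initial_notification` is that it can always be produced: an incomplete first filing with the gaps named under Art. 33(4) is what the text above calls a prompt initial notification followed by updates, whereas a record that only exports once `complete` is true recreates the «wait for the end of the investigation» pitfall.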
In the short term, embed the new EDPB template into your incident playbooks: it structures Art. 33(3) content and will facilitate the authority’s assessment (including CNPD). See CNIL’s note on the common model and the EDPB link: CNIL – EDPB adopts a common model. (cnil.fr)
If you operate in Luxembourg, align with CNPD expectations as outlined on our page GDPR Luxembourg and CNPD compliance.
Common pitfalls
- Downplaying scope and waiting for «the end of the investigation» before alerting: Art. 33 requires a prompt initial notification, followed by updates. CNPD reminds that initial incompleteness does not excuse late notification. (cnpd.public.lu)
- Overly generic emails to individuals: Art. 34(2) explicitly refers to Art. 33(3)(b)-(d); in practice, the absence of a risk explanation and of concrete actions amounts to an infringement (as illustrated by Free/Free Mobile). (cnil.fr)
- «Weak» MFA on VPN and inoperative logging: the case shows that non-phishing-resistant MFA and «blind» detection weigh heavily in the Art. 32 assessment. (cnil.fr)
- Poorly controlled retention periods: keeping millions of legacy records «just in case» exposes you to cumulative issues (security + minimization + retention). (cnil.fr)
- Processors not aligned with the «72h» rule: Art. 33(2) requires processors to alert the controller «without undue delay». Test this flow in exercises: without upstream alerting, the controller will miss the 72h window. Text: GDPR Chapter IV (CNPD). (cnpd.public.lu)
Official sources
- CNIL — Data breach: €42M fine (Free Mobile €27M; Free €15M), 14/01/2026. Context, infringements (Arts. 32, 34, 5(1)(e)) and Légifrance links to SAN‑2026‑001/002. https://www.cnil.fr/fr/sanction-free-2026. (cnil.fr)
- EUR‑Lex — Regulation (EU) 2016/679 (GDPR): Arts. 33 and 34 (72h authority notification; communication to individuals and minimum content). https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=EN. (eur-lex.europa.eu)
- CNPD (Luxembourg) — Data breaches (GDPR): notification duties, processor role, 72h deadline. https. (cnpd.public.lu)
- EDPB — Common breach notification template (10/06/2026): structure to meet Art. 33(3). https. (edpb.europa.eu)
- EDPB — Guidelines 01/2021 (Examples regarding Personal Data Breach Notification): practical cases to decide when to notify and how to write. https. (edpb.europa.eu)
- CNIL — EDPB adopts a common notification model: https. (cnil.fr)
In short: the Free/Free Mobile case confirms the authority assesses end to end the «secure — notify — inform» chain. In Luxembourg, frame your 72h with the EDPB template, prepare clear messages to individuals, and document your choices. The gaps now identified and fined (here €42M) precisely indicate what CNPD expects.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.