Free Mobile CNIL €27M GDPR Fine — France's Largest Telecom Privacy Penalty of 2026
France's CNIL fined Free Mobile €27 million after a 2024 cyberattack exposed 24 million customer contracts. The ruling reveals critical lessons for API-driven data retention and breach notification.

France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has imposed a €27 million fine on Free Mobile, making it the largest GDPR penalty against a French telecom operator in 2026. The fine follows a cyberattack in October 2024 that exposed sensitive personal data for approximately 24 million customer contracts, including bank account identifiers (IBANs) for more than five million subscribers.
According to Skillcast's 2026 GDPR fines tracker, the CNIL's investigation identified three compounding failures: inadequate technical security measures that allowed the breach, unlawful data retention of former subscriber records, and insufficient post-breach notification to affected customers.
What Went Wrong at Free Mobile
The CNIL's ruling covers violations across multiple GDPR articles, revealing a pattern that is increasingly common in large-scale breaches: the breach itself was bad, but the compliance failures around it made the enforcement outcome far worse.
Insufficient security controls (Article 32): Free Mobile had not implemented adequate technical and organizational measures to protect subscriber data. CNIL investigators found that access controls to databases containing IBAN data were insufficiently granular, allowing the threat actor to extract banking identifiers alongside contract data in a single operation.
Unlawful data retention (Article 5(1)(e)): The CNIL found that Free Mobile retained personal data of former subscribers, including payment details, for periods significantly longer than necessary. The storage limitation principle requires organizations to delete or anonymize personal data once the purpose it was collected for has been fulfilled. Keeping a former subscriber's IBAN beyond what a documented legal or accounting obligation requires has no basis under the regulation, and every such record is additional blast radius when a breach happens.
Inadequate breach notification (Article 34): Free Mobile notified the CNIL within the 72 hours that Article 33 allows, but the authority found that it failed to communicate the breach to the affected data subjects in a timely and complete manner. Article 34 requires that communication without undue delay whenever the breach is likely to result in a high risk to individuals, and exposed bank identifiers clearly meet that bar. Customers whose IBANs were exposed were nevertheless not individually notified until several weeks after the breach was confirmed.
The €27M Fine in Context
The fine is small relative to turnover: well under 1% of the 2024 global revenue of Free Mobile's parent, Iliad Group, and roughly 1% of the Free Mobile business on its own. GDPR's upper tier of fines (Article 83(5)), which covers breaches of the Article 5 principles such as storage limitation, allows up to 4% of global annual turnover or €20 million, whichever is higher; the Article 32 and Article 34 failures fall under the lower tier (Article 83(4)), capped at 2% or €10 million. The penalty therefore sits well below the ceiling, reflecting partial mitigating factors including the company's eventual cooperation and the voluntary disclosure of internal audit findings.
For comparison, cumulative GDPR fines since the regulation took effect have reached €7.1 billion according to Kiteworks, with the CNIL emerging as one of the most active enforcement authorities in the EU alongside Ireland's DPC and Germany's state-level regulators.
Three Compliance Lessons for API-First Companies
The Free Mobile case contains direct lessons for companies managing customer data through APIs — particularly those that store financial identifiers like IBANs or payment tokens.
1. Data Minimization Must Be Enforced at the API Layer
Many organizations expose more data through their APIs than the calling business logic requires. If the customer service API can return IBAN data, a compromise of that API, or of any client that holds its credentials, exposes banking identifiers even if the frontend never displays them. The fix is an explicit allow-list of fields per caller, with masking for fields the caller only needs to confirm rather than use, enforced before the response leaves the backend. Field-level PII detection tells you which responses carry sensitive data; it only reduces exposure when it is wired to that filtering.
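An added example of that allow-list, written for this page and not taken from GlobalShield or the original article. The roles and the policy table are hypothetical; the point is that every field a caller receives is an explicit allow, so an over-privileged or compromised client cannot pull IBANs it was never meant to see, and "masked" fields still let a support agent confirm an account with a customer.

```python
"""Field-level data minimisation before a record leaves the API.

Added example, not GlobalShield code. Roles and policy are hypothetical.
"""

# Allow-list per caller role: a field absent from a role's entry is never
# returned, whatever the backend holds. "full" returns the raw value, "masked"
# returns a redacted form that still supports customer-facing confirmation.
FIELD_POLICY = {
    "payments":  {"name": "full", "iban": "full"},
    "support":   {"name": "full", "iban": "masked", "phone": "masked", "email": "masked"},
    "analytics": {"contract_end_date": "full"},
}


def mask_iban(iban: str) -> str:
    """Keep country code + check digits and the last four characters."""
    s = iban.replace(" ", "")
    if len(s) <= 8:
        return "*" * len(s)
    return s[:4] + "*" * (len(s) - 8) + s[-4:]


def mask_phone(phone: str) -> str:
    """Keep only the last two digits; formatting characters are dropped."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "*" * (len(digits) - 2) + digits[-2:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


MASKERS = {"iban": mask_iban, "phone": mask_phone, "email": mask_email}


def minimise(record: dict, role: str) -> dict:
    """Return only the fields the role is allowed to see, masked where required.

    Unknown roles are refused outright rather than falling back to a default.
    """
    policy = FIELD_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no field policy for role {role!r}")
    out = {}
    for field, mode in policy.items():
        if field not in record:
            continue
        if mode == "full":
            out[field] = record[field]
        elif mode == "masked":
            masker = MASKERS.get(field)
            if masker is None:
                raise ValueError(f"no masker defined for field {field!r}")
            out[field] = masker(str(record[field]))
        else:
            raise ValueError(f"unknown mode {mode!r} for field {field!r}")
    return out


# Constructed sample record, as it would come back from the storage layer.
CUSTOMER = {
    "name": "Marie Dupont",
    "iban": "FR76 3000 6000 0112 3456 7890 189",
    "phone": "+33 6 12 34 56 78",
    "email": "marie.dupont@example.org",
    "contract_end_date": "2025-10-01",
}

if __name__ == "__main__":
    for role in FIELD_POLICY:
        print(role, minimise(CUSTOMER, role))
```

The analytics role never sees the IBAN key at all, which is the behaviour you want when that role's credentials leak: there is nothing to extract. Masking happens on the serialised response, so the rule holds for every client regardless of what the frontend chooses to render.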
2. Retention Policies Need Automated Enforcement
CNIL found that Free Mobile retained data of former subscribers far too long. Manual retention processes are unreliable at scale. Organizations processing millions of customer records need automated retention pipelines that trigger deletion or anonymization when contractual relationships end.
3. Breach Scope Assessment Should Be Near-Instant
Notifying affected data subjects is required under Article 34 when the breach is likely to result in a high risk to them, but you cannot notify customers until you know which records were exposed and what they contained. Two things are needed for that: access or export logs that show what the attacker read, and a classification of the exposed data that says which PII types each record carries. Organizations without the second face multi-week delays in breach scope assessment, which is exactly what the CNIL criticized in this case. Automated PII detection over the exposed data set turns that assessment into hours rather than weeks, and it also surfaces the records that should not have existed at all because their retention period had already expired.
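An added example covering lessons 2 and 3 together; it is written for this page and is not GlobalShield code or code from the original article. Given a constructed leak sample whose column names are deliberately uninformative, it classifies the PII types in each record by content, validates IBAN candidates with the ISO 7064 mod-97 checksum so that look-alike reference numbers are not counted as bank identifiers, and flags records that the retention policy should already have purged. The 12-month post-contract retention window and the assessment date are assumptions for illustration, not legal figures.

```python
"""Breach scope triage over a constructed leak sample (added example).

Classifies PII per record, checksums IBAN candidates, and flags records
retained past an assumed policy window. Not GlobalShield code.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Patterns applied to every string value in a record. IBAN candidates are
# only counted when the checksum validates (see iban_is_valid).
PATTERNS = {
    "IBAN":  re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+\d{2}(?:\s?\d){8,12}\b"),
}
RETENTION_AFTER_END = timedelta(days=365)   # assumed policy, not a legal figure
REFERENCE_DATE = date(2024, 10, 20)         # assumed assessment date


def iban_is_valid(candidate: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map letters
    to 10..35, and the resulting integer must leave remainder 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def classify_record(record: dict) -> set:
    """Return the set of PII types found anywhere in the record's values,
    regardless of what the column is called."""
    found = set()
    for value in record.values():
        if not isinstance(value, str):
            continue
        for pii_type, pattern in PATTERNS.items():
            for match in pattern.finditer(value):
                if pii_type == "IBAN" and not iban_is_valid(match.group()):
                    continue   # looks like an IBAN but fails the checksum
                found.add(pii_type)
    return found


def assess_scope(records: list, today: date = REFERENCE_DATE) -> dict:
    """Summarise what was exposed and which records should not have existed."""
    by_type = Counter()
    iban_subjects = []
    overdue = []
    for rec in records:
        types = classify_record(rec)
        by_type.update(types)
        if "IBAN" in types:
            iban_subjects.append(rec["id"])
        end = rec.get("contract_end")
        if end and types and date.fromisoformat(end) + RETENTION_AFTER_END < today:
            overdue.append(rec["id"])
    return {
        "records": len(records),
        "by_type": dict(by_type),
        "iban_subjects": iban_subjects,    # Article 34 high-risk notification set
        "retained_past_policy": overdue,   # Article 5(1)(e) exposure
    }


# Constructed sample dump. Column names are opaque, as in a real extraction,
# so classification has to rely on content rather than schema. Record c-1002
# carries a reference that matches the IBAN shape but fails the checksum.
SAMPLE_DUMP = [
    {"id": "c-1001", "c1": "Marie Dupont", "c2": "FR76 3000 6000 0112 3456 7890 189",
     "c3": "+33 6 12 34 56 78", "contract_end": None},
    {"id": "c-1002", "c1": "Jean Martin", "c2": "jean.martin@example.org",
     "c3": "ref FR00 1234 5678 9012 3456 7890 123", "contract_end": None},
    {"id": "c-1003", "c1": "Ancien Client", "c2": "DE89 3704 0044 0532 0130 00",
     "c3": "", "contract_end": "2023-01-15"},
]

if __name__ == "__main__":
    print(assess_scope(SAMPLE_DUMP))
```

Two of the three records carry a real IBAN and go on the individual-notification list; the third IBAN-shaped string is rejected by the checksum, so a customer is not told their bank details leaked when they did not. The record that ended in January 2023 was still holding an IBAN twenty months later, which is the retention failure the CNIL sanctioned, and the same pipeline run on a schedule rather than after a breach would have purged it.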
How GlobalShield Addresses These Requirements
GlobalShield provides an API for real-time PII detection and data masking that directly addresses the failure patterns identified in the Free Mobile ruling.
PII detection at ingestion: Before data enters your storage layer, GlobalShield identifies and classifies personal data — including financial identifiers like IBANs, account numbers, and payment tokens — so you know exactly what you're storing and where.
Automated masking for non-essential access: GlobalShield can mask or redact PII fields in API responses based on caller role, ensuring internal tools and third-party integrations receive only the data they legitimately need.
Retention audit support: The API returns structured metadata about detected PII types, which can be used to trigger downstream retention workflows and produce audit logs for GDPR accountability obligations.
```python
import json
import os

import requests

# Keep the key out of source control; the page's "YOUR_API_KEY" placeholder
# is read from an environment variable here.
API_KEY = os.environ.get("RAPIDAPI_KEY", "YOUR_API_KEY")


def scan_customer_record_for_pii(customer_data: dict) -> dict:
    # Serialise as JSON rather than str(): the reported entity positions then
    # refer to a well-defined encoding rather than a Python repr.
    response = requests.post(
        "https://apivult.com/api/globalshield/detect",
        headers={"X-RapidAPI-Key": API_KEY},
        json={
            "text": json.dumps(customer_data, ensure_ascii=False),
            "detect_types": ["IBAN", "PAYMENT_CARD", "EMAIL", "PHONE", "NAME"],
            "return_positions": True,
        },
        timeout=10,
    )
    response.raise_for_status()  # surface auth or quota errors instead of a KeyError below
    result = response.json()
    if result["pii_detected"]:
        print(f"Found {len(result['entities'])} PII entities:")
        for entity in result["entities"]:
            print(f"  {entity['type']}: {entity['masked_value']} at position {entity['start']}-{entity['end']}")
    return result


# Scan before storing; flag if sensitive financial data is present
customer = {
    "name": "Marie Dupont",
    "iban": "FR76 3000 6000 0112 3456 7890 189",
    "phone": "+33 6 12 34 56 78",
    "contract_end_date": "2025-10-01",
}
scan_result = scan_customer_record_for_pii(customer)
```

What Regulators Are Watching Next
The CNIL has signaled that telecom and utility providers — which by nature collect long-lived personal and financial data — are a priority enforcement sector for the remainder of 2026. The Free Mobile ruling establishes a precedent: even when a breach is caused by an external attacker rather than internal misuse, the organization is responsible for the security architecture that allowed the exposure.
For companies handling financial identifiers via API, the time to implement automated PII classification and retention enforcement is before a breach, not after.
Sources
- Biggest GDPR Fines of 2026 — Skillcast, April 2026
- GDPR Fines Hit €7.1 Billion: Data Privacy Enforcement Trends in 2026 — Kiteworks, 2026
- GDPR Enforcement Tracker — CMS Law, ongoing