GDPR Enforcement Trends in 2026 (Part I): French CNIL Fines Telecom Giant Free Mobile €42 Million
Introduction
On January 13, 2026, the French National Commission for Informatics and Liberties (CNIL) imposed fines totaling €42 million on the French telecom operator Free Mobile and its parent company Free: €27 million for Free Mobile and €15 million for Free. The penalty stems from a large-scale data breach in October 2024 that affected the data of more than 24 million users. The CNIL's decision once again highlights the strict enforcement stance taken under the EU General Data Protection Regulation (GDPR) and serves as a warning to all enterprises operating in Europe or handling data connected to Europe. The case offers particularly valuable lessons and forward-looking insights for Chinese-funded enterprises.
Background and Details of the Incident
In October 2024, the information systems of Free Mobile and Free were attacked, leading to the leakage of personal data related to approximately 24 million subscriber contracts, including IBANs for some users. This breach triggered numerous user complaints, prompting the CNIL to launch an investigation. The investigation revealed that both companies had multiple violations in data security and failed to adequately fulfill their data protection obligations under the GDPR.
The CNIL’s investigation found that Free Mobile and Free had not implemented sufficient basic security measures to effectively resist the attack at the time of the data breach. Specifically, the VPN authentication procedures used by both companies for remote work by employees were not robust enough, and their measures for detecting abnormal behavior in their information systems were also ineffective. Furthermore, the CNIL pointed out that Free Mobile failed to promptly clean up and delete personal data of former subscribers, violating data retention period regulations.
Analysis of GDPR Violations
The CNIL’s fine decision was primarily based on the following GDPR violations:
1. Breach of the Obligation to Ensure Personal Data Security (GDPR Article 32)
GDPR Article 32 requires data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The CNIL found that Free Mobile and Free failed to implement adequate security measures, such as weak VPN authentication and ineffective abnormal behavior detection, which allowed attackers to infiltrate their systems and obtain a large amount of user data. The CNIL emphasized that while it is impossible to eliminate all risks, enterprises must take reasonable measures to reduce the likelihood of risks and limit their severity.
2. Breach of the Obligation to Notify Data Subjects of a Data Breach (GDPR Article 34)
GDPR Article 34 stipulates that when a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay. The CNIL noted that the email notifications sent by Free Mobile and Free to affected users did not contain all the necessary information required by Article 34(2) of the GDPR, preventing users from directly understanding the consequences of the breach and how to take measures to protect themselves.
3. Breach of the Obligation to Retain Personal Data for a Limited Period (GDPR Article 5(1)(e))
GDPR Article 5(1)(e) states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The CNIL found that, at the time of the inspection, Free Mobile had not implemented measures to sort and promptly delete the personal data of former subscribers, retaining millions of data records that were no longer needed for accounting purposes, exceeding the reasonable retention period.
Potential Impact on Chinese-funded Enterprises
The Free Mobile case serves as a significant warning for Chinese-funded enterprises operating in Europe or involved in data exchanges with Europe:
- Increased Compliance Risks: The CNIL's strict enforcement demonstrates that European data protection authorities have extremely low tolerance for GDPR violations. Chinese-funded enterprises that fail to fully comply with GDPR will face significant fines, reputational damage, and even business disruption risks.
- Enhanced Emphasis on Data Security: This case highlights the importance of data security measures. Chinese-funded enterprises should review their data security protection systems to ensure they can effectively respond to increasingly complex cyber threats, especially concerning critical aspects such as VPN authentication, intrusion detection, and response mechanisms.
- Challenges in Data Breach Response Mechanisms: The CNIL's requirements for the content of Free Mobile's data breach notification remind Chinese-funded enterprises to establish comprehensive data breach incident response plans, ensuring timely, accurate, and transparent notification to affected data subjects and regulatory authorities in the event of a breach, as required by GDPR.
- Higher Requirements for Data Lifecycle Management: Free Mobile's violation of data retention periods reminds Chinese-funded enterprises that they must establish sound data lifecycle management systems, clarifying the collection, use, storage, archiving, and deletion strategies for various types of data to avoid unnecessary long-term data retention.
Compliance Recommendations
To cope with the increasingly stringent GDPR enforcement environment, Chinese-funded enterprises should adopt the following compliance measures:
- Comprehensive Assessment and Strengthening of Data Security Measures: Conduct a comprehensive security audit of existing information systems, especially focusing on remote access, identity authentication, intrusion detection, and response. Invest in advanced security technologies, and regularly conduct security drills and employee training to enhance overall security protection capabilities.
- Establish a Sound Data Breach Incident Response Mechanism: Develop a detailed data breach incident response plan, clarifying responsibilities, response processes, and communication strategies. Ensure that in the event of a data breach, it can be promptly identified, contained, and remedied, and that affected data subjects and regulatory authorities are notified in a timely and accurate manner, as required by GDPR.
- Optimize Data Retention and Deletion Strategies: Review and optimize enterprise data retention policies based on GDPR's data minimization and storage limitation principles. Set reasonable retention periods for different types of data and establish automated data deletion mechanisms to ensure that data no longer needed is promptly and securely destroyed.
- Strengthen Employee GDPR Awareness Training: Regularly conduct GDPR compliance training for employees to make them aware of the importance of data protection, the core principles of GDPR, and the company's internal data protection policies and procedures. Ensure that all employees comply with GDPR requirements in their daily work.
- Seek Professional Legal Advice: Given the complexity of GDPR and evolving enforcement practices, Chinese-funded enterprises should actively seek professional legal and compliance consulting services to ensure that their data processing activities comply with the latest regulatory requirements.
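As an added illustration of the sorting and automated deletion that the Article 5(1)(e) finding above and the retention recommendation call for (example code written for this article, not code from Free Mobile or from the CNIL decision), the following Python sketch sorts subscriber records into retain, accounting-only and delete buckets based on contract end date. The ten-year accounting window, the record fields and the sample data are assumptions, not values taken from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy parameter (not from the CNIL decision): records of former
# subscribers stay available for accounting for this many years after the
# contract ends, then fall out of scope and must be deleted.
ACCOUNTING_RETENTION_YEARS = 10

@dataclass
class SubscriberRecord:
    subscriber_id: str
    contract_end: Optional[date]  # None means the contract is still active
    has_open_invoice: bool        # an unsettled balance keeps the record in use

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def classify(record: SubscriberRecord, today: date) -> str:
    """Sort one record into 'retain', 'accounting_only' or 'delete'."""
    if record.contract_end is None:
        return "retain"  # active subscriber: the service purpose still applies
    cutoff = add_years(record.contract_end, ACCOUNTING_RETENTION_YEARS)
    if record.has_open_invoice or today < cutoff:
        # Former subscriber whose data the accounting purpose still justifies.
        return "accounting_only"
    return "delete"  # no remaining purpose: retention limit exceeded

def retention_sweep(records: List[SubscriberRecord], today: date) -> Dict[str, List[str]]:
    """Run the classification over a batch; the caller deletes the 'delete' bucket."""
    buckets: Dict[str, List[str]] = {"retain": [], "accounting_only": [], "delete": []}
    for rec in records:
        buckets[classify(rec, today)].append(rec.subscriber_id)
    return buckets

# Constructed sample data, evaluated on the date of the CNIL decision.
SAMPLE = [
    SubscriberRecord("active-1", None, False),
    SubscriberRecord("former-2", date(2020, 6, 30), False),
    SubscriberRecord("former-3", date(2012, 2, 29), False),
    SubscriberRecord("former-4", date(2010, 1, 1), True),
]

if __name__ == "__main__":
    print(retention_sweep(SAMPLE, date(2026, 1, 13)))
```

A production version would log each sweep and have the "accounting_only" bucket keep only the fields accounting actually needs, so that data such as an IBAN is not retained merely because the record as a whole is.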
Conclusion
The substantial fine imposed by the French CNIL on Free Mobile and Free once again demonstrates the powerful deterrent effect of GDPR. This case serves not only as a warning to the telecom industry but also imposes higher requirements on all enterprises operating in the European market, especially Chinese-funded enterprises, in terms of data protection compliance. By thoroughly analyzing this incident, Chinese-funded enterprises should learn from it, comprehensively review and strengthen their data protection systems, and integrate GDPR compliance into all aspects of their operations, thereby effectively mitigating legal risks, safeguarding corporate reputation, and laying a solid foundation for sustainable development.
Disclaimer
This article is for discussion purposes only and does not constitute a legal opinion or advice of any kind from Guangyue Law Firm (廣悅律師事務所) or its lawyers. To reproduce or quote any content of this article, please contact the firm for authorization and cite the source when doing so. If you wish to discuss related matters further or need professional legal support, please feel free to contact the firm.


Contact: Ms. Ye Wen (葉文)
We look forward to further exchanges with you!
About Guangyue Law Firm
Founded in 2008, Guangyue Law Firm (廣悅律師事務所) is a full-service law firm with a foreign-related practice, based in the Greater Bay Area and committed to integrated management. Today, Guangyue has built a professional team of over one hundred lawyers and other legal service staff and a diversified practice system, providing clients with high-quality, comprehensive, one-stop legal services. Following its development strategy of "rooted in the Greater Bay Area, collaborating with Hong Kong and Macau, facing the world", Guangyue now has eight offices: Guangzhou, Hong Kong, Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), with clients across many countries and regions in China and abroad.
Contributed by | Guangyue Milan Office
Editor | Wu Baoxuan (吳寶渲)
Reviewed by | Su Bing (蘇冰)
Approved by | Brand Promotion and Market Development Committee