Matthieu Mélin interviewed by Lexology on CNIL’s record fine against Free and Free Mobile
The CNIL recently imposed fines totaling €42 million on Free and Free Mobile following a cyberattack in 2024 that exposed the personal data of 24 million subscribers.
For Lexology, the UK-based legal media platform, Matthieu Mélin provides an analysis of the lessons arising from this decision. While the occurrence of a data breach does not in itself constitute a GDPR violation, the CNIL identified serious security shortcomings—insufficient VPN protections and the absence of mechanisms to detect suspicious activity—even though these measures had been recommended by both the CNIL and ANSSI.
According to Matthieu Mélin:
"Although these recommendations are not legally binding, the French Council of State confirmed in 2024 that the CNIL may refer to them when assessing a violation. Data controllers must now treat such recommendations as akin to strict obligations, or be prepared to justify any decision to deviate from them."
The case underscores the growing importance of alignment with recognised security best practices as a key element of effective data governance.