The CNIL has just imposed a fine on Free. The reasons: the operator failed to comply with the GDPR by poorly securing the personal data of its subscribers… and by recycling Freeboxes that still contained data from former customers!
Free is once again in the sights of the National Commission for Computing and Liberties (CNIL). After being sentenced in January 2022 by the digital watchdog to pay a fine of 300,000 euros for not having sufficiently secured the personal data of its subscribers and not having respected their right of access to this data, the operator is doing it again, for similar reasons. In a decision made public on December 8, 2022, the CNIL revealed that it had received 41 complaints from customers between October 2018 and November 2019 – only 10 of which were retained within the framework of the procedure – for failure to respect the GDPR (General Data Protection Regulation). After investigation, it found several shortcomings, “in particular the rights of data subjects (right of access and right of erasure) as well as data security (weak password robustness, storage and transmission of passwords in plain text, recirculation of approximately 4,100 badly reconditioned “Freebox” boxes)”.
Free and the GDPR: poorly protected subscriber data
The CNIL has identified several breaches of the GDPR on the part of Free. First of all, the operator did not respect its customers’ right of access, because it did not follow up on their various requests and complaints within the stipulated time, or else gave them incomplete answers. As a consequence, it also did not respect their right to erasure. Then, the digital watchdog raised a breach of the obligation to ensure the security of personal data, which itself comprises several problems.
For the regulator, the passwords generated during the creation of a user account on the company’s website, during a recovery procedure or during a password renewal were too weak, and all of the passwords generated during registrations were stored in plain text in the company’s subscriber database. In addition, these passwords, as well as those associated with the “free.fr” e-mail accounts, were sent by post or by e-mail in plain text, without having to be changed or being subject to a temporary restriction. Imagine the panic if someone intercepted the message! Note, however, that Free has partially corrected this problem: since the beginning of the year, it has offered a link to reset the password of its fixed and mobile subscribers on demand.
Freebox: boxes with personal files in the wild
But subscriber passwords are not the only information that is not secure. Another criticism from the CNIL concerns Freeboxes that were not properly reconditioned. Indeed, as with all operators, Free often recovers boxes either following a malfunction – a breakdown due to lightning, for example – or following the departure of subscribers. However, models containing a hard drive, such as the Freebox Revolution, retain various data stored by their users – videos, photos, music, TV recordings but also sometimes personal and confidential documents – since the box is used as a network storage server. The commission noted that some 4,100 Freeboxes had been badly reconditioned, without the data of their former users being erased before they returned to circulation. As a consequence, subscribers who receive these boxes end up with potentially sensitive files from former customers…
In its defense, the company argued that the “seriousness of this incident must be nuanced given the nature of the data usually stored on the Freeboxes”. An opinion that the CNIL clearly does not share, as it considers “that this common usage does not rule out the possibility that some of the badly refurbished Freebox boxes contain personal photos or videos, which have a highly personal character.” Finally, the documentation established by the operator did not make it possible to know all of the measures taken to remedy this incident, which constitutes a breach of the obligation to document a personal data breach.
It is therefore because of all these offenses that the CNIL announced, on November 30, 2022, that it had imposed a fine of €300,000 on Free. This takes into account the size and financial situation of the company and the fact that it took measures during the procedure to correct the shortcomings. The Commission also ordered it to bring its handling of individuals’ right-of-access requests into compliance and to justify this within 3 months, under penalty of having to pay 500 euros per day of delay. This decision was made public because of “the need to recall the importance of processing personal rights requests and securing user data”. Let’s hope that the operator has finally learned its lesson!