
CNIL’s €42M Free Mobile Fine: When “Just in Case” Data Retention Triggers Disaster

  • awcollison8

Keeping past customer data “just in case” is no longer a neutral business choice—it’s increasingly treated as a security and compliance amplifier when things go wrong. France’s CNIL announcement on January 13, 2026, proves it: €27 million against FREE MOBILE and €15 million against FREE, totaling €42 million, tied to a 2024 breach exposing data from 24 million subscriber contracts (including IBANs).

The Findings


CNIL’s own sanction decision is unambiguous about the retention failure specific to Free Mobile: the company “had not implemented measures to sort the data of former subscribers in order to retain only those necessary for accounting purposes and then delete them when their retention was no longer necessary.”

The regulator called out:

  • No filtering/sorting mechanisms to distinguish data still needed (e.g., accounting) from data that should be deleted.

  • Millions of data points retained for excessive periods without justification.

  • No operational deletion process at the end of retention periods.


Free Mobile’s remediation during the investigation—starting to sort data for 10-year accounting retention and deleting excess—came too late to avoid the fine.

Why Retention Schedules Aren’t Optional Anymore


This wasn’t a one-off. A retention schedule is now the only practical tool to operationalize GDPR Article 5(1)(e) “storage limitation” across complex environments. It translates messy reality—laws + business needs—into executable “keep until X, then delete” rules that IT systems can enforce.


The old myth of retention schedules as minimum periods (“keep everything at 7 years”) is dead. Modern schedules dictate maximum retention: data lives only as long as justified, then gets purged. When that fails, as with Free Mobile, regulators see “policies without teeth.”


The Real Complexity: Business vs. Compliance


Retention fights aren’t technical—they’re human. Legitimate business units clash over data lifespan:


  • Billing/Finance: Need 10 years for audits, disputes, and revenue recognition.

  • Customer Service: Keep account history for warranty claims and complaints.

  • Marketing: Historical trends, segmentation, churn prediction.

  • AI/ML: Training datasets, evaluation baselines, model provenance.


Without a schedule forcing these stakeholders to agree on purpose + duration, organizations default to indefinite. Free Mobile’s former-subscriber data sat around for years because no one defined when it stops being useful.

Every Extra Year is a Bet You’re Losing


CNIL’s logic is brutally clear:


  • Blast radius grows—24M contracts exposed, not just active ones.

  • Legacy systems weaken—old data hides in forgotten corners.

  • Regulators smell blood—storage limitation becomes proof of systemic failure.


Your Action: Build the Retention Schedule Now

  1. Map data by business purpose (billing? marketing? AI?).

  2. Set maximum retention (not minimum—when does it expire?).

  3. Operationalize deletion (auto-purge, audit trails, exceptions logged).

  4. Get business sign-off on the retention rules (finance, marketing, legal, AI teams agree).

  5. Test it works (quarterly validation: Did X data get deleted on schedule?).
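As an added illustration of steps 1 to 3 and 5 (example code written for this post, not Free Mobile’s or CNIL’s): a minimal retention-schedule engine that sorts former-subscriber fields by purpose, keeps only those a scheduled purpose still justifies, and records a reason for the audit trail. The 10-year accounting period is the figure the post cites; the other periods, the audit date and the sample records are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
# Maximum retention per purpose, counted from the end of the contract. The 10-year
# accounting period is the one the post cites; the other two are constructed.
MAX_RETENTION_YEARS = {"accounting": 10, "customer_service": 3, "marketing": 1}
AS_OF = date(2026, 1, 13)  # audit date for the sample run (constructed)

@dataclass
class Record:
    subscriber_id: str
    field_name: str     # e.g. "iban", "call_history"
    purposes: tuple     # purposes claimed for keeping this field
    contract_end: date  # the retention clock starts here, not at collection
# action is "keep" or "delete"; reason is what goes into the audit trail
Decision = namedtuple("Decision", "subscriber_id field_name action reason")

def add_years(d, n):
    """Calendar-year offset; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def sort_records(records, today):
    """Decide per field: keep only while some scheduled purpose is still inside its
    maximum period; a purpose not in the schedule ('just in case') never justifies keeping."""
    decisions = []
    for r in records:
        expiry = {p: add_years(r.contract_end, MAX_RETENTION_YEARS[p])
                  for p in r.purposes if p in MAX_RETENTION_YEARS}
        live = {p: exp for p, exp in expiry.items() if exp > today}
        if live:
            p, exp = max(live.items(), key=lambda kv: kv[1])  # longest surviving purpose
            decisions.append(Decision(r.subscriber_id, r.field_name, "keep",
                                      f"{p} until {exp.isoformat()}"))
        else:
            decisions.append(Decision(r.subscriber_id, r.field_name, "delete",
                                      "no purpose within schedule"))
    return decisions

# Constructed sample: former subscribers whose contracts ended on the dates shown.
SAMPLE_RECORDS = [
    Record("S1", "iban", ("accounting",), date(2015, 6, 30)),        # 10 years passed: delete
    Record("S2", "iban", ("accounting",), date(2018, 3, 1)),         # accounting runs to 2028
    Record("S2", "call_history", ("marketing",), date(2018, 3, 1)),  # marketing lapsed in 2019
    Record("S3", "email", ("marketing", "customer_service"), date(2024, 12, 1)),  # CS to 2027
    Record("S4", "iban", ("just in case",), date(2010, 1, 1)),       # never a scheduled purpose
]
```

Running `sort_records(SAMPLE_RECORDS, AS_OF)` each quarter and counting the `delete` decisions still present in the live systems is the step-5 check: anything in that set is exactly the excess CNIL faulted.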


Free Mobile shows what happens when you don’t manage information in accordance with pre-established retention rules and policies: €42M, plus a regulator-mandated cleanup under court supervision.


Primary source: CNIL official announcement: https://www.cnil.fr/en/sanction-free-2026cnil
