Data Breach: CNIL imposes a €42 million fine on Free Mobile and Free (13 January 2026)
In October 2024, an attack compromised the information systems of Free Mobile and Free, exposing the personal data of 24 million subscribers, including IBANs for shared customers. Following more than 2,500 complaints, the CNIL found breaches of the GDPR attributable to each of the companies for the processing of their subscribers’ personal data.
Firstly, the CNIL noted that Free Mobile and Free had not implemented sufficient security measures in accordance with Article 32 of the GDPR, in particular for VPN authentication and the detection of abnormal activity, exposing subscribers’ data. The companies were ordered to finalise their security enhancements within three months.
The CNIL also noted that Free Mobile and Free had informed subscribers of the breach by email and via a toll-free number/internal system, but that the email did not contain all the information required by Article 34 of the GDPR, preventing those affected from fully understanding the consequences of the breach and the protective measures to be taken.
Finally, the CNIL found that Free Mobile was storing millions of pieces of personal data belonging to former subscribers without justification, beyond the period necessary for accounting purposes. The company has begun sorting and deleting the excess data and has been ordered to complete this operation within six months.
- For more information on this subject, click here.
The report on “Influence and social networks” was submitted to the government (13 January 2026)
Two and a half years after the enactment of Law No. 2023-451 of 9 June 2023 regulating commercial influence, a parliamentary report presented on 13 January 2026 gives an overall positive assessment of the existing system. The law has had a real educational effect, increasing the transparency of commercial communications and confidence in the digital economy, while combating misleading practices more effectively.
However, the report highlights the persistence of new abuses linked to the rapid evolution of uses and technologies. Monetised live streams, particularly on certain platforms such as TikTok, are identified as a major area of concern, notably due to the integrated financial mechanisms, the risks of aggressive commercial practices and the increased exposure of minors.
In response, French parliamentarians have formulated 78 recommendations, including several key measures:
- the creation of a mandatory registration system for influencer agents in order to professionalise the sector, which will involve criminal background checks;
- the strengthening of the supervision of online training courses promoted by influencers, with the introduction of a prior authorisation system;
- strengthening the obligations imposed on platforms, particularly with regard to user protection, transparency of financial flows and limiting minors’ access to certain content;
- increased supervision of sensitive promotions (alcohol, health, gaming, adult content), including when these are based on tools using generative AI.
The report highlights the insufficient operational resources of the supervisory authorities, in particular the DGCCRF (French authority for competition, consumer affairs and fraud control), ARCOM (French authority for audiovisual and digital communication) and AMF (French financial markets authority), which are faced with the considerable volume of content disseminated daily on platforms. It recommends strengthening automated monitoring and detection capabilities, improving coordination and information sharing between public actors, and creating a one-stop portal for reporting “digital disorder” attached to the Prime Minister’s office in order to structure and centralise the public response.
This work should feed into the forthcoming submission of a draft “influencers 2” bill, aimed at adapting the legal framework to technological developments and new economic models of influence.
- For more information on this subject, click here.
Airbnb does not have the status of a hosting provider and can be held liable for illegal subletting. (7 January 2026)
In two rulings handed down on 7 January 2026, the French Court of Cassation ruled on the liability of the Airbnb platform in cases of subletting without the landlord’s authorisation.
In the first case, a social housing tenant had sublet her flat, located in a tourist area, without her landlord’s consent. In the second case, a tenant of a Parisian property had also sublet the property on a short-term basis without the written authorisation of the owner, in violation of Article 8 of the Law of 6 July 1989. In both cases, the landlords sought the return of the rent received and held Airbnb liable.
The lower courts adopted differing analyses. In the first case, the Court of Appeal recognised Airbnb as a host within the meaning of the Law on Confidence in the Digital Economy (LCEN), thereby excluding any liability on the part of the platform. In the second case, however, the Court of Appeal considered that Airbnb played a role that went beyond that of a mere technical intermediary and could, as such, be held liable.
The Court of Cassation points out that the benefit of the liability exemption regime provided for by the LCEN is strictly reserved for operators who adopt a neutral, purely technical and passive role in the storage and provision of content supplied by users. Such status presupposes a lack of knowledge and control over the offers disseminated.
However, the Court of Cassation noted that Airbnb actively organises and supervises the operation of its platform. It imposes rules on users, intervenes in the publication and transaction process, and promotes certain offers or hosts. These elements reflect interference in the relationship between hosts and travellers and give the platform a capacity for influence that is incompatible with the neutrality required of a host.
Consequently, the Court of Cassation ruled that Airbnb could not be classified as a hosting provider and therefore could not benefit from the exemption from liability provided for in this capacity. Airbnb may therefore be held liable in the event of illegal subletting.
-
- For more information on this subject, click here and here.
The European Commission is preparing the Digital Fairness Act
The European Commission is preparing the Digital Fairness Act (DFA), a future legislative initiative intended to complement the Digital Services Act (DSA) and the Digital Markets Act (DMA) by strengthening consumer protection in the digital environment.
The DFA is a follow-up to the “Fitness Check” launched in 2022 and published in October 2024, which assessed the effectiveness of three key directives (UCPD, CRD and UCTD). This analysis concludes that, although these texts remain relevant, they only partially achieve their objectives in the face of contemporary digital practices. Consumers today are exposed to misleading or addictive interfaces, forms of personalisation that exploit their vulnerabilities, difficulties in cancelling digital subscriptions, and unfair contract terms. The annual financial loss is estimated at least £7.9 billion for consumers in the European Union, without taking into account psychological damage (link).
In this context, the DFA will aim to combat dark patterns, the addictive design of digital products, misleading influencer marketing, abusive online profiling and certain subscription practices. Particular attention will be paid to the protection of minors and vulnerable consumers. The text will also seek to strengthen legal certainty and limit the risks of regulatory fragmentation, as several Member States are considering national initiatives.
The text will be formally proposed to the Parliament and the Council in the third quarter of 2026, after which its legal form (stand-alone regulation or targeted directive) will be specified.
- For more information on this subject: click here.
