France Data Privacy Laws: GDPR & CNIL Compliance Guide (2026)

France regulates personal data under two overlapping frameworks: the EU General Data Protection Regulation, which applies directly since May 2018, and the Loi Informatique et Libertés (Law No. 78-17), France's foundational 1978 statute that created the CNIL as Europe's first independent data protection authority.
France's Data Privacy Framework at a Glance
France occupies a singular place in the global data privacy landscape. It enacted the Loi Informatique et Libertés (Law No. 78-17) on January 6, 1978, making it one of the first nations in the world to adopt comprehensive data protection legislation. That law created the Commission nationale de l'informatique et des libertés, known as the CNIL, Europe's first independent data protection authority.
Today France's data privacy framework rests on two pillars. The EU General Data Protection Regulation (GDPR) applies directly across all member states since May 25, 2018, providing the core rights and obligations. The Loi Informatique et Libertés, substantially amended in 2018 and updated by Decree No. 2019-536, governs areas where EU law grants member states discretion. The result is a dual-layer system: the GDPR sets the baseline, and French national law adds sector-specific requirements that organizations must also satisfy.
Consult an attorney for advice specific to your situation. The information here is general legal information, not legal advice.
Constitutional Basis for Data Privacy
France's right to privacy has constitutional status, rooted in the Declaration of the Rights of Man and of the Citizen of August 26, 1789, which forms part of the French constitutional bloc. The Constitutional Council (Conseil constitutionnel) held in 1999 that the freedom guaranteed by Article 2 of the 1789 Declaration encompasses the right to respect for private life.
In its decision No. 2012-652 DC, the Constitutional Council clarified that "the collection, recording, retention, consultation and communication of personal data of a personal nature must be justified by a reason of general interest and implemented in an adequate and proportional manner to the objective pursued." This proportionality standard sits at the apex of the French legal order and constrains both legislative and executive action on data processing.
The Conseil constitutionnel reviewed the 2018 data protection reform law (Law No. 2018-493) in decision No. 2018-765 DC and confirmed its constitutionality, validating France's approach of using national legislation to exercise GDPR derogations. This constitutional footing gives data privacy rights in France a durability that goes beyond statute.
The Loi Informatique et Libertés: France's Foundational Law
The Loi Informatique et Libertés was a direct response to the SAFARI affair. In 1974, the French newspaper Le Monde revealed the SAFARI project (Système automatisé pour les fichiers administratifs et le répertoire des individus), a government initiative to link tax, social security, and police databases using a single national identification number.
Public backlash was immediate. The government abandoned SAFARI and instead commissioned the Tricot Commission, whose 1975 report led directly to the drafting of Law 78-17. The opening article declared that informatics must serve each citizen and must not harm human identity, human rights, privacy, or individual or public freedoms. That principle remains in the law today.
Key Provisions of the Original 1978 Law
The Loi Informatique et Libertés introduced concepts that were groundbreaking at the time. It established the right to know whether personal data is being processed and to access that data. It required that data collection serve a defined, legitimate purpose. It created the CNIL as an independent administrative authority with investigative and enforcement powers.
Amendments and Modernization
The law has undergone several major revisions. A 2004 amendment transposed the EU Data Protection Directive (95/46/EC), shifting from a prior authorization model to a notification-based regime. The most significant overhaul came in 2018, when Law No. 2018-493 adapted the legislation to complement the GDPR. Ordinance No. 2018-1125 of December 12, 2018 restructured and rewrote the law for clarity. Decree No. 2019-536 of May 29, 2019 completed the implementation by harmonizing procedural rules and clarifying data subject rights.
The current Loi Informatique et Libertés does not duplicate the GDPR but fills areas where the GDPR explicitly allows or requires member state legislation. These include health data processing rules, the digital age of consent for minors, criminal data processing, and post-mortem data directives.
The CNIL: Structure, Powers, and Enforcement
The CNIL is an independent administrative authority composed of 18 members drawn from the National Assembly, the Senate, the judiciary, and qualified individuals appointed for their expertise. The commission operates with full independence from the French government and publishes its decisions publicly.

Investigative Powers
The CNIL conducts on-site inspections, online audits, and document requests. It can enter business premises during business hours, access IT systems, and copy data relevant to its investigations. Organizations must cooperate with CNIL investigations or face separate penalties for obstruction.
Ordinary and Simplified Sanction Procedures
The CNIL operates two enforcement tracks. Under the ordinary procedure, the restricted committee (a sub-body of the CNIL's full commission) hears cases through a formal adversarial process, including public hearings, and can impose the full range of GDPR penalties.
The simplified sanction procedure, introduced in 2022, handles cases that do not present particular difficulty. The CNIL president designates a single member of the restricted committee to rule alone, without a public hearing (unless the organization requests one). Fines under the simplified procedure are capped at EUR 20,000, and injunctions carry a maximum penalty of EUR 100 per day of delay. Simplified procedure sanctions are not published publicly. This track allows the CNIL to dispose of high volumes of complaints quickly without the resource burden of full hearings.
By 2024, the CNIL had used the simplified procedure for dozens of cases involving website operators, small businesses, and local authorities. There is no automatic threshold that routes a case to one procedure or the other; the choice remains with the CNIL president.
Enforcement Track Record: 2024 and 2025
The CNIL's enforcement activity has intensified significantly in recent years.
In 2024, the CNIL issued 87 sanctions totaling EUR 55.2 million. The sanctions included 75 fines (14 with injunctions under penalty), 8 decisions settling the periodic penalty payment attached to an existing injunction, and 4 reminders of the law. Eleven organizations were penalized specifically for making cookie refusal mechanisms more complex than acceptance. On November 14, 2024, the CNIL fined ORANGE EUR 50 million for inserting advertising emails into users' inboxes without consent and continuing to read cookies after withdrawal of consent.
In 2025, enforcement reached a new scale. The CNIL issued 83 sanctions totaling EUR 486.8 million, nearly nine times the 2024 total. The jump was driven by several landmark decisions. Cookies, employee monitoring, and data security were the three dominant enforcement themes. Twenty-one entities were sanctioned for tracker-related breaches, 16 organizations for non-compliant employee video surveillance, and 14 for inadequate data security measures.
Notable CNIL Enforcement Decisions
The CNIL has established itself as one of the most active data protection authorities in Europe. The following decisions illustrate its enforcement priorities across the 2023-2026 period.
Google: EUR 325 Million (September 2025)
The CNIL imposed a combined fine of EUR 325 million on Google LLC (EUR 200 million) and Google Ireland Limited (EUR 125 million). Google placed cookies when users created Google accounts without obtaining valid consent, affecting more than 74 million accounts. Google also inserted advertising messages between Gmail users' private emails without consent when users activated the smart features setting. The CNIL ordered Google to implement corrective measures within six months.
Shein: EUR 150 Million (September 2025)
The CNIL fined Infinite Styles Services Co. Limited (Shein's Irish subsidiary) EUR 150 million. Advertising cookies were placed on user devices as soon as they arrived on shein.com, before users could interact with any consent banner. Because cookies were deposited before consent could even be expressed, any subsequent consent mechanism was rendered meaningless.
Orange: EUR 50 Million (November 2024)
Orange was fined EUR 50 million for two separate violations. First, the company displayed advertisements formatted as emails in users' inboxes without obtaining consent, violating Article L. 34-5 of the French Postal and Electronic Communications Code. Second, after users withdrew cookie consent on the orange.fr website, the previously placed cookies continued to be read. Orange subsequently brought its practices into compliance; the CNIL closed the associated injunction in September 2025.
Criteo: EUR 40 Million (June 2023)
French adtech company Criteo was fined EUR 40 million for GDPR violations related to personalized advertising. The CNIL found that Criteo collected user data for ad targeting without demonstrating valid consent and that the cookie refusal option was buried behind a button misleadingly labeled "Accept cookies" in a secondary window.
Amazon France Logistique: EUR 32 Million (December 2023)
The CNIL fined Amazon France Logistique EUR 32 million for operating an excessively intrusive employee monitoring system. Amazon used handheld scanners to track warehouse workers with second-by-second precision, measuring idle time between tasks, scanning speed, and stowing rates. Measuring work interruptions with such granularity effectively required employees to justify every pause, which the CNIL ruled violated the principle of proportionality.
Social Network Data Transfer: EUR 3.5 Million (December 2025)
On December 30, 2025, the CNIL fined an unnamed company EUR 3.5 million for transmitting the email addresses and telephone numbers of over 10.5 million loyalty program members to a social network for advertising targeting purposes without valid consent. The decision was adopted in cooperation with 16 European counterparts because data relating to individuals from those countries was involved.
NEXPUBLICA France: EUR 1.7 Million (December 2025)
On December 22, 2025, the CNIL fined NEXPUBLICA France (formerly INETUM SOFTWARE FRANCE) EUR 1.7 million for failing to implement sufficient security measures in its PCRM social services software. Security flaws that exposed sensitive disability-related data had been identified in internal audit reports but were not corrected until after breaches occurred.
2026 Enforcement Actions
On January 13, 2026, the CNIL fined FREE Mobile and FREE a combined EUR 42 million (EUR 27 million and EUR 15 million respectively) after an attacker accessed personal data from 24 million subscriber contracts, including IBANs. Both companies had failed to implement adequate security measures. On January 22, 2026, France Travail (formerly Pôle Emploi) was fined EUR 5 million for failing to secure job seekers' data; the breach exposed data of all individuals registered over the past 20 years, including National Insurance numbers, addresses, and phone numbers.
Legal Bases and Consent Under GDPR
The GDPR requires that every processing activity rest on one of six lawful bases: consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interest. French organizations must identify and document the applicable basis for each processing activity before beginning.
Consent in France follows the GDPR standard: it must be freely given, specific, informed, and unambiguous. It cannot be inferred from silence, pre-checked boxes, or continued browsing. Consent must be as easy to withdraw as to give. Where legitimate interest is the chosen basis, the CNIL expects organizations to conduct and document a balancing test demonstrating that the interest outweighs the data subject's rights.
Special categories of data, including health, biometric, genetic, religious, political, and union membership data, require either explicit consent or one of the narrower derogations listed in Article 9 of the GDPR.
Data Subject Rights
French residents whose data is processed hold the full set of GDPR rights. They can request confirmation that their data is processed and access a copy (right of access). They can correct inaccurate data (right to rectification). They can request deletion in certain circumstances (right to erasure). They can restrict processing pending resolution of a dispute (right to restriction). They can receive their data in a portable format (right to data portability). They can object to processing based on legitimate interest or for direct marketing (right to object). They cannot be subject to fully automated decisions with significant effects without human review (rights regarding automated decision-making).
Organizations must respond to requests within one month. Extensions of two additional months are permitted for complex or high-volume requests, but the data subject must be notified within the first month.
Breach Notification Requirements
France follows the GDPR's breach notification framework, enforced by the CNIL.
Organizations must report a personal data breach to the CNIL within 72 hours of becoming aware of it, when the breach is likely to pose a risk to individuals' rights and freedoms. Notification is submitted through the CNIL's online portal. A personal data breach covers any event resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data, including cyberattacks, ransomware incidents, accidental exposure, and lost devices.
When a breach is likely to result in a high risk to the rights and freedoms of individuals, the organization must also inform affected data subjects without undue delay. The communication must describe the nature of the breach, provide contact details for the Data Protection Officer, describe the likely consequences, and outline the measures taken or proposed.
The 2026 fines against FREE and France Travail illustrate that the CNIL treats insufficient security as a standalone violation, separate from and in addition to the breach itself. Organizations that cannot demonstrate adequate preventive measures face penalties even when a breach results from an external attacker.
Data Protection Officer Requirements
The GDPR requires certain organizations to appoint a Data Protection Officer. In France, nearly 30,000 people serve as DPOs for approximately 80,000 organizations. The public administration, education, and healthcare sectors have the highest rates of DPO designation.
A DPO must be appointed when the organization is a public authority or body, when core activities involve large-scale systematic monitoring of individuals, or when core activities involve large-scale processing of special categories of data (health, biometric, genetic) or criminal conviction data.
DPOs must not receive instructions regarding the exercise of their tasks, must be involved in all data protection matters at an early stage, and must have adequate resources including access to training. The CNIL offers a voluntary certification scheme for DPO skills and knowledge, though certification is not required. DPO designations must be registered with the CNIL's online notification system.
Cookie and Tracking Technology Rules
France has become the focal point of cookie enforcement in Europe. The CNIL launched its cookie action plan in 2019, publishing guidelines and recommendations that set clear, specific expectations.

The Consent Standard
Under both the GDPR and France's transposition of the ePrivacy Directive (Article 82 of the Loi Informatique et Libertés), cookies and other tracking technologies require prior, informed, freely given consent before being placed on a user's device.
Refusing cookies must be as easy as accepting them. If a website provides a single-click "Accept All" button, it must also provide a single-click "Refuse All" button at the same level of the interface. Burying the refuse option behind additional clicks or in smaller text violates the requirement of freely given consent. Pre-checked consent boxes are invalid. Cookie walls that block access unless the user accepts all cookies are generally prohibited unless a genuine alternative is offered.
Essential vs. Non-Essential Cookies
Cookies strictly necessary for a service requested by the user do not require consent. All other cookies, including analytics, advertising, and social media tracking pixels, require consent unless they meet narrow exemptions. The CNIL provides specific guidance on audience measurement tools: first-party analytics configurations can qualify for a consent exemption if they meet strict data minimization and purpose limitation conditions.
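To make the consent standard above concrete, here is an added example, written for this guide rather than taken from the CNIL or from any site it has sanctioned, of a consent gate that refuses to write any non-essential cookie until a choice has been recorded, exposes accept-all and refuse-all as equally direct single calls, stores which version of the notice was shown and when, and deletes previously placed cookies when consent is withdrawn so they cannot keep being read. The cookie names, their categories and the notice version are constructed assumptions, and the cookie jar is an in-memory Map so the code runs under Node; a real page would back the jar with document.cookie instead.

```javascript
// Added example: a minimal cookie consent gate modelling the CNIL rules.
// Not code from the page, the CNIL, or any sanctioned site.

const NOTICE_VERSION = "2026-01-v3"; // constructed: version of the banner text shown

// Constructed cookie inventory: every cookie the site may set, with its category.
// Only "essential" (strictly necessary for the requested service) is exempt from consent.
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  _analytics: "analytics",
  _ads_id: "advertising",
  _social_px: "social",
};

// Every non-essential category, derived from the inventory.
const NON_ESSENTIAL = [...new Set(Object.values(COOKIE_CATEGORIES))]
  .filter((c) => c !== "essential");

class ConsentGate {
  // `jar` stands in for the browser cookie store; `now` is injectable for tests.
  constructor(jar = new Map(), now = () => new Date()) {
    this.jar = jar;      // cookie name -> value
    this.now = now;
    this.record = null;  // null means no choice has been made yet: nothing is granted
    this.log = [];       // append-only audit trail of every choice (proof of consent)
  }

  // Writes are gated: a non-essential cookie is refused until its category is granted.
  // Returns true if the cookie was written, false if blocked.
  setCookie(name, value) {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) throw new Error(`unclassified cookie: ${name}`);
    if (category !== "essential" && !this.isGranted(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  isGranted(category) {
    return this.record !== null && this.record.granted.includes(category);
  }

  // Accept and refuse are symmetric: one call each, no extra step to refuse.
  acceptAll() { return this.choose(NON_ESSENTIAL.slice()); }
  refuseAll() { return this.choose([]); }
  withdraw()  { return this.refuseAll(); }

  // Records the choice with the notice version and timestamp, then enforces it.
  choose(granted) {
    this.record = {
      noticeVersion: NOTICE_VERSION,
      timestamp: this.now().toISOString(),
      granted,
    };
    this.log.push(this.record);
    this.purgeRevoked();
    return this.record;
  }

  // Delete any non-essential cookie whose category is no longer granted, so a
  // withdrawn consent actually stops the cookie from being read.
  purgeRevoked() {
    for (const [name, category] of Object.entries(COOKIE_CATEGORIES)) {
      if (category !== "essential" && !this.isGranted(category)) this.jar.delete(name);
    }
  }
}

// Walks through the two situations the text describes: a tracker attempted
// before any choice, and a tracker placed after acceptance, then consent withdrawn.
function runScenario() {
  const gate = new ConsentGate(new Map(), () => new Date("2026-03-01T10:00:00Z"));
  const beforeChoice = gate.setCookie("_ads_id", "abc"); // blocked: no consent yet
  gate.setCookie("session_id", "s1");                     // allowed: essential
  gate.acceptAll();
  const afterAccept = gate.setCookie("_ads_id", "abc");   // allowed now
  gate.withdraw();                                        // must purge _ads_id
  return {
    beforeChoice,
    afterAccept,
    adsPresentAfterWithdraw: gate.jar.has("_ads_id"),
    sessionPresent: gate.jar.has("session_id"),
    entries: gate.log.length,
    lastNoticeVersion: gate.log[gate.log.length - 1].noticeVersion,
  };
}

console.log(runScenario());
```

The audit log keeps each choice with the notice version and timestamp, which is the record an organization would produce to show consent was obtained for a given banner text; the purge step on withdrawal is the behaviour whose absence the Orange decision sanctioned.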
Five-Plus Years of Cookie Enforcement
Between 2020 and 2025, the CNIL sanctioned dozens of organizations for cookie violations. The enforcement pattern is consistent: investigation, formal decision, public publication. The 2025 Google (EUR 325 million) and Shein (EUR 150 million) fines, combined with the 2024 Orange fine (EUR 50 million), confirm that cookie compliance remains the single largest enforcement priority for the CNIL.
French-Specific Provisions Beyond the GDPR
While the GDPR provides the core framework, France has used its national discretion to adopt several provisions that supplement or deepen the EU baseline.
Health Data and HDS Certification
France imposes strict requirements on health data processing. Organizations that host health data must use providers that hold Health Data Hosting (HDS) certification, administered by the Agence du Numérique en Santé. The HDS certification process, which replaced earlier authorization schemes in 2018, requires certified providers to meet specific technical and organizational standards. Non-French companies processing health data of French residents must use HDS-certified providers or demonstrate equivalent guarantees.
Digital Age of Consent: 15 Years
France set the digital age of consent at 15, using the GDPR's allowance for member states to set this threshold between 13 and 16. Children under 15 cannot independently consent to data processing by online services. The holder of parental authority must give consent jointly with the child. Children 15 and older can independently manage cookie preferences, social media privacy settings, and similar digital choices.
Post-Mortem Data Directives
France is one of the few countries that has legislated what happens to personal data after death. Article 85 of the Loi Informatique et Libertés allows individuals to define directives concerning the retention, deletion, and communication of their data after death. Directives can be general (registered with a CNIL-certified digital trusted third party) or specific (registered directly with a particular data controller). In the absence of directives, heirs may exercise the deceased's data rights. The CNIL's 10th Innovation and Foresight Report (2025), titled "Our Data After Us," explored the expanding implications of digital death.
Employee Privacy and Workplace Monitoring
France applies particularly strong protections to employee data. Continuous video surveillance of employees at their workstations is not justified even for accident prevention. Continuous GPS tracking of employee vehicles must allow employees to suspend tracking during break times. Monitoring systems that measure activity with excessive precision, as the Amazon France case demonstrated, violate the proportionality principle. In 2025, 16 organizations were sanctioned for non-compliant employee video surveillance, making workplace monitoring one of the CNIL's top enforcement priorities.
Cross-Border Data Transfers
As an EU member state, France applies the GDPR's framework for international data transfers. Personal data flows freely within the European Economic Area. Transfers outside the EEA require one of the following safeguards.
An adequacy decision by the European Commission confirms that the receiving country provides adequate protection. The EU-US Data Privacy Framework, adopted in July 2023, provides an adequacy basis for transfers to certified US companies. Standard Contractual Clauses (SCCs) approved by the European Commission are the most widely used mechanism for transfers to countries without adequacy decisions. Binding Corporate Rules (BCRs) serve intra-group transfers. Specific derogations, including explicit consent and contractual necessity, are available for limited circumstances.
Following the Schrems II ruling (CJEU, July 2020), organizations relying on SCCs or BCRs must conduct a Transfer Impact Assessment (TIA) to evaluate the level of protection in the destination country and determine whether supplementary measures are needed. The CNIL has published guidance on conducting TIAs and participates actively in EDPB working groups on transfer tools. The CNIL has also flagged specific concerns about US-based cloud services used by French public institutions, calling for additional contractual safeguards where adequacy cannot be presumed.
EU AI Act Overlay
The EU Artificial Intelligence Act (Regulation 2024/1689) was published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024. It applies in France in a staged rollout.
Prohibitions on AI practices presenting unacceptable risk, including real-time biometric identification in public spaces for law enforcement and social scoring systems, became effective on February 2, 2025. Governance rules and obligations for general-purpose AI (GPAI) models became applicable on August 2, 2025. Full applicability, including requirements for high-risk AI systems and transparency obligations, takes effect on August 2, 2026. A separate transition period until August 2028 applies to high-risk AI systems embedded in regulated products, following the Digital Omnibus AI Act simplification political agreement of May 7, 2026.
France's National Competent Authority Designation
Each member state must designate one or more national competent authorities to serve as market surveillance authorities under the AI Act by August 2, 2025. European data protection authorities, including the CNIL, have argued publicly that they should be designated for high-risk AI systems that process personal data, given their existing expertise in fundamental rights assessments.
The CNIL has been clear that GDPR requirements, including purpose limitation, data minimization, and the right to explanation of automated decisions, apply fully to AI systems processing personal data. Organizations deploying AI must conduct Data Protection Impact Assessments for high-risk uses and ensure meaningful human oversight of automated decision-making.
CNIL AI Recommendations and the PANAME Project
In 2024 and 2025, the CNIL finalized a series of recommendations on AI development under the GDPR. These cover lawful bases for training data, transparency obligations when personal data may be memorized by models, and data minimization requirements in machine learning pipelines. The CNIL acknowledged that the way training data disclosures are provided can be adapted based on risks and operational constraints.
The CNIL launched the PANAME project (Privacy Auditing of AI Models) in partnership with the French cybersecurity agency ANSSI. PANAME aims to create a software library that assesses whether a model processes personal data and provides concrete compliance tools for AI developers. Sector-specific guidance for education and healthcare AI is expected in 2025-2026 as part of the CNIL's 2025-2028 strategic plan.
Penalties and Enforcement Powers
Administrative Fines Under GDPR
For the most serious violations, including breaches of data processing principles, consent requirements, data subject rights, and international transfer rules, fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. For less severe violations, including failures in record-keeping, data processor obligations, or certification requirements, fines can reach EUR 10 million or 2% of global annual turnover.
Other Corrective Measures
Beyond fines, the CNIL regularly issues formal warnings, orders to comply within specified timeframes, temporary or permanent processing bans, orders to communicate breaches to data subjects, and injunctions with periodic penalty payments for ongoing non-compliance. The CNIL can also certify organizations and products, approve codes of conduct, and authorize binding corporate rules.
Criminal Penalties Under French Law
France's Penal Code provides criminal penalties for certain data protection violations. Unlawful processing of personal data can result in up to five years' imprisonment and a fine of EUR 300,000 for individuals. For legal entities, the fine can reach EUR 1.5 million. Criminal prosecutions are separate from CNIL administrative sanctions and can run concurrently.
Recent Developments (2024-2026)
France's data privacy landscape has moved quickly in the period since early 2024.
The CNIL's 2024 annual enforcement record confirmed that cookie refusal mechanisms remained the dominant complaint category, with 11 cookie-specific sanctions among the year's 87. The Orange fine (EUR 50 million) in November 2024 reinforced that email inbox advertising without consent is treated on par with cookie violations.
The 2025 enforcement total of EUR 486.8 million across 83 sanctions represents a step-change in the CNIL's willingness to impose nine-figure fines against major multinational companies. The Google and Shein decisions in September 2025 set new records for individual CNIL sanctions.
In December 2025, the CNIL extended its social-network-advertising-targeting enforcement to the loyalty sector, signaling that data sharing for advertising without valid consent will be pursued across industries, not only adtech platforms.
The 2026 FREE and France Travail fines in January confirmed that data security failures at scale attract substantial sanctions even when a breach results from an external attacker rather than deliberate mishandling.
On the legislative front, a decree modifying Decree 2019-536 was submitted to the CNIL for opinion in March 2025 (Délibération No. 2025-025), indicating continued evolution of the implementing rules. Organizations should monitor legifrance.gouv.fr and cnil.fr for updates to the application decree.
The EU AI Act's full applicability date of August 2, 2026 will bring new obligations for any French organization deploying high-risk AI systems, including requirements for conformity assessments, human oversight mechanisms, and registration in the EU AI database.
Business Compliance Checklist
Organizations that process personal data of individuals in France should address the following.

Establish a lawful basis for processing. Identify and document the legal ground for each processing activity, whether consent, contractual necessity, legal obligation, vital interest, public interest, or legitimate interest.
Implement compliant cookie consent. Deploy a consent mechanism that offers refuse and accept options with equal prominence. Do not deposit non-essential cookies before consent. Maintain records of consent, including which version of the notice was shown and when.
Appoint a DPO if required. Determine whether your organization must designate a Data Protection Officer and register the designation with the CNIL's notification system.
Conduct Data Protection Impact Assessments. For high-risk processing, including profiling, large-scale special category data, and systematic monitoring, complete a DPIA before beginning.
Prepare for breach notification. Establish internal procedures to detect, report, and investigate breaches within the 72-hour CNIL notification window. Maintain a breach register even for incidents not reported.
Address health data requirements. If processing health data of French residents, ensure hosting through an HDS-certified provider.
Secure international transfers. For data transfers outside the EEA, implement appropriate safeguards such as SCCs, conduct Transfer Impact Assessments, and document supplementary measures where needed.
Respect employee privacy. Limit workplace monitoring to proportionate measures, provide clear notice to employees, and avoid continuous surveillance.
Prepare for AI Act obligations. If deploying AI systems that process personal data, review the CNIL's AI recommendations, complete DPIAs for high-risk deployments, and track the August 2, 2026 full applicability date.
See also: France Recording Laws and the EU data privacy overview for related French and European legal context.
Frequently Asked Questions
What is the CNIL and what authority does it have in France?
The CNIL (Commission nationale de l'informatique et des libertés) is France's independent data protection authority, created in 1978 by the Loi Informatique et Libertés. It has broad powers to investigate data processing activities, conduct on-site inspections, impose fines of up to EUR 20 million or 4% of global annual turnover, issue injunctions, and order temporary or permanent processing bans. In 2025, the CNIL issued 83 sanctions totaling EUR 486.8 million, making it one of the most active data protection authorities in Europe.
How does French data privacy law differ from the standard GDPR?
France applies the GDPR directly but supplements it with national provisions under the Loi Informatique et Libertés. French-specific rules include a digital age of consent set at 15 (GDPR allows 13 to 16), mandatory Health Data Hosting certification for companies processing health data, post-mortem data directives that let individuals specify what happens to their data after death, and particularly strict rules on employee workplace monitoring. France also maintains criminal penalties for data protection violations, with up to five years' imprisonment and EUR 300,000 in fines.
What are France's cookie consent requirements?
France requires prior, informed, and freely given consent before placing non-essential cookies. Refusing cookies must be as easy as accepting them: a single-click refuse option must appear at the same level as the accept button. Pre-checked boxes and continued browsing do not constitute valid consent. Cookie walls are generally prohibited unless a genuine alternative exists. In 2025, the CNIL imposed EUR 325 million on Google and EUR 150 million on Shein for cookie violations, and EUR 50 million on Orange in late 2024.
What are the penalties for data privacy violations in France?
Administrative fines under GDPR reach EUR 20 million or 4% of global annual turnover for serious violations, and EUR 10 million or 2% for less severe breaches. The CNIL also issues injunctions, processing bans, and orders to notify individuals. France's Penal Code adds criminal penalties of up to five years' imprisonment and EUR 300,000 for individuals, or EUR 1.5 million for legal entities. For straightforward cases, the CNIL's simplified procedure can impose fines up to EUR 20,000 without a public hearing.
How does France handle data breach notification?
Organizations must notify the CNIL within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms. Notification is submitted through the CNIL's online portal. When the breach poses a high risk, affected data subjects must also be informed without undue delay. The CNIL treats inadequate security as a standalone violation: FREE was fined EUR 42 million and France Travail EUR 5 million in January 2026 for security failures that enabled breaches, not just for the breaches themselves.
How does the EU AI Act apply in France?
The EU AI Act entered into force on August 1, 2024. Prohibitions on the highest-risk AI practices applied from February 2025. Governance rules and general-purpose AI (GPAI) obligations applied from August 2025. Full applicability for high-risk AI systems is August 2, 2026. The CNIL is positioning itself as France's market surveillance authority for AI systems that process personal data and has published GDPR compliance recommendations for AI developers. Organizations deploying high-risk AI must complete Data Protection Impact Assessments and implement human oversight mechanisms.
What is France's digital age of consent?
France set the digital age of consent at 15 years, exercising the GDPR's option to allow member states to choose between 13 and 16. Children under 15 require joint consent from a parent or guardian and the child themselves for data processing by online services. Children 15 and older can independently consent to cookie settings, social media privacy choices, and similar digital data processing. The CNIL has published eight sets of recommendations specifically addressing children's digital rights.
What is Health Data Hosting (HDS) certification in France?
HDS certification is a mandatory requirement for organizations that host health data of French residents on behalf of health data processors. Administered by the Agence du Numérique en Santé, it replaced earlier authorization schemes in 2018. Certified providers must meet specific technical and organizational security standards. Non-French companies processing health data of French individuals must use HDS-certified providers or demonstrate equivalent guarantees. The certification registry is maintained by the Agence du Numérique en Santé.
Sources and References
- Loi Informatique et Libertés (Law 78-17 of January 6, 1978) - CNIL Overview (cnil.fr)
- Loi n° 78-17 du 6 janvier 1978 - Full Text on Legifrance (legifrance.gouv.fr)
- Decree No. 2019-536 of 29 May 2019 - Application Decree for Loi Informatique et Libertés (legifrance.gouv.fr)
- Conseil Constitutionnel Decision 2018-765 DC - Data Protection Law Constitutionality Review (conseil-constitutionnel.fr)
- CNIL - The French National Data Protection Framework (cnil.fr)
- CNIL - Sanctions and Corrective Measures: Actions in 2025 (cnil.fr)
- CNIL - Sanctions and Corrective Measures: Actions in 2024 (cnil.fr)
- Google Fined EUR 325 Million for Cookies and Email Advertising - CNIL (cnil.fr)
- Shein Fined EUR 150 Million for Cookie Consent Violations - CNIL (cnil.fr)
- Orange Fined EUR 50 Million for Email Advertising Without Consent - CNIL (cnil.fr)
- Criteo Fined EUR 40 Million for Personalized Advertising Violations - CNIL (cnil.fr)
- Amazon France Logistique Fined EUR 32 Million for Employee Monitoring - CNIL (cnil.fr)
- FREE Mobile and FREE Fined EUR 42 Million for Data Breach - CNIL (cnil.fr)
- France Travail Fined EUR 5 Million for Data Security Failure - CNIL (cnil.fr)
- NEXPUBLICA FRANCE Fined EUR 1.7 Million for Data Security Failures - CNIL (cnil.fr)
- Loyalty Programme Company Fined EUR 3.5 Million for Unlawful Social Network Data Transfer - CNIL (cnil.fr)
- CNIL Simplified Sanction Procedure - Overview (cnil.fr)
- CNIL Practice Guide - Security of Personal Data (2024 edition) (cnil.fr)
- CNIL Practical Guide for Data Protection Officers (cnil.fr)
- CNIL AI Recommendations for GDPR-Compliant AI Development (cnil.fr)
- EU AI Act Entry into Force - CNIL Questions and Answers (cnil.fr)
- CNIL Digital Rights of Children - Recommendations (cnil.fr)
- EU General Data Protection Regulation - Rules for Business (europa.eu)
- Article 85 - Loi Informatique et Libertés - Post-Mortem Data Directives (legifrance.gouv.fr)
- CNIL 10th Innovation Report - Our Data After Us (Digital Death) (cnil.fr)
- Council of the EU - AI Act Simplification Political Agreement (May 7, 2026) (consilium.europa.eu)