The CNIL published guidance on May 28, 2026, clarifying the roles of cloud actors (data controller, joint controller, processor) under GDPR. This affects how cloud contracts and compliance documentation should be structured, with emphasis on case-by-case analysis.
The French data protection authority (CNIL) fined IQVIA OPERATIONS FRANCE €5 million for non-compliance with authorization conditions for health data warehouses, including inadequate transparency, data subject rights, and security measures. The data was deemed pseudonymous, not anonymous, highlighting re-identification risks. CNIL issued injunctions to remedy violations within six months, with daily penalties of €10,000 for non-compliance.
The French CNIL has updated reference methodologies MR-001 and MR-003 for health research, effective May 23, 2026. The updates expand scope to studies abroad, introduce new security annexes, and require multi-factor authentication by January 1, 2027. Organizations conducting health research involving residents in France or abroad must comply.
The CNIL's 2025 annual report shows record fines of €487 million and increased enforcement actions, signaling heightened GDPR scrutiny in France. The authority is also actively preparing for EU AI Act enforcement, requiring companies to strengthen data protection and AI compliance.
France requires certain organizations to conduct carbon accounting under the Bilan Carbone framework, covering Scope 1, 2, and 3 emissions. Companies must comply with French law and align reporting with international standards like the GHG Protocol.
The French CNIL released new recommendations on using personal data for creditworthiness assessment, replacing the former AU-005 authorization. The guidance emphasizes data minimization, transparency, and conditions for fully automated credit decisions, following CJEU rulings.
The French CNIL published recommendations in May 2026 requiring credit professionals to limit data collection, allow masking of non-essential data, and provide transparency on automated decision-making and scoring. This reinforces GDPR principles in the credit sector.
France has published a roadmap to end coal by 2030, oil by 2045, and natural gas by 2050, with interim targets including 66% electric car sales by 2030 and a ban on gas boilers in new buildings by 2026. Companies in energy, transport, and construction sectors must align with these decarbonization goals.
The CNIL has approved a GDPR code of conduct for French clothing and footwear retailers, covering data protection obligations for customer data in-store and online. Adherents must comply with the code and undergo verification by an approved control body.
The French data protection authority (CNIL) updated its recommendation on electronic voting security, introducing revised risk levels, new transparency requirements (publication of technical specs and source code), and technology-neutral security objectives. Public and private entities using electronic voting systems must comply with the updated framework.
French police arrested a suspected hacker responsible for approximately 100 data breaches targeting public institutions and private organizations, including the French Ministry of National Education, where 243,000 employee records were exposed. This enforcement action highlights active cybersecurity investigations and emphasizes the importance of data protection compliance under GDPR. Organizations must ensure robust security measures and timely breach notifications to avoid regulatory scrutiny.
French authorities are conducting a criminal investigation into X (formerly Twitter) for alleged production and distribution of child sexual abuse material involving AI-generated content. The case focuses on compliance with French law and involves international cooperation with U.S. and European prosecutors, signaling increased enforcement of AI governance and content moderation regulations.
The French data protection authority (CNIL) has issued new guidance on political targeting regulations for the 2026 municipal elections, addressing voter data protection and consent requirements. This webinar clarifies compliance obligations under existing transparency and targeting regulations, signaling increased enforcement focus on electoral data practices.
A French court has convicted Lafarge and sentenced former executives to jail for financing terrorism and violating sanctions through payments to the Islamic State in Syria. This enforcement action signals heightened scrutiny of corporate compliance with anti-terrorism financing laws and sanctions regimes, particularly for companies operating in high-risk regions. The ruling emphasizes the need for robust internal controls and due diligence to prevent such violations.
The French Data Protection Authority (CNIL) has published its plenary session agenda for April 16, 2026, detailing several regulatory items under review. These include recommendations on connected vehicle location data, opinions on decrees for traffic enforcement and military data processing, and guidance on soft law approaches, all shaping data protection compliance in France under the GDPR framework.
French Finance Minister Roland Lescure has called for increased development of euro-denominated stablecoins and tokenized deposits by EU banks, marking a significant policy shift from previous skepticism. This signals government support for European alternatives to counter U.S. dominance in digital payments, with endorsement of the Qivalis consortium's euro-pegged stablecoin planned for 2026.
The French data protection authority (CNIL) has published final binding recommendations clarifying legal requirements for tracking pixels in emails under French data protection law. The guidance distinguishes between pixels requiring user consent and exempt cases, providing practical compliance guidance for organizations using email tracking technology.
The French data protection authority (CNIL) issued recommendations in April 2026 to improve transparency and user control over tracking pixels in emails. These invisible files collect data on email opens, timing, devices, and location, and their use requires clear information and explicit consent for marketing uses. Organizations must ensure compliance with data protection laws, particularly for marketing activities where consent is mandatory.
The French data protection authority (CNIL) has published details of enforcement actions from 2025-2026, imposing significant fines up to €27 million for GDPR violations. This demonstrates active regulatory scrutiny across multiple sectors and highlights common compliance failures including data security deficiencies, breach notification violations, and inadequate data subject rights handling.
The French data protection authority (CNIL) has published its enforcement report for the 2026 municipal elections, marking the first application of new political advertising transparency regulations effective October 2025. CNIL processed 81 complaints, conducted four investigations, and initiated one sanction procedure against a candidate for non-compliance with data subject rights, signaling active enforcement of GDPR-based political communication rules.