GDPR Enforcement in France
Deep dive into relevant data protection enforcement cases and insights from France

Fining practice
Trend: Have the national data protection authorities in France focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The French data protection authority (the “Commission nationale de l’informatique et des libertés” or the “CNIL”) does not make statements on the types of non-compliance it investigates. It could be said that, until now, the CNIL has focused its investigations on essential obligations, such as the legal bases for data processing (Articles 5, 6 GDPR) or security requirements (Article 32 GDPR).
All sectors are affected by the CNIL’s investigations.
Each year, the CNIL focuses a part of its investigations on certain specific sectors and themes.
For 2024, the CNIL’s enforcement actions focused on health data protection, data processing related to commercial prospecting, data relating to minors, data processing related to dematerialised sales receipts and loyalty programs and data subjects’ right of access.
In 2025, the CNIL announced that its enforcement actions will focus on:
- data collected through mobile applications,
- cybersecurity measures taken by local authorities,
- data processing by the prison administration,
- data subjects’ right to erasure.
In past years, the enforcement actions performed by the CNIL and its sanctions have mostly concerned the following sectors/areas: advertising and e-commerce, security, vehicle geolocation, employee rights and health data processing.
In 2024:
- 87 sanctions were imposed by the CNIL, for a total of EUR 55,212,400. Among these 87 sanctions: 27 of them involved the failure to cooperate with the CNIL; 12 European decisions were studied by the CNIL; and 7 decisions were published in cooperation with the CNIL’s European counterparts.
- 180 formal notices have been issued by the CNIL. These formal notices also concerned a variety of sectors and issues, which overlap with those addressed in sanction procedures, such as video surveillance of employees in their workplace and the security measures implemented to protect personal data. Some of these formal notices specifically targeted the healthcare sector, particularly professionals using electronic health records (EHRs). The CNIL emphasised that these records, which primarily contain sensitive medical information, must be strictly protected to ensure that only authorised individuals can access them. Furthermore, the failure to respond to individuals’ requests to exercise their rights was a key focus. Numerous organisations were formally instructed to respond to requests for data access, rectification or erasure, with the CNIL initiating simplified sanction procedures against several non-compliant entities.
The year 2024 saw a further expansion of the simplified sanction procedure. 69 sanctions were issued, nearly three times more than in 2023. These sanctions included 50 fines, 12 fines accompanied by injunctions and 6 penalty payments, amounting to a total of EUR 715,500, along with a formal warning.
As with the previous year, the most frequently cited violation under the simplified procedure was the failure to cooperate with the CNIL, affecting 27 organisations – including companies and independent professionals – that failed to respond to the authority’s requests.
The second most common violation was non-compliance with data subjects’ rights, with 23 decisions addressing failures to honour requests for data erasure, rectification or access – 16 of which specifically concerned access requests.
Overall, what was the most significant fine in France to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The highest GDPR fine in France to date was imposed on GOOGLE LLC and GOOGLE IRELAND LIMITED on 31 December 2021 for a total amount of EUR 150 million (EUR 90 million on GOOGLE LLC and EUR 60 million on GOOGLE IRELAND LIMITED).
The CNIL considered that the sites “google.fr” and “youtube.com” did not allow cookies to be rejected as easily as they could be accepted. According to the CNIL, an internet user was required to click on “Manage data settings” to reject cookies, thus biasing user consent.
Organisation of authorities and course of fine proceedings in France
How is the data protection authority organised in France? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The CNIL is an independent administrative authority; it reports neither to the Government nor to a specific ministry. It is composed of 298 staff members and a College of 18 members, composed of:
- 4 members of Parliament (2 deputies, 2 senators).
- 2 members of the Economic, Social and Environmental Council.
- 6 representatives of the highest courts (2 Counsels from the Conseil d’Etat, 2 Counsels from the Cour de Cassation, 2 Counsels from the Cour des Comptes).
- 5 qualified persons appointed by the President of the National Assembly (1 person), the President of the Senate (1 person) and the Council of Ministers (3 persons).
- The President of the CADA (Commission for Access to Administrative Documents).
The CNIL has an annual budget of EUR 28 million [1].
How does a fine procedure work in France? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Fines may be directly imposed by the CNIL as part of administrative proceedings.
- Following inspections or complaints, in the event of non-compliance with the provisions of the GDPR or the French Data Protection Act, the CNIL may impose sanctions on companies which do not comply with these legal provisions.
- The CNIL may impose a fine without providing a prior notice on compliance.
- If the CNIL decides to initiate fine proceedings following audits or inspections, the company shall be notified to this effect. A report proposing the imposition of an enforcement measure shall be sent to the company, and the company may submit its observations to the CNIL.
- The fines may be made public or not.
- Companies are able to appeal decisions before the Council of State (Conseil d’Etat) within two months following the notification date of the decision made by the CNIL.
As of 2022, a major reform of the CNIL’s corrective measures has been carried out, leading to the adoption of the first sanctions under simplified sanction proceedings for cases of lower complexity. The maximum amount of a penalty imposed under this procedure is EUR 20,000. The fines imposed to date range between EUR 5,000 and EUR 20,000, half of which were imposed for injunctions under penalty (i.e., financial penalties for late compliance). They target various actors (for example, a university and doctors). They also deal with a variety of issues and concern the use of administrative files for political communication purposes, video surveillance of employees, disregard of data subjects’ rights or failure to cooperate with the CNIL [2].
When fines are imposed by the data protection authority: Where does the money go (e.g., the state treasury, the authority's budget)?
The CNIL does not collect fine amounts; these are paid directly into the state treasury.
Is there a common, official calculation methodology for fines in France (such as the fining models in the Netherlands or Germany)?
There is no common, official calculation methodology for fines. Fines are calculated in light of the criteria mentioned in Article 83(5) and (6) of the GDPR.
Can public authorities be fined in France? If they can: Where does this money go?
Enforcement action may be taken against public authorities, but no administrative fines may be imposed for the processing of personal data carried out by the State.
In France, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
The CNIL does not publish all imposed fines pending proceedings or investigations. The CNIL decides, taking into consideration the facts and violations, whether or not to publish its decisions or enforcement actions.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
Each year, the CNIL publishes an activity report in which it details all key numbers.
For 2024 [3]:
- The CNIL conducted 331 investigations.
- The CNIL issued 87 penalties including 75 fines totalling EUR 55,212,400; 14 of which were associated with injunctions subject to financial penalty and 8 liquidations under penalty.
- The CNIL issued 180 orders to comply.
- The CNIL issued 4 reminders.
For 2023 [4]:
- The CNIL conducted 340 investigations.
- The CNIL issued 42 penalties including 36 fines totalling EUR 89,179,500; 14 of which were associated with injunctions subject to financial penalty and 2 liquidations under penalty.
- The CNIL issued 168 orders to comply.
- The CNIL issued 4 reminders.
For 2022 [5]:
- The CNIL conducted 345 investigations.
- The CNIL issued 21 penalties including 19 fines totalling EUR 101,277,900; 7 of which were associated with injunctions subject to financial penalty and 2 liquidations under penalty.
- The CNIL issued 147 orders to comply.
- The CNIL issued 29 reminders.
For 2021 [6]:
- The CNIL conducted 384 investigations.
- The CNIL issued 18 penalties including 15 fines totalling EUR 214,106,000; 5 of which were associated with injunctions subject to financial penalty.
- The CNIL issued 135 orders to comply, including 2 public notices.
- The CNIL issued 45 reminders.
For 2020 [7]:
- The CNIL conducted 247 investigations.
- The CNIL issued 14 penalties including 11 fines totalling EUR 138,489,300 and one injunction under penalty not associated with a fine.
- The CNIL issued 49 orders to comply including 3 public notices and 4 in cooperation with other European data protection authorities.
- The CNIL issued 38 reminders and 2 warnings, notably following complaints.
For 2019 [8]:
- The CNIL conducted 300 investigations.
- The CNIL’s restricted committee issued 8 penalties including 7 fines totalling EUR 51,370,000 and 5 injunctions.
- The CNIL issued 42 orders to comply, including 2 public notices.
- The CNIL issued 2 reminders and 2 warnings.
The CNIL also provides aggregate sets of data (open data) on its activity including fines from earlier periods.
Other legal consequences of non-compliance in France
Does France have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
Yes, several data subjects placed in similar situations and affected by damages resulting from a breach of data protection laws may file a complaint against the same data controller or data processor. A class action (“action de groupe”) may be filed before civil or administrative courts (Article 37 II of the French Data Protection Act).
A class action can only be filed by:
- associations with activities in the field of privacy and data protection for at least five years,
- accredited consumer associations that are representative at the national level,
- trade unions.
There have been very few class actions to date, most of these being against major tech companies.
What is more relevant in France: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
To date, fines from data protection authorities are much more prevalent than claims for damages or injunctions, which are very rare in practice.