Skip to content
World Watch/France/Data & Privacy

Data & Privacy · France

Data protection & GDPR compliance in France (2026)

Comprehensive lawEU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) as implemented nationally by the Loi n° 78-17 du 6 janvier 1978 'Informatique et Libertés' (as recast by Ordonnance 2018-1125 and amended through Loi 2024-449), supervised by the Commission Nationale de l'Informatique et des Libertés (CNIL).Country index 90 · A+

France shaded by its data & privacy status

Data protection in France: comprehensive law, under EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) as implemented nationally by the Loi n° 78-17 du 6 janvier 1978 'Informatique et Libertés' (as recast by Ordonnance 2018-1125 and amended through Loi 2024-449), supervised by the Commission Nationale de l'Informatique et des Libertés (CNIL)..

France has a comprehensive personal-data protection regime built on the directly applicable EU GDPR, supplemented by its long-standing national law, the Loi Informatique et Libertés of 1978 (substantially recast in 2018-2019 to align with the GDPR and updated since). The independent supervisory authority is the CNIL, which enforces both the GDPR and national rules through investigations, formal notices, corrective orders and administrative fines.

GDPR & data protection in France

In France, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Commission Nationale de l'Informatique et des Libertés (CNIL).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Commission Nationale de l'Informatique et des Libertés (CNIL)
Applies to
any organisation processing the personal data of people in France, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; France supplements it with a national data-protection act and its own supervisory authority.

GDPR in France: FAQ

Does the GDPR apply in France?

Yes. As an EU/EEA member, France applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Commission Nationale de l'Informatique et des Libertés (CNIL).

Who enforces data protection law in France?

The Commission Nationale de l'Informatique et des Libertés (CNIL).

What are the GDPR fines in France?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in France?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in France?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive legal basis

Data protection rests on the directly-applicable GDPR plus the national Loi n° 78-17 of 6 January 1978 ('Informatique et Libertés'), which predates the GDPR and was recast to clarify and supplement it; the consolidated text is maintained on Légifrance and was last amended by Loi n° 2024-449 of 21 May 2024.

Supervisory authority (CNIL)

The Commission Nationale de l'Informatique et des Libertés, created in 1978, is France's independent administrative authority for data protection; it handles complaints, runs inspections, issues guidance and acts as the lead/competent supervisory authority for France under the GDPR.

Enforcement powers and fines

CNIL can issue warnings, formal notices, compliance orders, processing bans, and administrative fines up to €20 million or 4% of worldwide annual turnover under the GDPR; since December 2022 it can also use a 'simplified' sanction procedure for straightforward cases.

Recent enforcement scale

Enforcement has intensified sharply: in 2025 the CNIL issued 83 sanctions totalling roughly €486.8 million (cookies, employee monitoring and data security dominating), versus 87 sanctions for about €55.2 million in 2024.

Data-subject rights

Individuals enjoy the full set of GDPR rights, access, rectification, erasure, restriction, objection and data portability, and may contact the CNIL for assistance, for example where a controller has denied a right of access.

National specifics beyond the GDPR

The Loi Informatique et Libertés adds national rules on sensitive categories such as health and criminal-offence data, sets the digital-consent age for minors at 15, and includes provisions on 'digital death' (post-mortem instructions on personal data).

Timeline - major decisions & events

Jan 22, 2026enforcementofficial
CNIL fines France Travail €5 million over 43-million-record breach

The CNIL sanctioned the national employment agency France Travail (formerly Pôle Emploi) €5M for failing to secure job-seeker data after a 2024 breach exposed personal data of up to 43 million people. It shows continued aggressive enforcement of GDPR security obligations against public bodies.

CNIL
Jan 1, 2026enforcementofficial
CNIL's record 2025 enforcement year: 83 sanctions, €486 million

The CNIL reported 83 sanctions totalling roughly €487M in 2025, nearly nine times the 2024 total, driven by cookies, employee surveillance and data-security cases. It signals a sustained intensification of France's enforcement posture and 2026 priorities including generative AI and minors' data.

CNIL
Dec 22, 2025enforcementofficial
CNIL fines NEXPUBLICA France €1.7 million for data-security failures

The CNIL penalised NEXPUBLICA France €1,700,000 for failing to implement sufficient security measures in its PCRM software. The case reinforces that Article 32 GDPR security duties are a primary enforcement target.

CNIL
Jan 23, 2024enforcementofficial
CNIL fines Amazon France Logistique €32 million for intrusive employee monitoring

Following a 27 December 2023 decision, the CNIL announced a €32M fine over a scanner-based system that tracked warehouse workers' productivity and inactivity in excessive detail, plus inadequate video surveillance. A landmark on the limits of workplace surveillance under GDPR.

CNIL
Oct 17, 2022enforcementofficial
CNIL fines Clearview AI €20 million over facial recognition

The CNIL imposed its maximum penalty on Clearview AI for unlawfully processing biometric data scraped from the web without a legal basis and ignoring data-subject rights, ordering it to stop collecting and to delete French residents' data. A defining European stance on facial-recognition scraping.

CNIL
Dec 10, 2020enforcementofficial
CNIL fines Google €100M and Amazon €35M over cookies

The CNIL issued then-record fines totalling €135M for placing advertising cookies without prior consent and without adequate information, applying France's ePrivacy/cookie rules. It cemented strict French cookie-consent enforcement, later upheld by the Council of State.

CNIL
Jan 21, 2019enforcementofficial
CNIL fines Google €50 million, first major GDPR sanction

Acting on complaints from NOYB and La Quadrature du Net, the CNIL's restricted committee fined Google LLC €50M for lack of transparency, inadequate information and invalid consent for ad personalisation. It was the first multi-million-euro GDPR fine in Europe.

EDPB / CNIL
Jun 20, 2018lawofficial
Law No. 2018-493 adapts French law to the GDPR

France enacted Law No. 2018-493 to align the 1978 Data Protection Act with the GDPR and transpose Directive 2016/680 for criminal-justice processing, strengthening the CNIL and setting national rules for sensitive data. The Act was later recodified by Ordinance 2018-1125 (in force 1 June 2019).

Vie-publique (Gouvernement)
May 25, 2018lawofficial
GDPR becomes directly applicable in France

EU Regulation 2016/679 took effect across all member states, becoming the directly applicable backbone of French data protection and supervised domestically by the CNIL. It introduced turnover-based fines, breach notification and strengthened data-subject rights.

EUR-Lex (EU)
Jan 6, 1978lawofficial
Loi Informatique et Libertés creates the CNIL

Prompted by the SAFARI file-interconnection scandal, France enacted Law No. 78-17, one of the world's first data-protection laws, and created the CNIL as its first independent administrative authority. It remains the foundation of French data protection and influenced the later GDPR.

Légifrance

France - other topics

Data & Privacy in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →