Data protection & privacy laws in France (2026)
France has a comprehensive personal-data protection regime built on the directly applicable EU GDPR, supplemented by its long-standing national law, the Loi Informatique et Libertés of 1978 (substantially recast in 2018-2019 to align with the GDPR and updated since). The independent supervisory authority is the CNIL, which enforces both the GDPR and national rules through investigations, formal notices, corrective orders and administrative fines.
Key points
Data protection rests on the directly applicable GDPR plus the national Loi n° 78-17 of 6 January 1978 ('Informatique et Libertés'), which predates the GDPR and was recast to clarify and supplement it; the consolidated text is maintained on Légifrance and was last amended by Loi n° 2024-449 of 21 May 2024.
The Commission Nationale de l'Informatique et des Libertés, created in 1978, is France's independent administrative authority for data protection; it handles complaints, runs inspections, issues guidance and acts as the lead/competent supervisory authority for France under the GDPR.
CNIL can issue warnings, formal notices, compliance orders, processing bans, and administrative fines up to €20 million or 4% of worldwide annual turnover under the GDPR; since December 2022 it can also use a 'simplified' sanction procedure for straightforward cases.
Enforcement has intensified sharply: in 2025 the CNIL issued 83 sanctions totalling roughly €486.8 million (cookies, employee monitoring and data security dominating), versus 87 sanctions for about €55.2 million in 2024.
Individuals enjoy the full set of GDPR rights — access, rectification, erasure, restriction, objection and data portability — and may contact the CNIL for assistance, for example where a controller has denied a right of access.
The Loi Informatique et Libertés adds national rules on sensitive categories such as health and criminal-offence data, sets the digital-consent age for minors at 15, and includes provisions on 'digital death' (post-mortem instructions on personal data).
Timeline - major decisions & events
The CNIL sanctioned the national employment agency France Travail (formerly Pôle Emploi) €5M for failing to secure job-seeker data after a 2024 breach exposed personal data of up to 43 million people. It shows continued aggressive enforcement of GDPR security obligations against public bodies. (Source: CNIL)
The CNIL reported 83 sanctions totalling roughly €487M in 2025, nearly nine times the 2024 total, driven by cookies, employee surveillance and data-security cases. It signals a sustained intensification of France's enforcement posture and 2026 priorities including generative AI and minors' data. (Source: CNIL)
The CNIL penalised NEXPUBLICA France €1,700,000 for failing to implement sufficient security measures in its PCRM software. The case reinforces that Article 32 GDPR security duties are a primary enforcement target. (Source: CNIL)
Following a 27 December 2023 decision, the CNIL announced a €32M fine over a scanner-based system that tracked warehouse workers' productivity and inactivity in excessive detail, plus inadequate video surveillance. A landmark on the limits of workplace surveillance under GDPR. (Source: CNIL)
The CNIL imposed its maximum penalty on Clearview AI for unlawfully processing biometric data scraped from the web without a legal basis and ignoring data-subject rights, ordering it to stop collecting and to delete French residents' data. A defining European stance on facial-recognition scraping. (Source: CNIL)
The CNIL issued then-record fines totalling €135M for placing advertising cookies without prior consent and without adequate information, applying France's ePrivacy/cookie rules. It cemented strict French cookie-consent enforcement, later upheld by the Council of State. (Source: CNIL)
Acting on complaints from NOYB and La Quadrature du Net, the CNIL's restricted committee fined Google LLC €50M for lack of transparency, inadequate information and invalid consent for ad personalisation. It was the first multi-million-euro GDPR fine in Europe. (Source: EDPB / CNIL)
France enacted Law No. 2018-493 to align the 1978 Data Protection Act with the GDPR and transpose Directive 2016/680 for criminal-justice processing, strengthening the CNIL and setting national rules for sensitive data. The Act was later recodified by Ordinance 2018-1125 (in force 1 June 2019). (Source: Vie-publique (Gouvernement))
EU Regulation 2016/679 took effect across all member states, becoming the directly applicable backbone of French data protection and supervised domestically by the CNIL. It introduced turnover-based fines, breach notification and strengthened data-subject rights. (Source: EUR-Lex (EU))
Prompted by the SAFARI file-interconnection scandal, France enacted Law No. 78-17, one of the world's first data-protection laws, and created the CNIL as its first independent administrative authority. It remains the foundation of French data protection and influenced the later GDPR. (Source: Légifrance)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.