Data & Privacy - France

Data protection rests on the directly-applicable GDPR plus the national Loi n° 78-17 of 6 January 1978 ('Informatique et Libertés'), which predates the GDPR and was recast to clarify and supplement it; the consolidated text is maintained on Légifrance and was last amended by Loi n° 2024-449 of 21 May 2024.

The Commission Nationale de l'Informatique et des Libertés, created in 1978, is France's independent administrative authority for data protection; it handles complaints, runs inspections, issues guidance and acts as the lead/competent supervisory authority for France under the GDPR.

CNIL can issue warnings, formal notices, compliance orders, processing bans, and administrative fines up to €20 million or 4% of worldwide annual turnover under the GDPR; since December 2022 it can also use a 'simplified' sanction procedure for straightforward cases.

Enforcement has intensified sharply: in 2025 the CNIL issued 83 sanctions totalling roughly €486.8 million (cookies, employee monitoring and data security dominating), versus 87 sanctions for about €55.2 million in 2024.

Individuals enjoy the full set of GDPR rights — access, rectification, erasure, restriction, objection and data portability — and may contact the CNIL for assistance, for example where a controller has denied a right of access.

The Loi Informatique et Libertés adds national rules on sensitive categories such as health and criminal-offence data, sets the digital-consent age for minors at 15, and includes provisions on 'digital death' (post-mortem instructions on personal data).