CNIL: towards a sustained intensification of its sanctions policy?
The decisions handed down by the CNIL between November 2025 and February 2026 reflect a clear shift in the exercise of its enforcement powers. It is no longer just a matter of guiding economic actors toward compliance, but of demanding effective, structured, and demonstrable compliance.
The amounts of the penalties, the precision of the breaches identified, and the deliberate publicity given to the decisions confirm a change of pace. The CNIL no longer penalizes only isolated incidents; it examines the maturity of the systems and processes put in place by the entities concerned.
Data security at the heart of control (Article 32 GDPR)
The France Travail case illustrates this centrality of security well. In November 2025 the authority imposed a fine of €5 million following an intrusion that relied on social engineering. The attackers exploited organizational weaknesses and insufficient authentication mechanisms to gain access to a massive volume of data. The breach found was of Article 32 of the GDPR, which requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
In its decisions concerning Free Mobile (€27 million) and Free (€15 million), the CNIL adopted a systemic approach. It noted not only security failures (insufficiently robust VPN authentication, ineffective detection of abnormal behaviour) and excessive data retention contrary to Article 5-1, but also a failure to inform individuals in accordance with Article 34 of the GDPR, which requires the controller to communicate a breach directly to the data subjects when it is likely to result in a high risk to their rights and freedoms. The authority no longer limits itself to recording the breach; it assesses the whole governance architecture, from risk prevention to post-incident management.
Security thus becomes an indicator of organizational maturity. Article 32 is no longer read as an abstract obligation of means, but as a concrete requirement, assessed in light of the state of the art, the sensitivity of the data and the volume involved (the article itself also lists the cost of implementation and the nature, scope, context and purposes of the processing among the factors to weigh).
The NEXPUBLICA case: software publishers as legal entities in their own right
The decision handed down in January 2026 against NEXPUBLICA (€1.7 million) is particularly instructive. The company developed software used in particular by MDPHs (local disability centers). Vulnerabilities had been identified by internal audits, but the fixes had not been implemented before the data breaches occurred. The CNIL found a breach of Article 32 of the GDPR, considering that the flaws were due to a lack of knowledge of the state of the art and basic security principles.
The key point of this decision lies in the choice of the recipient of the sanction. The CNIL did not turn to the MDPHs using the software, but to the publisher itself. This position is legally justified by Articles 28 and 32 of the GDPR. The processor is required to provide sufficient security guarantees and must implement appropriate measures. When the publisher controls the technical architecture of the processing and determines the security measures integrated into the software, its responsibility cannot be diluted.
The software publisher is therefore not simply a neutral technical service provider. It is a legal entity in the processing chain, fully subject to the obligations of the GDPR. This approach reinforces the responsibility of technology players in the digital ecosystem.
The sanction imposed on MOBIUS SOLUTIONS LTD in February 2026, a fine of €1 million in a case involving DEEZER, confirms this trend. The processor had retained data after the end of the contract, used it outside the instructions of the controller, and had not kept records of processing activities in accordance with Article 30 of the GDPR. Breaches of Articles 28-3 and 29 were expressly upheld.
This decision marks the end of a form of indirect irresponsibility. The processor can no longer hide behind the controller. The principle of accountability, enshrined in Article 5-2, applies to each actor. The contractual chain does not mitigate responsibility; it structures it.
Data retention: an independent breach
Several recent decisions also show that excessive data retention now constitutes an independent basis for sanctions. Article 5-1 imposes a limitation on the retention period to what is strictly necessary for the purposes pursued. In the Free case, in December 2025, the CNIL expressly noted the lack of sorting and the retention of millions of data items beyond the justified periods. This point is essential. The volume of data retained may become an aggravating factor in assessing the amount of the fine. The governance of retention periods is no longer a mere documentary formality; it is becoming an indicator of risk control.
A strategic turning point as the AI regulation approaches
With the full application of the European regulation on artificial intelligence approaching on 2 August 2026, this intensification of control is unlikely to be an isolated case. The requirements we see today in terms of security, documentation, traceability and subcontractor management foreshadow those that will shape the regulation of AI systems.
Similar measures are likely to follow in other jurisdictions; the intensification of controls in the United States and China also points towards tighter regulation of AI systems.
The CNIL thus appears to be placing its actions within a broader framework of digital systems governance. Compliance is no longer limited to formal adherence to the text. It requires an internal organisation capable of identifying risks, documenting them, testing the measures that address them, and demonstrating the robustness of those measures.
What these decisions mean for organisations
The change observed is both quantitative and qualitative. The amounts are increasing, but above all, the analysis is becoming more structured and more demanding. The CNIL no longer only penalises isolated incidents; it assesses the overall consistency of the compliance system.
The question for organisations is no longer whether they will be inspected. It is whether they are able to prove, in a documented and operational manner, that their data governance complies with the requirements of the GDPR.
Data Privacy Professional supports you in your GDPR compliance as an external DPO.
