The year 2024 marked an intensification of the CNIL’s actions in response to the accelerating pace of digital transformations. From the rise of mobile applications and the deployment of artificial intelligence to the surge in personal data breaches and the evolution of public space usage, data protection challenges are multiplying. To address them, the authority published new practical guides, strengthened its cooperation with other institutions, and increased its number of inspections and sanctions. Here’s a look back at the year’s key priorities and the tools made available to both public and private stakeholders.
Support in line with sectoral and technological developments
Mobile applications: recommendations to better protect privacy
In 2023, the French downloaded an average of 30 applications to communicate, be entertained, get around, shop, and for many other purposes. One clear finding emerged: the mobile environment presents greater risks to data protection than the web. Applications have access to a wider and sometimes more sensitive range of personal information, such as real-time location, photos, or health data. Additionally, many actors are involved in the functioning of these apps, potentially increasing the number of people with access to users’ data.
Following a broad public consultation and cooperation with the Competition Authority, the CNIL ultimately published a set of recommendations. These are aimed at the entire ecosystem — app publishers, developers, and various service providers.
Video surveillance: a guide for the deployment of security cameras
A l’occasion du Salon des maires 2024, la CNIL et l’Association des maires de France ont publié un guide commun pour aiguiller les collectivités territoriales dans la mise en place de dispositifs vidéo conforme à la règlementation relative à la protection des données.
Ont également été publiées ou mises à jour certaines fiches pratiques sur le déploiement de dispositif vidéo dans l’espace public, notamment sur les caméras augmentées, la vidéo-verbalisation ou encore l’interdiction de la captation sonore.
A stepped-up repressive action
A new record number of complaints
The number of complaints received by the CNIL rose by more than 8% compared to 2023, increasing from 16,443 to 17,772. For the third consecutive year, the CNIL managed to process as many complaints as it received.
To achieve this, the CNIL first conducts a preliminary review of each complaint to determine whether it has jurisdiction to act and whether the information provided is sufficiently detailed. If the complaints are deemed admissible and include supporting evidence such as screenshots, the data protection authority may, depending on the nature and severity of the case, decide either to remind the organization concerned of the applicable regulations or to carry out more in-depth investigations. Where appropriate, a formal order to end the breach or a sanction may be imposed.
A number of sanctions that more than doubled
The year 2024 saw a significant increase in the overall corrective measures issued by the CNIL. The number of sanctions more than doubled. Warnings and reminders of legal obligations, on the other hand, have been steadily rising.
In total, there were 331 corrective measures, including 87 sanctions, 180 warnings, and 64 reminders of legal obligations issued by the President. Of the total number of sanctions, 69 were issued following a simplified procedure, nearly three times as many as in 2023. Common issues cited include: failure to cooperate with the CNIL (for 27 organizations), non-compliance with individuals’ rights (23), failure to minimize data (10), and security-related data breaches (11).
It is worth noting that more than half of the cases that resulted in sanctions originated from a complaint.
The necessary regulation of AI and algorithms
Given the extremely large number of systems relying on the use of personal data, the CNIL is actively preparing to be designated as the national market surveillance authority. Each member state is required to designate one by August 2, 2025, to ensure proper coordination between the various national authorities. The CNIL has already launched an action plan to assist companies developing AI systems in the proper application of the GDPR.
Additionally, the CNIL has published 12 practical guides to regulate the development of AI systems, following requests from numerous field actors who raised concerns about the application of the GDPR. The guides provide concrete answers, illustrated with examples, to the legal and technical issues related to the application of the GDPR to AI. For instance, they include guides to help determine the applicable legal framework, purpose, and legal basis.
Digital education and the protection of minors
The protection of minors is one of the key areas of the CNIL’s 2025-2028 strategic plan. Several partnerships have been established to address minors and their families.
In particular, the CNIL supports and participates in events and initiatives organized by the Ministry of National Education regarding digital education. It conducts sessions in classrooms across the country to promote a citizen-based culture of digital usage, raise awareness of the rights and responsibilities related to internet use, and explain how to protect privacy online.
Beyond initiatives aimed at raising awareness among minors and their families, the CNIL has reached out to all audiences, especially those most struggling with digital issues. Intergenerational workshops on data protection and sessions for people with disabilities have been organized with this goal in mind.
Data security in the face of increasingly high risks
2024 has been marked by not only a higher number of data breaches but also an unprecedented scale, leading to the theft of data from millions of French citizens. Indeed, the CNIL was notified of 5,629 data breaches, which is a 20% increase compared to 2023. More concerning, however, is that the number of breaches affecting more than one million people has doubled in a year, rising from around twenty to forty successful attacks.
All sectors are affected. In response to this challenge, the CNIL has made cybersecurity one of the major focuses of its 2025-2028 strategic plan. In practice, its efforts are reflected in supporting organizations, conducting inspections, and raising awareness.
Strengthened cooperation in France, Europe, and internationally
At both the national and international levels, the CNIL has intensified its partnerships throughout the year. It signed an agreement with Arcom and the DGCCRF to clarify the cooperation modalities between the three authorities in the implementation of the Digital Services Act (DSA). This agreement allows for better coordination of regulatory actions concerning digital platforms, with a focus on complementing each authority’s competencies.
The CNIL also renewed its partnership with the Départements de France association. This renewal, planned for the 2024-2027 period, is based on two key priorities: promoting data flow within local authorities and supporting the use of artificial intelligence in local public services, ensuring that projects comply with data protection rules.
At the European level, the CNIL continued its active involvement in the European Data Protection Board (EDPB), contributing to the harmonization of practices between national authorities. It notably participated in discussions about the “pay or consent” business model, within the context of opinion requests made by several authorities, strengthening cooperation on this sensitive issue.
Finally, this dynamic of European collaboration was reflected in significant sanctions. The CNIL worked closely with its Dutch counterpart in a joint procedure against Uber B.V., which was fined €290 million for non-compliant data transfers. This joint effort illustrates the effectiveness of the cooperation mechanisms established by the GDPR across the European Union.
For more information on data protection obligations or to receive personalized support, feel free to visit our website or contact us.