The CNIL published its annual report on 18 May 2026.
The message is clear: oversight is intensifying, penalties are reaching unprecedented levels, and data security is emerging as the dominant priority of regulation.
Below, we offer a selective overview of this report, focusing on the key takeaways and priority actions for 2026.
2025 was marked by three records: the number of complaints, the amount of fines, and the number of data breach notifications.
The CNIL received a record number of complaints, more than 20,000, representing an increase of around 10% over one year, mainly concerning data processing in the fields of employment, commerce, real estate and social media.
The total amount of fines reached nearly €487 million, compared to €55 million in 2024: an almost ninefold increase, largely attributable to two decisions.
In raw terms, the CNIL received 17,802 notifications of personal data breaches, but deliberately excluded two massive incidents involving two software providers (one in wealth management, the other in private healthcare) that alone had generated more than 11,600 notifications from their data controller clients. The adjusted figure is therefore 6,167 breaches, a 9.5% increase over 2024.
The CNIL confirms a trend: hacking remains the leading cause (half of all cases), ahead of sending data to the wrong recipient, theft or loss of equipment, and the unintentional disclosure of information.
Two decisions handed down on 1 September 2025, both relating to breaches of the cookie rules, account for the bulk of the total amount: €325 million against Google and €150 million against Shein. In both cases, the CNIL found that advertising trackers had been placed (and, in Google's case, advertisements displayed) without valid consent and without adequately informing users.
Beyond these two cases, the report emphasizes that the penalties target companies of all sizes and across all sectors: no organization can consider itself outside the Authority’s scope of action.
One factor reinforces the significance of these decisions: in 2025, the French Council of State upheld 97.5% of the CNIL’s decisions that were challenged.
The President of the CNIL draws three lessons from the notifications received, which summarize the Authority's approach: "no one is spared; breaches are becoming increasingly widespread; they often involve a service provider."
The subcontracting chain is thus explicitly identified as a weak link. The report also reiterates the specific obligations of data processors: implementation of adequate security measures, processing data only on the instructions of the controller, and deletion of data at the end of the contractual relationship.
The measures expected by the CNIL are very concrete:
generalize multi-factor authentication for external access (nearly 80% of major breaches in 2024 originated from an account protected only by a password),
2025 marks a turning point for the CNIL in the field of AI. It has been designated as the supervisory authority for prohibited AI practices under the European AI Regulation and is set to become, subject to parliamentary confirmation, the market surveillance authority for a large share of high-risk systems, particularly in the fields of biometrics, employment, migration, law enforcement and education.
To support stakeholders, the CNIL has finalized thirteen practical guides covering all stages of AI system development, accompanied by checklists, and has clarified the conditions for invoking legitimate interest as a legal basis. Organizations that develop or deploy AI solutions processing personal data must immediately incorporate these guidelines into their governance and impact assessments, in line with both the GDPR and the AI Regulation.
Cybersecurity has been made a top priority: in the press release accompanying the report’s publication, the CNIL announced that, in 2026, it will devote half of its inspections to data security, on the basis of Article 32 of the GDPR, in conjunction with the NIS2 Directive for critical sectors.
It will work in conjunction with ANSSI and, for criminal proceedings, with the Paris “cyber” public prosecutor’s office. Inspections will primarily target organizations affected by a breach or complaints, as well as sectors that process large volumes of data, including sensitive or highly personal data.
Alongside this cross-cutting priority are the sector-specific inspection themes announced on 3 April 2026, which outline the risk areas to be monitored:
If you have any questions or need assistance, please do not hesitate to contact our IT/Data team.
Jeannie Mongouachon, Partner & Juliette Lobstein, Associate