Each month, we deliver the essential data news in the newsletter Data4Coffee. Don't miss out on key insights!
[April 30, 2026] During a visit to the National Agency for Secure Documents (ANTS), Prime Minister Sébastien Lecornu announced an action plan to address the intensification of cyberattacks targeting state information systems, which have been experiencing an alarming average of three data thefts per day since early 2026. The plan is structured around three pillars: new governance, with the creation of a state digital authority; strengthened resources, notably through the allocation of fines imposed by the CNIL to a fund for modernizing state digital infrastructures; and a refined protection doctrine, including self-attack exercises and the use of AI to detect vulnerabilities. In total, the plan represents €200 million in immediate investment. It demonstrates the Prime Minister's commitment to responding to the growing cyber threat through a strengthened framework equipped with unprecedented resources.
[May 4, 2026] ANSSI published its 2025 activity report on May 4, 2026, which highlights the intensification of cyber threats and the strengthening of national cybersecurity measures in a deteriorating geopolitical context. On the regulatory front, two major advances stand out: the first-reading adoption of the European NIS2 directive and the implementation of the Cyber Resilience Act, both aiming to establish increased requirements for digital security and the use of trusted cybersecurity solutions. The report emphasizes the development of ANSSI's support services and its role in overseeing the AI Act, particularly through the PANAME project launched in collaboration with the CNIL. Key figures: 1,366 security incidents recorded in 2025, a 0.4% increase compared to 2024.
Source: Publication of ANSSI's 2025 Activity Report | ANSSI
[May 6, 2026] From June 23 to 26, CNIL will host in Paris the Roundtable of Data Protection and Privacy Authorities, as part of France's G7 presidency in 2026. Established in 2021, this annual meeting brings together the competent authorities of G7 member states and the European Union, to strengthen international cooperation and promote high-level personal data protection in the face of digital challenges. The 2026 agenda includes: emerging technologies, cooperation on law enforcement, and free flow of data. In the age of artificial intelligence, France intends to favor a dialogue-based approach to contribute to digital governance that respects fundamental rights and freedoms.
Source: G7 2026: CNIL Hosts the Roundtable of Data Protection and Privacy Authorities in Paris | CNIL
[May 6, 2026] Mirakl, a marketplace specialist, is launching its "Trust & Safety" feature for AI-powered automatic detection of illicit products, sensitive content, and fraudulent behavior on marketplace platforms. Amid the content moderation and consumer safety obligations stemming from the Digital Services Act, and recent scandals surrounding the sale of sex dolls on Shein and AliExpress, Mirakl aims to offer a proactive risk management solution. More than a standalone moderation tool, "Trust & Safety" is natively integrated into catalog management tools and operates both upstream (analyzing listings before they go live) and downstream (continuously monitoring active catalogs). This initiative highlights the responsibilities now borne by intermediary market players.
[May 7, 2026] The CNIL has published its recommendations on the use of personal data for solvency assessment in the context of credit granting. In a context where the assessment of an applicant's solvency is often automated (scoring), or even involves the use of artificial intelligence, these recommendations aim to strengthen the transparency of decisions made by financial institutions. In line with recent CJEU decisions confirming that scoring is an automated decision when it plays a decisive role in credit granting, the CNIL seeks to regulate the data processed, their retention periods, and the guarantees applicable to this practice (transparency, human intervention, and explainability).
[May 7, 2026] The Douai Court of Appeal, on May 7, 2026, annulled a contract due to a mistake regarding its essential qualities, specifically the GDPR non-compliance of the website created under the contract. A client had entrusted an IT service provider with the design of their website, but the latter did not, in practice, comply with regulatory requirements concerning consent for advertising cookies. The Court held that the client, by engaging a professional, could legitimately expect the delivery of a GDPR-compliant website, thereby elevating this compliance to an essential quality of the contract. This decision is consistent with a jurisprudential trend that positions GDPR compliance as a tacitly agreed condition between parties and sends a strong signal to digital service providers, who must deliver GDPR-compliant products and services, failing which the contract may be annulled.
Source: Douai Court of Appeal, May 7, 2026, No. 22/05075
For similar decisions, see Lyon Court of Appeal, March 5, 2026, No. 24/023; Bordeaux Court of Appeal, May 13, 2025, No. 23/0244; and Grenoble Court of Appeal, January 12, 2023, No. 21/03701.
[May 11, 2026] In response to the rise of smart glasses, the CNIL is launching an action plan to address the significant privacy issues they raise. These devices, capable of continuously capturing sounds, images, and contextual data via AI, present undeniable risks related to the discreet collection of information concerning both users and third parties filmed or recorded without their knowledge. The CNIL's action plan focuses on three main areas: legal and technical analyses of GDPR compliance, discussions with its European counterparts, and awareness-raising initiatives. The CNIL is also issuing initial practical recommendations for users, particularly regarding respect for the image rights of individuals appearing in captured photos or videos.
[May 11, 2026] Docaposte, the digital subsidiary of La Poste group, is creating Docaposte Santé with the ambition of becoming the leading publisher and operator of digital health solutions. In response to the structural challenges of the healthcare system, Docaposte aims to better structure data, streamline care pathways, facilitate cooperation among stakeholders, and integrate artificial intelligence. This initiative introduces a new and innovative approach to health information systems, seeking to improve support and anticipate needs within a sovereign and trusted framework. Docaposte Santé has set 5 objectives by 2030, thus illustrating the growing desire of public and private stakeholders to reconcile technological innovation, digital sovereignty, and enhanced protection of health data.
To learn more about the obligations of health software publishers, consult our article.
[May 18, 2026] In 2025, the CNIL's activities continued to intensify, with 20,150 complaints received, 323 inspections, 259 decisions, and 83 sanctions, totaling over 487 million euros in fines. The CNIL thus reported a new record for complaints and a 10% increase compared to 2024. Regarding cybersecurity, data breach notifications, half of which resulted from hacking, increased by 9.5%, with 6,167 data breaches notified to the CNIL in 2025. This annual report demonstrates increased vigilance regarding GDPR compliance and data protection. For 2026, the CNIL will dedicate half of its inspections and enforcement actions to cybersecurity shortcomings, strengthen its awareness campaigns, and continue its efforts to regulate AI.
For more information, please see our article.
Source: Annual Report: CNIL's 2025 Review and Key Actions | CNIL
[May 21, 2026] ANSSI announced on May 21, 2026, the update of the framework for PACS qualification, which assists beneficiaries in bringing their IT systems into compliance with specific security requirements (LPM, NIS2, etc.) or in achieving a certain level of security. In line with the Cybersecurity Act, this new framework introduces two qualification levels, aiming to adapt security requirements to the sensitivity level of the services provided. While the substantial level streamlines consultant evaluation procedures and reduces access times for services, the high level maintains strict evaluation requirements for managing strategic risks and threats. This update is part of the evolving regulatory framework for cybersecurity.
Source: Update of the PACS requirements framework version 2.0 | ANSSI
[May 21, 2026] The Paris Court of Appeal ruled that the deployment of AI tools in companies, such as ChatGPT or an internal assistant, constitutes the introduction of a new technology likely "to significantly affect employees' working conditions", thereby triggering the obligation for prior information and consultation with the CSE. Given that no office software could previously claim to reproduce intellectual capabilities in the manner of AI tools, the Court specified that this obligation applies regardless of whether employees had already informally used the AI in question or whether its use is optional. This decision confirms that the deployment of AI-enhanced tools in companies must comply with social dialogue rules.
Source: Paris Court of Appeal, May 21, 2026, No. 25/13232
[May 26, 2026] Following consultation with industry stakeholders and to account for major developments in the health sector, the CNIL has updated reference methodologies MR-001 and MR-003 (research involving human subjects, a clinical drug trial, a clinical investigation of a medical device, or a performance study of an in vitro diagnostic medical device). These updates aim to broaden the scope of research that can benefit from a simplified procedure for accessing health data, while strengthening guarantees of security, completeness, and accuracy of collected and processed data. They reflect the CNIL's commitment to reconciling medical innovation, the value of health data, and the protection of patients' privacy.
Source: Health Research: CNIL Updates and Broadens Scope of Reference Methodologies 001 and 003 | CNIL
[May 27, 2026] Through a fictional case of a cyberattack involving a data processor, the CNIL highlights the central role of this actor in the security of personal data. It points out that cybersecurity incidents frequently affect service providers who have access to their clients' information systems or data, leading to major consequences for the entire contractual chain. In response, the CNIL outlines an action plan in the event of a breach, specifies the data processor's role in informing and assisting, and emphasizes the need to choose data processors who offer sufficient guarantees regarding security and GDPR compliance. This stance confirms the importance of rigorous contractual frameworks for relationships between data controllers and data processors, as the latter are on the front line in the event of a cyber incident.
Source: Cyberattack: The Data Processor at the Heart of the Crisis | CNIL
[May 28, 2026] The CNIL imposed a fine of 5 million euros against IQVIA Operations France, a company specializing in conducting studies for pharmaceutical laboratories, for failing to comply with safeguards aimed at limiting risks in the management of health data warehouses for tens of millions of people. In its decision, the authority noted breaches of the obligation to comply with the conditions of the authorizations issued (security flaws, lack of connection logging) as well as the obligation to inform data subjects. Notably, the CNIL rejected IQVIA's argument that the GDPR was not applicable because the data in question was anonymous, considering it to be merely pseudonymous since re-identification was possible by reasonable means. This decision reiterates the requirement for enhanced protection applicable to health data.
For more information, please consult our article commenting on the decision.
Source: Health Data: 5 million euro fine against IQVIA | CNIL
[May 28, 2026] Given the multitude of actors and the importance of correctly distributing responsibilities, the CNIL has published guidelines to help cloud actors identify their qualification under the GDPR (data controller, joint controller, or processor). The CNIL provides guidance on three aspects: service provision, service improvement, and security "of" the cloud and "in" the cloud. For each case, a concrete analysis must be conducted, as the distribution of roles varies depending on who takes the initiative and who determines the means of the processing. The CNIL illustrates its points with several concrete examples related to IaaS, PaaS, and SaaS. For cloud actors, this framework provides a concrete analytical tool to secure their GDPR compliance.
Source: What qualifications for cloud computing actors (cloud)? | CNIL
[May 5, 2026] Following its investigation into TikTok, the Irish Data Protection Commission (DPC) has opened an investigation into Shein Ireland regarding the transfer of European users' personal data to China. Focusing on several major GDPR obligations (the fundamental principles of GDPR Article 5, user information, and transfer frameworks), the DPC's investigation aims to determine whether Shein has implemented sufficient mechanisms to regulate these flows outside the EU and ensure data security. In its statement, the Irish authority specifies that this inquiry is a major strategic priority and is part of enhanced cooperation with other European authorities, who are particularly attentive to data transfers to countries without an adequacy decision.
[May 5, 2026] The Irish Media Commission, the broadcasting and online media regulator, has opened two investigations targeting Meta under Articles 25 and 27 of the Digital Services Act. The objective of the investigation: to detect potential dark patterns and manipulative and deceptive interfaces on Facebook and Instagram, which may prevent users from choosing a recommendation system that does not rely on profiling. The Commission acknowledges the concerns associated with these systems and the harm caused by these algorithms, which can repeatedly disseminate harmful content in users' feeds. This action highlights the increased obligations of online platforms to ensure user safety.
Source: Two investigations commenced into Meta, in respect of Facebook & Instagram | Coimisiún na Meán
[May 7, 2026] Unveiled in November 2025 by the European Commission, the "Digital Omnibus" digital package, aimed at simplifying rules related to artificial intelligence, cybersecurity, data, and privacy protection, is expected to notably amend certain provisions of the AI Act. In this context, the Council of the European Union and the European Parliament have reached a provisional agreement designed to simplify and streamline several obligations applicable to artificial intelligence systems, while also adjusting the regulation's implementation timeline. Obligations applicable to standalone high-risk AI systems are now expected to come into force in December 2027 (compared to August 2026 currently), while those related to high-risk AI systems integrated into products would be postponed to August 2028 (compared to August 2027). Even if these deadlines are pushed back, affected organizations must nevertheless begin their compliance efforts now.
[May 12, 2026] Amid growing concerns about minors' exposure to inappropriate content and the risks associated with social media, exacerbated by artificial intelligence, the European Commission strongly encourages Member States to deploy a European age verification application. During an address in Copenhagen, Commission President Ursula von der Leyen announced the creation of a "special expert group on online child safety" which could present a legislative proposal as early as this summer. According to her, discussions regarding the introduction of a minimum age for accessing social media can no longer be dismissed. This initiative follows Australia's ban adopted in December 2025, preventing minors under 16 from holding or accessing social media accounts.
[May 12, 2026] The Belgian data protection authority fined a company 176,000 euros for illegally retaining the professional email account of a former employee. Citing a lack of legal basis and a breach of the transparency obligation, the authority ruled that the continued processing of personal data contained in this email account, six months after the end of the employment relationship, exceeded the scope permitted by the GDPR. While an employer may invoke a legitimate interest to keep an email account active, this is only permissible for a limited transitional period following the end of employment (between one and three months), which was long past in this case. This sanction reminds companies of the need to rigorously regulate the retention of professional email accounts after an employee's departure.
[May 19, 2026] Ahead of the entry into force of the AI Act's obligations applicable to high-risk AI systems, the European Commission published on May 19, 2026, a long-awaited draft of guidelines intended to help value chain actors classify their AI systems. This document clarifies the interpretation of several key concepts and provides practical examples of systems that do, or do not, fall under the "high-risk" qualification. The European Commission has opened a public consultation to gather feedback from stakeholders before the adoption of the final version of the text.
Source: Draft Commission guidelines on the classification of high-risk AI | European Commission
[May 22, 2026] Following an investigation launched in December 2021, First VPN, a service advertised as guaranteeing total anonymity for cybercriminal users, was dismantled in a concerted international operation led by French and Dutch authorities, with the support of Europol and Eurojust. This VPN, exclusively promoted on cybercriminal forums, allowed its users to erase all traces by redirecting their connection through third-party servers. According to authorities, this service was deeply embedded in the cybercrime ecosystem, appearing in almost all major investigations conducted in recent years. It was notably used in ransomware attacks (such as Phobos) and online fraud schemes. The operation highlights the strengthening of international cooperation in the fight against cybercrime.
[May 24, 2026] To mark the tenth anniversary of the GDPR's entry into force, the European Commission celebrates the achievements of this landmark law, which harmonized data protection rules for Europeans and strengthened their rights. Since its entry into force, the European Union has become an international model and has inspired the adoption of similar laws worldwide. The Commission points out that the GDPR is not a standalone text, but rather part of a broader set of European digital regulations designed to protect citizens online (Digital Market Act, Digital Services Act, AI Act). On this occasion, the European Union reaffirms its ambition to build a secure digital environment that serves its citizens.
Source: Ten years of GDPR: your data, your rights | European Commission
[May 21, 2026] While the Biden administration had adopted several measures aimed at preventing certain foreign states from purchasing commercial data collected from mobile phones at the most sensitive federal government sites, parliamentarians are raising concerns about the shortcomings of this system. 736 sensitive sites, including the White House, Congress, and CIA headquarters, were omitted and reportedly not among the areas benefiting from enhanced protection. Members of Congress denounce the risk that data brokers could commercialize information allowing the tracking of government officials' movements, with potential consequences for espionage and national security. These failures highlight the need for strict regulation of sensitive data transfers, balancing privacy protection, sovereignty imperatives, and national security.
[May 26, 2026] Launched a month ago, Project Glasswing is an initiative bringing together major digital players (including Amazon Web Services, Anthropic, Apple, Cisco, CrowdStrike, Google, and Microsoft) with the goal of securing the world's most critical software. In this context, Anthropic presents the first assessment of "Claude Mythos Preview," its experimental AI-powered automatic vulnerability detection system. The result: over 10,000 security flaws, observed across all major operating systems and web browsers. This initiative, which illustrates AI's growing ability to automate vulnerability research, aims to strengthen early detection capabilities for cyber risks and accelerate flaw remediation. However, the tool remains experimental and is limited to a small number of selected partners.
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean & Juliette Lobstein