[June 3, 2026] In a ruling dated June 3, 2026, the Court of Cassation rejected requests for deletion, anonymization, and de-referencing made by a former sports executive found guilty of complicity in breach of trust, whose conviction was reported in a 20 Minutes article published in 2009. Applying the seven criteria established by the ECHR in the Hurbain v. Belgium judgment (2023), the Court of Cassation prioritized freedom of the press over the right to erasure provided by the GDPR, deeming the individual's identity inseparable from the informational value of the article. Anonymization was thus considered as detrimental to freedom of information as the deletion of the content. This case highlights that requests addressed to press publishers are subject to a different assessment than those targeting search engines.
[June 8, 2026] During France's G7 presidency, ANSSI intensified its efforts on the diplomatic and operational fronts of cybersecurity. Notably, it hosted in Paris the plenary meeting of the Cybersecurity Working Group, which focused on post-quantum transition, artificial intelligence, and cybersecurity for SMEs and the telecommunications sector. Two deliverables were welcomed: a framework establishing guidelines for the transparency of the AI software supply chain ("SBOM for AI"), and a declaration on migration to post-quantum cryptography, intended for businesses. Furthermore, as part of the Evian Summit (June 15-17, 2026), ANSSI supported the organizers in addressing increased risks of espionage, destabilization, and extortion, amidst a context of strong geopolitical tensions. ANSSI's collaboration during the G7 demonstrates the importance of cybersecurity.
[June 9, 2026] The NIS 2 directive, which extends cybersecurity obligations to over 15,000 entities across 18 sectors (compared to 300 entities under NIS 1) and mandates cyber risk management, strict incident notification deadlines, and personal liability for executives, has still not been transposed into French law. Twenty months after its transposition deadline expired in October 2024, the European Commission is preparing to refer France to the CJEU, following an infringement procedure initiated in 2024. The transposition bill, already adopted by the Senate, has been stalled for many months before the National Assembly due to a disagreement with the DGSI. While some MPs are warning of the urgency of its adoption, France now faces a lump-sum fine and/or a daily penalty payment of several million euros, and a loss of influence in upcoming negotiations on the revision of NIS 2. Paradoxically, in April 2026, the government presented a cybersecurity roadmap largely aligned with the principles of NIS 2.
[June 9, 2026] Tchap, the French inter-ministerial messaging service, recently fell victim to a cyberattack involving account impersonation. The attackers claim to have accessed over 643,000 messages, 59,000 files, and 73,000 agent accounts from a single compromised account. However, the Inter-ministerial Digital Directorate (Dinum) assures that the encryption of private conversations was not affected, and that the exfiltrated data is limited to "public channels". A few days later, the volunteering platform JeVeuxAider.gouv.fr was affected, with 550,000 accounts compromised. These incidents occur amidst a surge in attacks against public services, following the ANTS incident in April 2026. In response to this threat, the state urgently released 200 million euros last month to bolster its cybersecurity, an amount that the Minister Delegate for AI and Digital Technology already considers insufficient.
[June 10, 2026] Through two practical guides, the CNIL (French Data Protection Authority) reiterates the rules governing business communications with prospects and clients. For electronic communications, the CNIL distinguishes three regimes based on the message's purpose: commercial prospecting (prior consent in B2C, or legitimate interest in B2B), transactional communications (based on contract execution), and relational communications (based on legitimate interest). In all cases, data subjects must be clearly informed about the use of their data and be able to consent or object easily. Second aspect: as of August 11, 2026, B2C telemarketing will also shift to a prior consent regime, except for calls related to an ongoing contract. The B2B regime, however, will remain based on legitimate interest, coupled with a right to object. These reminders urge companies to audit all their communication practices immediately.
[June 10, 2026] Following a call for tenders launched by ANSSI in August 2025, the CCI Lyon Métropole Saint-Étienne Roanne was mandated to operate the Auvergne-Rhône-Alpes CSIRT, named "Cyber Assistance Auvergne-Rhône-Alpes", in technical partnership with Orange Cyberdefense. Open to all regional entities (VSEs, SMEs, mid-caps, local authorities, associations), it provides a first level of cyber incident management: alert qualification, initial diagnosis, and assistance with filing a complaint, before escalation to Orange Cyberdefense for complex incidents. This initiative is part of the national deployment of regional CSIRTs led by ANSSI, serving organizations lacking resources to face the cyber threat.
Source: The Auvergne-Rhône-Alpes region establishes a regional assistance center | L’Informaticien
[June 15, 2026] Names, addresses, IBANs, medical data: nearly 1.2 billion stolen personal data points were made accessible via Searcher, a search engine created by an 18-year-old. The platform aggregates data from cyberattacks, such as the one suffered by ANTS, then cross-references it with public sources to quickly retrieve information on millions of French citizens. CNIL denounced the handling of data from cyberattacks, in violation of GDPR and the Penal Code, and rejected the argument that stolen databases are "public" simply because they circulate online. The Minister Delegate for Digital Affairs has initiated legal proceedings, and a preliminary investigation has been opened. This case demonstrates that stolen personal data continues to circulate long after a cyberattack, permanently exposing victims.
[June 16, 2026] On the eve of the Vivatech exhibition opening, Prime Minister Sébastien Lecornu announced a 655 million euro package as part of the major France 2030 investment plan. This amount is intended to support AI-related infrastructure. The stated objective: to prioritize French and European solutions to limit dependence on foreign technologies. This commitment is notably reflected in the replacement of the American Palantir by the French ChapsVision as the data processing and exploitation platform for the DGSI, and the launch of "l’Assistant" (The Assistant), an AI designed by Dinum with Mistral AI for all state agents. This announcement comes as tensions surrounding digital sovereignty intensify and following the suspension of certain Anthropic models by the American government. For its part, the United States is already pursuing a massive AI investment strategy through Project Stargate, which plans up to 500 billion in investments over four years.
[June 17, 2026] In a dispute concerning the election of the director representing Orange's employee shareholders, the company had submitted into evidence a report from EY analyzing email metadata and electoral lists containing personal data. Given Orange's failure to inform employees of this data processing, the plaintiffs argued its unlawfulness and consequently the inadmissibility of the evidence. After recalling the jurisprudential principle regarding unlawful or unfairly obtained evidence, which may be admitted when it is indispensable and the infringement is strictly proportionate, the Court of Cassation upheld the production of the report as evidence. In this instance, EY had pseudonymized all personal data used, destroyed the initial data, and conducted a purely volumetric analysis that did not result in any nominative files. Thus, the infringement on privacy and trade union freedom being extremely limited, the production of the report was justified and proportionate to the company's need to defend itself in court.
Source: Court of Cassation, Commercial Chamber, June 17, 2026, n°25-11.499
[June 18, 2026] A cybercriminal is offering over 250,000 copies of French passports and national identity cards, in an exploitable format, for sale on the dark web. The cybercriminal, who recently claimed responsibility for several attacks against French companies, reportedly accumulated these documents through multiple data breaches from platforms performing identity verification. Victims face lasting consequences: identity theft, loans taken out in their name, and targeted phishing. For any entity collecting such documents, this case serves as a reminder that retaining these documents poses a primary legal and operational risk, and that strict security measures must be implemented.
[June 19, 2026] In a practical guide, CNIL publishes twelve essential recommendations to remind organizations of their data protection obligations and their exposure to cyber risks, regardless of their size. These recommendations can be implemented without advanced technical means: strong passwords, two-factor authentication, automatic updates, and off-site backups. CNIL emphasizes the "GDPR reflex," which includes data minimization and limiting their retention period. In the event of a breach, the key responses are simple: isolate the affected machine without turning it off, do not pay a ransom, and notify CNIL if personal data is involved. The message is clear for businesses, which are urged to anticipate risks and promptly secure the tools they use.
Source: Data security: essential rules to protect data and your business | CNIL
1.12. Online child protection: G7 data protection authorities adopt key common principles
[June 26, 2026] The meeting of G7 data protection authorities, held on June 25 and 26, 2026, focused on key topics such as online child protection, emerging technologies, free flow of data, and cooperation in law enforcement. Following their meeting, these authorities adopted three documents: a general joint communiqué, a declaration on age verification, and a joint document on connected objects in the home and child protection. This documentation, which emphasizes key data protection principles and good privacy practices, strengthens international cooperation. Discussions were also held on the use of connected glasses, agentic AI, and the risks associated with automated decisions that reduce human intervention. The next roundtable will take place in the United States in 2027, under the chairmanship of the U.S. Federal Trade Commission (FTC).
[1st June 2026] The Spanish data protection authority fined Iberia €650,000 following a data breach in February 2023 at one of its subcontractors. This breach led to the unauthorized access and exfiltration of personal data belonging to employees and client representatives in several Member States. The authority found non-compliance with the GDPR's principles of integrity and confidentiality, and criticized the lack of sufficient risk analysis, shortcomings in identifier protection, and a failure of oversight that allowed access to the compromised infrastructure for over a month and a half. This decision serves as a reminder that a data controller cannot absolve itself of responsibility by invoking the fault of its subcontractor, and must demonstrate the implementation of appropriate security measures.
Source: AEPD (Spain) - PS-00437-2024 | GDPRHub
[3 June 2026] On 3 June 2026, the Irish High Court largely rejected TikTok's appeal against the decision of the Irish Data Protection Commission (DPC) of 30 April 2025, which had fined the platform €530 million for GDPR violations following transfers of European user data to China. The Court confirmed two GDPR infringements: absence of appropriate safeguards and lack of transparency. The Irish judges first reiterated that it is the data controller's responsibility to document its assessment of the effective level of data protection in the recipient country, particularly in the event of an audit by an authority that could sanction any shortcomings. Regarding transparency, the Court confirmed that the GDPR requires explicit identification of third countries receiving data in a privacy policy. For any company transferring data outside the EEA, this decision reiterates the requirement to "verify, guarantee, and demonstrate" the robustness of any transfer impact assessment, under penalty of severe sanctions.
[June 4, 2026] By order of June 4, 2026, the President of the CJEU ruled admissible Microsoft's application to intervene in support of the European Commission, in the appeal lodged by MEP Philippe Latombe against the Data Privacy Framework (Case C-703/25 P), the third adequacy decision governing data transfers between the EU and the United States. While the EU General Court had rejected the action for annulment of this mechanism in September 2025, Philippe Latombe recently appealed this decision. It is in the context of these proceedings that Microsoft sought to intervene to support the European Commission's conclusions. Microsoft, demonstrating a direct and current interest in the outcome of the dispute, as it bases many transfers to the United States for its own needs and those of its clients on the Data Privacy Framework, had its intervention admitted by the President of the CJEU. Microsoft will thus have access to all procedural documents, submit its own written submissions, and participate in oral hearings. Through this intervention, one of the GAFAM companies significantly strengthens the defense's position in an attempt to maintain the Data Privacy Framework.
[June 9, 2026] The Austrian Federal Administrative Court confirmed the decision of the national data protection authority sanctioning a Viennese press publisher for unlawful data transfer to the United States, via its email marketing provider. Although the data controller had implemented standard contractual clauses and supplementary measures for encryption, terms of use, and storage management, these were deemed insufficient. Indeed, at the time of the events, no adequacy decision covered transfers to the United States (invalidation of the Privacy Shield and Data Privacy Framework not yet adopted), meaning that the measures in place addressed neither the risk of US authorities accessing data nor the lack of effective judicial remedy for data subjects. Furthermore, the Court reiterates that the mere existence of an online privacy policy is not sufficient to establish that the necessary information has been provided; it must also have been actively communicated. This case highlights that compliance with international transfers requires a concrete and documented analysis, not merely the formal implementation of a transfer mechanism.
Source: BVwG - W171 2302513-1 | GDPRHub
[June 10, 2026] The European Commission has published its Code of Practice on the Transparency of AI-generated Content, following a multi-stakeholder process led by the AI Office since November 2025. This voluntary Code aims to help providers and deployers of generative AI systems comply with the transparency obligations set out in Article 50 of the AI Act, applicable from August 2, 2026. It comprises two sections, dedicated respectively to providers (rules for marking and detecting AI-generated content) and deployers (rules for labeling deepfakes and AI-generated or manipulated text). This Code will soon be supplemented by guidelines on the scope of these obligations. For providers and deployers of generative AI, the key challenge now is to achieve compliance before the August 2 deadline.
Source: Code of Practice on the Transparency of AI-generated Content | European Commission
[June 11, 2026] Cybersecurity solutions provider Proofpoint joins the Internet Security Advisory Group of Europol's European Cybercrime Centre ("EC3"). The EC3 brings together experts and organizations to provide Europol with strategic expertise, intelligence, and operational analysis in the face of cybercrime threats. Proofpoint's integration follows its participation in Operation Endgame, one of the largest successful international operations against cybercrime. This development also highlights the growing role of public-private partnerships in combating digital threats.
Source: Proofpoint joins Europol's advisory committee | L’Informaticien
2.7. Digital Omnibus: Uneven Progress
[June 16, 2026] The European Parliament has adopted the AI component of the "Digital Omnibus" package, postponing the application of obligations for high-risk AI systems until December 2, 2027 (autonomous systems) and August 2, 2028 (safety components in regulated products), while strengthening prohibited practices, which now include systems generating non-consensual sexual content and child pornography. Regarding the GDPR component, the Legal Affairs Committee opposes certain proposed amendments and advocates for maintaining the obligations of the Data Act (smart contracts, interoperability, cloud portability), requirements applicable to data intermediation services, data access mechanisms, and the Platform-to-Business Regulation. The Parliament is thus pursuing a logic of adjustment rather than deregulation: more time to comply with new obligations, without questioning the requirements of the European digital framework or undermining the legal certainty of the stakeholders involved.
[June 16, 2026] Italian authorities are leveraging European digital law tools to initiate two proceedings targeting Google and Apple. On the one hand, the Communications Regulatory Authority (AGCOM) has referred the matter to the European Commission under the DSA to assess whether the integration of Google's AI Overviews into its search engine constitutes a recommendation system and creates systemic risks for information pluralism that have been insufficiently evaluated. On the other hand, the Competition Authority (AGCM) has opened the first national investigation based on the DMA, targeting Apple for lack of interoperability between iOS/iPadOS and third-party cloud storage services. These two cases highlight the significant role played by national authorities in regulating large platforms, whose practices are increasingly scrutinized.
[June 18, 2026] While the Austrian data protection authority had rejected an individual's complaint on the grounds that they had already brought the same erasure request before a civil court, the CJEU clarifies in its decision C-414/24 of June 18, 2026, the relationship between the right to lodge a complaint with a supervisory authority (Article 77 of the GDPR) and the right to an effective judicial remedy against a controller (Article 79 of the GDPR). According to the Court, these two avenues coexist autonomously: since the GDPR establishes no rule of priority between them, each can be exercised concurrently. Consequently, the rejection of a complaint by a supervisory authority solely on the grounds that judicial proceedings concerning the same subject matter are pending would deprive the data subject of all protection if the judicial action were to be dismissed for procedural reasons. To preserve the right to an effective remedy while avoiding contradictory decisions, the Court instead recommends that authorities suspend the examination of the complaint until the definitive conclusion of the dispute brought before the courts.
[18 June 2026] In a case where an employer had used data from a former employee's private eBay account to bring an action against them, the CJEU clarifies the obligations of a judge processing personal data contained in evidence, including when it has been collected unlawfully. After reiterating that the examination of evidence by a court constitutes personal data processing falling under the GDPR, the CJEU recalls that the admissibility of evidence is a matter for the national court. In this regard, it allows a court to use data contained in evidence obtained illegally by a party, provided that the latter does not have a legitimate interest in the processing that outweighs the mere establishment of the alleged facts. While the principle of data minimisation does not preclude such processing and does not impose a proportionality test for every processing operation carried out by judges, they must nevertheless, before any disclosure to third parties, limit the data to what is necessary.
[24 June 2026] On 10 June 2026, the European Data Protection Board (EDPB) adopted a common data breach notification template aimed at harmonising practices across Europe. This template, which is subject to public consultation until 5 August 2026, aims to ensure the compliance of notifications with the GDPR, particularly for small organisations without a DPO or in-house legal counsel. Furthermore, during its meeting with European Commissioner Michael McGrath, the EDPB reaffirmed its opposition to any modification of the definition of personal data within the framework of the Digital Omnibus, and defined common priorities with the European Commission. The discussions focused on the importance of inter-regulatory cooperation and crucial topics of common interest, such as the EDPB's future guidelines on processing children's data. Finally, with the same objective of strengthening dialogue, the EDPB announced on 24 June the launch of a contact form dedicated to reporting potential divergences in the interpretation of the GDPR across Europe.
[June 15, 2026] By presidential executive order dated June 2, 2026, the Trump administration elevates AI to a national security and cybersecurity issue, while simultaneously asserting a refusal of "covered frontier model": AI models whose cyber capabilities exceed a threshold defined by the Director of the National Security Agency. Centered around this category, the executive order establishes a framework for voluntary cooperation with developers, who can have their models evaluated by the federal government, grant it access up to 30 days before their release to other trusted third parties, and choose these partners. This framework reportedly saw its first application barely 10 days after its adoption, with the Secretary of Commerce ordering Anthropic to suspend access to its Fable 5 and Mythos 5 models, after a company managed to bypass their security safeguards. Anthropic disputes the measure, while this decision illustrates the Trump administration's determination to make AI a central issue of national security and strategic global competition.
[June 15, 2026] Restrictions on social media use by minors are intensifying. This month, the British government announced a ban on social media platforms offering their services to under-16s, set to come into force in spring 2027. Inspired by the Australian model, the legislation goes further, also blocking livestreaming, exchanges with strangers across all online services (including video games), and AI chatbots with romantic or sexual intent. Its implementation will rely on strengthened age verification mechanisms, supervised by the telecommunications regulatory authority (Ofcom), and default restrictions for under-16s. This reform echoes the French debate, where a proposed social media bill that would ban access for under-15s is currently under review.
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein