
Each month, we deliver most of the latest data news in the newsletter Data4Coffee. Don't miss out on key information!
To receive it, please fill in this form.
[February 25, 2026]
On February 25, 2026, the CNIL launched a public consultation on its draft recommendation on “session replay” tools. These technologies reconstruct a user's complete journey on a website or mobile application (mouse movements, clicks, scrolls and even form entries) as replayable videos. Widely used by SaaS publishers and e-commerce players to detect bugs or improve ergonomics, these tools involve detailed monitoring of online behaviour that is likely to reveal personal, and even sensitive, data.
The draft recommendation clarifies the legal qualification of the solution provider (processor, separate controller or joint controller), the eligible purposes (limited and defined in advance), as well as the information obligations and the methods of collecting consent via a Consent Management Platform. The CNIL recalls that these tools are subject to Article 82 of the French Data Protection Act. The consultation is open until April 22, 2026.
Source: Session replay: the CNIL launches a public consultation on its draft recommendation | CNIL
[February 27, 2026]
In a judgment of February 27, 2026, the Paris Court of Appeal confirmed Apple's conviction following an action initiated in 2016 by UFC-Que Choisir concerning the general conditions of use of Apple Music. The court upholds the unfair or unlawful nature of several clauses, in particular those relating to the company's liability and to the exploitation of user-generated content, which it considers likely to create a significant imbalance to the detriment of consumers.
The Court also notes breaches of information and transparency obligations in the field of personal data: the contractual conditions did not give users sufficiently clear information on the nature of the data collected, the purposes of the processing and the way the data is used, in violation of the requirements of consumer law and the GDPR. The penalty was increased to 50,000 euros in damages in favour of UFC-Que Choisir. This decision reminds publishers of digital services (SaaS, platforms, applications) that contractual transparency on data is not an option but an obligation, and that non-compliance may give rise to collective actions.
Source: Apple Music: confirmation of unfair terms | Paris Court of Appeal, Paris, 27 Feb. 2026, no. 21/00128
[March 2, 2026]
The CNIL has put online the 2026 edition of its “Tables Informatique et Libertés”, a reference document that summarizes case law and decision-making practice in the field of data protection. The document lists and classifies, by the main themes of the GDPR (principles, legal bases, rights of individuals, security, sanctions, etc.), the main decisions of the CNIL, of the French and European courts and of the European Data Protection Board. The objective is to provide a useful tool for identifying case law trends and anticipating regulatory compliance expectations.
Source: Tables Informatique et Libertés: the CNIL publishes the 2026 update | CNIL
[March 2, 2026]
The CNIL and ANSSI, together with the PEReN and Inria, are developing PANAME (“Privacy Auditing of AI Models”), a tool intended to audit the privacy of artificial intelligence models. This software library will make it possible to test whether a model can reveal personal data from its training set.
The authorities are launching a call for expressions of interest so that companies and administrations can take part in a test phase under real conditions. The objective is to improve the tool and to assess its effectiveness on a variety of use cases.
From a legal perspective, this initiative aims to facilitate the assessment of the compliance of AI systems with the GDPR, in particular with regard to the protection of training data.
For tech players, these audit tools could become an important lever to demonstrate the compliance of their models.
Source:
Call for expressions of interest for the testing of a GDPR audit tool for AI models | ANSSI
[March 4, 2026]
By a decision of 4 March 2026, the CNIL noted the compliance of the company Kaspr and closed the injunction issued against it in December 2024. As a reminder, Kaspr offers a commercial prospecting tool that extracts professional contact details from social networks, mainly LinkedIn, in order to feed prospecting databases. The initial injunction targeted breaches related to the collection and reuse of professional data from social networks, in particular as regards the information provided to data subjects and the lawfulness of the processing.
After examining the corrective measures implemented by the company, the CNIL considered that they now meet the requirements of the GDPR and decided to close the procedure.
Source: Deliberation SAN-2026-004 of March 4, 2026 - Légifrance
[March 4, 2026]
In a judgment of 4 March 2026, the Council of State rejected Criteo's appeal and confirmed the 40 million euro penalty imposed by the CNIL in June 2023 for breaches of the GDPR in the context of its advertising retargeting activity. The Council of State first validates the competence of the CNIL as lead authority, since Criteo's main establishment is located in France. It then provides an important procedural clarification: the right to remain silent does not apply during CNIL control and investigation operations carried out prior to the formal notification of grievances.
On the substance, the Council of State confirms that the data collected by Criteo via cookies, in particular technical identifiers, IP addresses and browsing histories, constitute personal data despite their pseudonymization, as long as the re-identification of users remains possible. It also confirms Criteo's obligation to demonstrate the existence of valid consent from Internet users, regardless of the agreements concluded with its partners. This decision, which concerns 370 million identifiers in Europe, including 50 million in France, is a strong signal for the entire ecosystem: pseudonymization alone is not enough to escape the GDPR.
Source: Pseudonymized data and GDPR: the Council of State confirms the fine against Criteo
[3 and 5 March 2026]
The City of Paris and the National Union of School Sport (UNSS) were recently the victims of massive data leaks affecting users and licensees, revealing the vulnerability of public and school platforms. In Paris, personal information such as names, first names, dates of birth, addresses and contact details was extracted from the Adult Courses platform, while the UNSS saw more than 1.2 million licensees and 1.5 million photos exposed via its OPUSS tool, without banking or sensitive data being compromised. In both cases, the organizations filed a complaint, alerted the persons concerned and strengthened the security of their systems, while notifying the competent authorities such as the CNIL and ANSSI.
Source:
The data of more than one million UNSS students exposed | L'Informaticien
[March 11, 2026]
The latest publications by ANSSI and Cybermalveillance.gouv.fr confirm that the cyber threat in France remains high. Despite a decrease in the overall volume of events processed in 2025 (3,586, or -18%), ANSSI recorded 1,366 incidents, including 196 data exfiltrations, mainly affecting education, administrations, health and telecommunications. The report highlights the growing convergence between state actors and cybercriminals, increasing the risks of espionage, destabilization and fraud. At the same time, Cybermalveillance.gouv.fr recorded a record 504,810 requests for assistance (+20%), with a 73% increase for companies and associations. The dominant threats remain account hijacking, phishing, fake transfer orders and ransomware. This situation is a reminder of the urgency for organizations to strengthen their cybersecurity measures and their compliance with the GDPR, and to adopt a procedure for reporting data breaches.
Sources:
Overview of the cyber threat 2025: France still under pressure from cyber attackers | ANSSI
Requests for help in the face of cyber threats are exploding in France | Le Monde Informatique
[March 19, 2026]
On March 19, 2026, ANSSI launched a call for comments on the reference architectures of its new security supervision doctrine. Security supervision refers to all the resources (human, organizational, technical and financial) contributing to the detection and qualification of security incidents, as well as to the choice of the appropriate reaction. The document submitted for consultation presents several reference architectures intended to cover most supervised information system contexts.
This call for comments is open until May 7, 2026 and is aimed at beneficiaries of supervision services, publishers of detection solutions as well as providers of managed services.
For cybersecurity service providers and start-ups in the sector, this is an opportunity to influence the doctrine that will structure future market requirements and audits.
[March 19, 2026]
On the occasion of its Connect Day on March 19, 2026 in Paris, SAP formalized the launch of “SAP Sovereign Cloud” in France, operated via Bleu, the joint venture between Orange and Capgemini distributing Microsoft Azure services. The offer is aimed at organizations dealing with sensitive and strategic data. In this arrangement, SAP relies on a local operator in the process of obtaining the “SecNumCloud” visa from ANSSI, attesting to the highest level of cloud security in France.
This announcement illustrates a model that is becoming widespread: so-called “operational” sovereignty, based on the hosting and local exploitation of data rather than on complete technological independence from American hyperscalers.
Source: Sovereign cloud: SAP relies on Bleu | L'Usine Digitale
NIS 2: ANSSI publishes a framework to anticipate compliance
[March 23, 2026]
ANSSI is launching the “ReCyF” framework to help organizations prepare for the requirements of the NIS 2 directive. This tool offers best practices for strengthening cybersecurity, especially in terms of risk management and resilience.
It is part of a proactive approach before the transposition of NIS 2 into French law, by allowing companies to initiate compliance.
From a legal perspective, RECYF facilitates the structuring of security procedures and documentation, thus reducing the risks of non-compliance and sanctions.
Source: ANSSI launches the ReCyF framework to anticipate NIS 2 | ANSSI
[March 4, 2026]
On 4 March 2026, the European Data Protection Board (EDPB) published a market study on data brokers, carried out as part of the Support Pool of Experts program at the request of the Belgian data protection authority. The study proposes a methodology for identifying data brokers, a typology into eight categories, and an initial assessment of the risks associated with each category.
Although focused on Belgium, the methodology is designed to be transposable to all European authorities. This report sends a strong signal: activities for the collection, aggregation and commercial valorization of personal data are now under increased surveillance. Players in the sector must anticipate a strengthening of regulatory controls, in particular with regard to the legality of the legal bases invoked and transparency with respect to the persons concerned.
Source: Data brokers market study | EDPB
[March 5, 2026]
On 5 March 2026, the NOYB association (None Of Your Business) published a critical analysis of the “GDPR Omnibus” regulation proposed by the European Commission. Based on a survey of data protection officers (DPOs) from across Europe, NOYB notes that practitioners do not want a reduction in the protections granted to individuals, but a simplification of documentary obligations and a clarification of existing rules.
NOYB points out that several of the proposed changes would benefit large technology companies more than SMEs and start-ups that face concrete application difficulties. The association calls on the European Parliament to reject provisions that would reduce the scope of application of the GDPR or facilitate the processing of data for AI purposes without a clearly established legal basis. This issue is politically sensitive and should be followed very closely throughout the ongoing European negotiations.
Source: GDPR Omnibus: the EU's “simplification” is far from the real needs of businesses | NOYB
[March 17, 2026]
On 17 March 2026, the EDPB organized a conference in Brussels on inter-regulatory cooperation in the EU, focusing on the interactions between the GDPR and recent major digital texts: DSA, DMA, Data Act, AI Act. The event aimed to present the Committee's 2026-2027 work programme, which places transregulatory cooperation among its strategic priorities. Topics covered included synergies between data protection and competition law, as well as consistency in the supervision of digital platforms.
Source: Conference on cross-regulatory cooperation in the EU (17 March) - Programme available now | EDPB
[March 19, 2026]
On 19 March 2026, the EDPB officially launched its coordinated enforcement action, the theme of which is compliance with the transparency and information obligations provided for in Articles 12, 13 and 14 of the GDPR. These provisions require data controllers to inform data subjects in a clear, accessible and comprehensive manner about how their data is processed. The national authorities participate on a voluntary basis and will conduct their investigations at the national level throughout 2026.
This action is a continuation of the previous editions of the “Coordinated Enforcement Framework” (CEF), which focused on DPOs (2024) and the right of access (2025). For start-ups, scale-ups and SaaS platforms, this is a clear warning signal: privacy policies, cookie banners and information notices will receive increased attention.
[March 19, 2026]
The social network X has agreed to pay the fine of 120 million euros imposed by the European Commission in December 2025 for breaches of the Digital Services Act (DSA). Three breaches were alleged: the paid blue check mark system, considered misleading for users; the opacity of the advertiser register; and the insufficient access granted to researchers to the platform's data. At the same time, X submitted corrective proposals on advertising transparency, which the Commission has yet to assess. The platform can present comprehensive remedies until April 28, 2026.
This case is the first sanction pronounced under the DSA against a very large platform and sets an important precedent: the transparency obligations imposed by the DSA give rise to concrete and dissuasive sanctions.
Source: X agrees to pay 120 million euros to Europe | Siècle Digital
[March 27, 2026]
Faced with the proliferation of sexualized deepfakes, the European Union is intensifying its initiatives to better regulate this content, which is considered particularly harmful for victims. At the same time, a Dutch court ordered measures against Grok, with a penalty of 100,000 euros per day in case of non-compliance.
The case illustrates the growing desire of European authorities to impose concrete obligations on AI actors, in particular in terms of the rapid removal of illegal content and the prevention of abusive uses. It also highlights the use of dissuasive financial sanctions to ensure the effectiveness of judicial decisions.
At the legal level, these developments confirm the strengthening of the responsibilities of platforms and publishers of AI tools, in particular with regard to the protection of fundamental rights and the dignity of people.
[March 3, 2026]
An operation coordinated by international authorities, including the FBI and Europol, led to the closure of the LeakBase forum, a major platform used for the exchange and sale of stolen data. Created in 2021, the site had more than 142,000 members and hosted a vast catalog of compromised databases, including usernames, passwords and banking information. Cybercriminals bought and sold this data there in order to facilitate fraud or account takeovers.
Between 3 and 4 March 2026, a joint action carried out in several countries resulted in the seizure of the forum's domains and database, as well as around a hundred operations (searches, arrests, interviews). In particular, the authorities targeted 37 of the most active users.
The retrieval of internal site data (user accounts, messages, technical logs) should make it possible to identify individuals who thought they were acting anonymously online.
The operation illustrates the intensification of international cooperation to fight cybercrime and dismantle infrastructures that facilitate the dissemination of stolen data. It also recalls the criminal risks incurred by actors involved in the resale or use of compromised data.
[March 9, 2026]
On 4 March 2026, Europol coordinated the dismantling of Tycoon2fa, one of the largest phishing-as-a-service (PhaaS) platforms in the world. This service allowed cybercriminals to rent, on a subscription basis, a turnkey kit capable of bypassing multi-factor authentication (MFA) by intercepting login sessions in real time using adversary-in-the-middle (AiTM) techniques. Over 330 domains were seized and the main developer has been formally identified. The operation involved six European countries as well as private partners (Microsoft, Cloudflare, Trend Micro).
In mid-2025, Tycoon2fa accounted for around 62% of phishing attempts blocked by Microsoft, with nearly 100,000 organizations compromised worldwide. In France, 6,823 victims have been identified. This operation illustrates the industrialization of cybercrime and recalls an essential reality for SaaS and cloud companies: MFA is not an absolute protection. The security of authentication sessions must be accompanied by mechanisms for detecting suspicious sessions, active supervision of access and, for data controllers, a reassessment of security measures under article 32 of the GDPR.
Source: Tycoon2fa dismantled by Europol | L'Usine Digitale
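The Tycoon2fa item above notes that MFA is not an absolute protection and calls for mechanisms that detect suspicious sessions. The Python below is an added example for this newsletter and is not code from Europol, Microsoft or any project named here. It runs two simple checks over authentication log events: a successful login from an IP address outside the user's baseline (an AiTM proxy authenticates from its own infrastructure, not from the victim's usual client), and a session token later presented by a different IP or User-Agent than the client that established it (the pattern left when a stolen session cookie is replayed). The event field names, the per-user IP baseline and all sample events are constructed assumptions, not a real log format.

```python
"""Flag sessions that look hijacked after an adversary-in-the-middle (AiTM) login.

Added example for this newsletter item, not code from any project named in it.
The log schema, the baseline and the sample events are constructed for illustration.
"""
from datetime import datetime

# Constructed sample authentication events (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-03-04T09:00:00Z", "event": "login_success", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Firefox/124"},
    {"ts": "2026-03-04T09:00:30Z", "event": "request", "user": "alice", "session": "s-1", "ip": "203.0.113.10", "ua": "Firefox/124"},
    # Same session token, but now presented from another IP and browser: cookie replay.
    {"ts": "2026-03-04T09:02:00Z", "event": "request", "user": "alice", "session": "s-1", "ip": "198.51.100.7", "ua": "Chrome/123"},
    # Login succeeds (MFA passed) but from an IP never seen for this user.
    {"ts": "2026-03-04T09:30:00Z", "event": "login_success", "user": "carol", "session": "s-3", "ip": "198.51.100.99", "ua": "Chrome/123"},
    {"ts": "2026-03-04T09:31:00Z", "event": "request", "user": "carol", "session": "s-3", "ip": "198.51.100.99", "ua": "Chrome/123"},
    {"ts": "2026-03-04T10:00:00Z", "event": "login_success", "user": "bob", "session": "s-2", "ip": "192.0.2.44", "ua": "Safari/17"},
    {"ts": "2026-03-04T10:05:00Z", "event": "request", "user": "bob", "session": "s-2", "ip": "192.0.2.44", "ua": "Safari/17"},
    # A session token that was never issued by a login we observed.
    {"ts": "2026-03-04T10:06:00Z", "event": "request", "user": "bob", "session": "s-9", "ip": "198.51.100.7", "ua": "Chrome/123"},
]

# Constructed per-user baseline: IPs seen in recent legitimate logins.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}}


def _parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_suspicious_sessions(events, known_ips):
    """Return a list of alert dicts, in chronological order.

    Rules:
    - new_login_ip: successful login from an IP not in the user's baseline.
    - session_fingerprint_change: a session token used from a different IP or
      User-Agent than the client that authenticated it.
    - session_without_login: a session token with no observed login.
    """
    sessions = {}  # session id -> (user, ip, ua) recorded at login
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        sid = ev["session"]
        if ev["event"] == "login_success":
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                alerts.append({"rule": "new_login_ip", "user": ev["user"],
                               "session": sid, "ip": ev["ip"], "ts": ev["ts"]})
            sessions[sid] = (ev["user"], ev["ip"], ev["ua"])
            continue
        if sid not in sessions:
            alerts.append({"rule": "session_without_login", "user": ev["user"],
                           "session": sid, "ip": ev["ip"], "ts": ev["ts"]})
            continue
        user, login_ip, login_ua = sessions[sid]
        changed = [field for field, old, new in (("ip", login_ip, ev["ip"]),
                                                 ("ua", login_ua, ev["ua"])) if old != new]
        if changed:
            alerts.append({"rule": "session_fingerprint_change", "user": user,
                           "session": sid, "changed": changed, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In practice the baseline would come from an identity provider's sign-in history and the fingerprint would include more than IP and User-Agent (device identifier, TLS fingerprint, approximate geolocation), and a fingerprint change on a privileged session would feed a step-up authentication or session revocation rather than only an alert.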
[March 12, 2026]
On March 11, 2026, Stryker Corporation, one of the world's largest manufacturers of medical equipment (56,000 employees, present in 79 countries), confirmed that it was experiencing a global disruption of its Microsoft environment as a result of a cyberattack. The attack was claimed by the hacktivist group Handala, affiliated with Iranian intelligence services, in retaliation for an American military strike. The group claims to have deployed a wiper (malware whose objective is to erase data) against more than 200,000 systems, servers and mobile devices, and to have exfiltrated 50 TB of data.
Stryker said it had “no indications of ransomware or malware” and considered the incident to be contained within its internal Microsoft environment. The incident illustrates the extension of cyber conflict to civilian critical infrastructure in contemporary geopolitical disputes, and the specific vulnerability of the health sector. As a reminder, under the GDPR such an attack requires an urgent analysis of the personal data breach, a notification to the competent supervisory authority within 72 hours if the risk to individuals is established, and a communication to the persons concerned if that risk is high.
Source: Pro-Iranian cyberattack against Stryker | L'Usine Digitale
To find out more about data breaches in the health sector and the legal and regulatory provisions applicable to health software publishers, see this article.
[February 24, 2026]
On February 24, 2026, the United Kingdom's personal data protection authority, the Information Commissioner's Office (ICO), fined Reddit £14.47 million for unlawfully processing the personal data of users under the age of 13, in violation of the UK GDPR. The investigation established two main shortcomings: the absence of any robust age verification mechanism, making it impossible to identify a valid legal basis for processing the data of minors, and the absence of a data protection impact assessment before January 2025, despite processing that presented high risks for vulnerable persons. In the absence of effective controls, a significant number of children were able to access the platform and be exposed to inappropriate content, without being able to understand or control the use of their data.
This sanction is part of a series of coordinated actions: the Imgur platform (MediaLab) was fined £247,590 the same day for similar breaches, and TikTok was fined £12.7 million in 2023. The ICO's message is unambiguous: simply asking users to declare their age is not enough. The authority has expressly indicated that it is now extending its investigations to all platforms that rely primarily on this mechanism.
Source: Reddit issued with £14.47m fine for children's privacy failures | ICO
[March 24, 2026]
An American jury has ordered Meta to pay $375 million for exposing minors to online risks, due to protective measures deemed insufficient. The company was allegedly aware of certain dangers and did not act appropriately with regard to minors. In particular, it should have disclosed the risks its platforms pose to children.
This decision marks a tightening of requirements on platforms in terms of user safety, especially vulnerable audiences. It confirms the extension of their responsibility for the content and interactions hosted.
Source: Meta sentenced to 375 million dollars for putting children at risk | Siècle Digital
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein