
[January 9] The CNIL has finalized and published an English version of its “AI how-to sheets”, intended to guide professionals in developing artificial intelligence systems in accordance with the GDPR. These sheets provide a practical framework covering the entire life cycle of an artificial intelligence project involving personal data, from determining the applicable legal regime to implementing data protection principles by design.
Source: AI how-to sheets | CNIL
[January 13] The CNIL sanctioned the companies Free Mobile and Free with fines of 27 million euros and 15 million euros respectively for serious breaches of their personal data security obligations. This decision follows a cyberattack in October 2024 that allowed unauthorized access to personal data concerning 24 million contracts. The CNIL's restricted committee considered that the security measures in place were inadequate in view of the risks involved, in violation of Article 32 of the GDPR. It should be noted that the CNIL does not sanction the breach itself but the fact that it was made possible or facilitated by the absence or inadequacy of security measures. The authority also identified shortcomings in the obligation to communicate the data breach to the persons concerned and, for Free Mobile, excessive data retention in breach of the principles of minimization and storage limitation. The decision includes an injunction to permanently strengthen the security of the processing operations and to complete the corrective measures within specific deadlines.
Source: Data breach: penalty of 42 million euros against the companies FREE MOBILE and FREE | CNIL
[January 14] The CNIL has published two interactive maps listing the compliance tools related to the GDPR available in the Member States of the European Union, namely certifications and codes of conduct approved by national authorities or the European Data Protection Board. The purpose of these maps is to allow organizations to identify existing certifications and codes of conduct according to their field of activity or country, and to more easily consider their own compliance approach.
Source: Certifications and codes of conduct: the CNIL maps the deployment of GDPR tools in Europe | CNIL
[January 16] The CNIL has published recommendations on the collection of “multi-terminal consent”, which allows a user logged in to an account to express their choices relating to cookies and other trackers once for all their devices (computer, mobile, tablet, connected TV). This single consent must not restrict the exercise of the rights provided for by the GDPR, which must be exercisable with the same simplicity and produce the same effects on all devices. In addition, the CNIL recalls that multi-terminal consent must not be an obstacle to providing prior information to the persons concerned. The CNIL also recommends displaying a temporary information banner on subsequent connections to remind users that choices associated with their account were previously recorded.
For more information on these recommendations, see our article.
[January 22] The CNIL sanctioned a social network for having transmitted the personal data of members of its loyalty program for advertising purposes, without a valid legal basis and without sufficiently clear information. The CNIL recalls that complex settings or information buried in general terms and conditions do not constitute informed consent within the meaning of the GDPR: users must concretely understand what data is transmitted, to whom and for what purpose. It also emphasizes that, when it comes to personalized advertising, consent must be genuine, freely given and as easy to refuse as to accept, otherwise the processing becomes unlawful. This decision illustrates the CNIL's increased vigilance over data monetization practices.
[January 22] In the marketing sector, where much data processing is based on the consent of individuals, the CNIL has opened a public consultation to develop a recommendation on the proof of consent required by the GDPR. The GDPR requires that consent be freely given, specific, informed and unambiguous, and that actors be able to demonstrate that it was validly collected before any data is processed for commercial purposes.
This consultation aims to bring together marketing professionals, publishers of consent management technologies and civil society to identify existing practices and operational difficulties related to the proof of consent.
Source: Marketing: the CNIL opens a consultation on the proof of consent | CNIL
[January 26] A bill tabled in the National Assembly aims to ban access to social networks for minors under 15 years of age, in order to better protect their mental health and digital safety. Initially presented as a general ban, the text was amended to comply with European law, in particular the Digital Services Act, which governs digital platforms. On January 26, a first step was taken with the adoption at first reading, by the National Assembly, of the principle of a ban for children under 15, marking a tightening of the regime. Rather than imposing an absolute and uniform ban, the text provides for the prohibition of certain platforms “likely to harm the development of minors”, to be defined by decree after an opinion from ARCOM. The other networks would remain accessible subject to parental authorization, which softens the effect of a strict ban while maintaining a control framework.
[January 29] The CNIL sanctioned France Travail with a fine of 5 million euros following a personal data breach. The authority found the organization's security measures inadequate in view of the risks, whereas the GDPR requires data controllers to guarantee the confidentiality and integrity of the data they process. The decision also recalls that a cyberattack or a leak is not, in itself, an excuse: compliance is also assessed through prevention, access control and the organization of security. It further confirms that public bodies are subject to the same requirements as private companies and can be sanctioned when data protection is not effectively ensured.
Source: Data breach: penalty of 5 million euros against FRANCE TRAVAIL | CNIL
[January 30] The CNIL and the Office of the Privacy Commissioner of Canada (OPC) have consolidated their cooperative relationship to strengthen the enforcement of their respective personal data protection laws. This agreement aims to facilitate the exchange of information and best practices between the two authorities, in particular on emerging topics such as artificial intelligence, cybersecurity and international data transfers. Formalized cooperation will increase the effectiveness of joint investigations, in particular when the same violation affects persons located on both sides of the Atlantic, in a legal context where the national frameworks impose comparable requirements. This initiative illustrates a trend towards practical harmonization between international regulators, in particular to address the challenges posed by cross-border data processing and innovative technologies.
Source: The Privacy Commissioner of Canada and the CNIL signed a declaration of cooperation | CNIL
[January 6] European Union countries are preparing to allow American authorities to access national biometric databases containing fingerprints and facial scans of their citizens, under the so-called “Enhanced Border Security Partnerships” (EBSP) program, a condition imposed by the United States to maintain visa-free travel for European nationals. This initiative stems from a request made in 2022 by Washington, which the EU is ready to meet in 2026 if a framework agreement is reached on the rules for operating and sharing this sensitive data, under the aegis of the European Commission. The envisaged access covers biometric data (fingerprints, facial recognition), considered sensitive, stored in national systems, beyond the biometric entry/exit system recently deployed at European level. This prospect raises legal concerns, particularly with regard to data protection, because such transfers to a third country must comply with the standards of the GDPR and require appropriate safeguards governing the use and security of the data and the rights of the persons concerned. The expected agreement should define the categories of data transferred, the precise purposes, the limits of access, and safeguards equivalent to those required in the EU, in order to preserve the fundamental rights of the persons concerned.
Source: EU countries gear up to let US tap their citizens' biometrics | EURACTIV
[January 13] L'Usine Digitale has revisited the paradox of Irish enforcement: in the space of 6 years, the Data Protection Commission (the Irish data protection authority) has imposed more than 4 billion euros in fines under the GDPR, mainly targeting large technology companies. However, less than 1% of these amounts is reported to have actually been collected to date, due to almost systematic legal challenges. Indeed, the Irish legal framework suspends recovery until the sanctions are definitively upheld by the courts. This considerably extends the timelines, as some cases are also tied to questions pending before the Court of Justice of the European Union. The DPC nevertheless recalled that the fines remain due until they are annulled.
Source: GDPR: Ireland imposes billions in fines but collects only a trickle
[January 15] The EDPB has published an updated version of its FAQ for businesses on the EU-US Data Privacy Framework (DPF), the mechanism for transferring personal data to certified American organizations. This document recalls that the DPF can be used as a legal basis for transfers, but only if the recipient is on the official list of certified entities and if the scope of the certification covers the data concerned, and that, when the DPF is not applicable, companies must use other tools (such as standard contractual clauses) and verify the level of protection offered. The FAQ also insists that the GDPR obligations continue to apply (information for the persons concerned, contractual framework for processors, data minimization). Finally, it provides operational answers to secure practices, in particular on how to document transfers and how to react if the status of the American recipient changes. At the same time, the EDPB has published a model complaint form (version 2.0) to facilitate the filing of complaints with data protection authorities when a DPF-certified company does not comply with the principles of the framework.
[January 21] The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the European Commission's proposal to simplify the implementation of the harmonized rules of the AI Act via the “Digital Omnibus on AI”. They support the general objective of easing certain practical obligations for operators, while insisting that this simplification must not undermine the protection of fundamental rights, in particular privacy and data protection. In particular, the opinion recalls that the use of “sensitive” data to detect and correct the biases of an AI system should only be authorized when it is strictly necessary. However, the proposal would lower this threshold (to simple “necessity”), which the authorities recommend correcting in order to avoid overly broad use of this data. In addition, they call for clarifying and strengthening the involvement of data protection authorities in mechanisms such as European “regulatory sandboxes” to ensure compliance with the GDPR during AI trials. Finally, although the EDPB and the EDPS acknowledge some possible objective reasons for delaying the application of the rules for high-risk systems, both authorities recommend not compromising essential obligations such as those relating to transparency, in order to maintain a high level of legal protection in a context of rapid evolution of artificial intelligence technologies.
[January 27] The European Commission and Brazil have adopted mutual adequacy decisions, recognizing that the level of protection of personal data in Brazil is essentially equivalent to that of the European Union. This decision is part of a dynamic of reinforced strategic cooperation between the EU and Brazil, promoting digital innovation and legal certainty for companies and public authorities involved in international data transfers.
Source: EU-Brazil Data Adequacy Agreement
[January 1] California is significantly reshaping the framework of the California Consumer Privacy Act (CCPA) with the entry into force of new provisions on January 1, 2026. These reinforce the requirements on businesses, in particular through the gradual introduction of cybersecurity audits and risk assessments for certain processing activities. They also introduce a stricter framework for automated decision-making technologies, in order to improve transparency and consumer control. The rules also specify how the right to opt out of the sale or sharing of data must be honored. In addition, the obligations to respond to requests from individuals are clarified, with an extended access requirement when data is retained over a long period. Some measures will apply in a phased manner, in order to give organizations time to adapt their processes and governance.
Source: CCPA - Effective January 1, 2026
[January 15] The Information Commissioner's Office (ICO) has published an updated version of its guidance on international transfers of personal data under the UK GDPR. This update aims to clarify and simplify the applicable rules to help organizations understand when they are making a “restricted transfer” and how to comply. A three-step test is introduced to determine whether an exchange of data with a foreign entity falls under the international transfer regime. The new guidance also specifies the respective roles and responsibilities of controllers and processors in these complex situations. For organizations less familiar with these rules, the ICO adds a short guide, FAQs and a glossary, making the content easier to access.
Source: Updated guidance on international transfers published | ICO
[January 20] The Information Commissioner's Office (ICO) has fined two companies a total of £225,000 for sending millions of unsolicited marketing messages, in violation of the UK Privacy and Electronic Communications Regulations (PECR). Allay Claims Ltd received a £120,000 fine for sending over 4 million promotional text messages without valid consent and without meeting the “soft opt-in” conditions. ZMLUK Limited, for its part, was sanctioned for approximately 67 million marketing emails sent without informed consent, based on third-party data for which recipients had been given no explicit choice. These sanctions were an opportunity for the ICO to recall that relying on generic consent or displaying a list of partners is not enough to legitimize the sending of direct marketing messages.
Source: Fines of £225,000 for Nuisance Marketing Messages | ICO
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein