Personal data watch — January 2026
Each month, we deliver most of the latest data news in the newsletter Data4Coffee. Don't miss out on key information!
To receive it, please fill in this form.
1. FRANCE
1.1. Artificial intelligence: the Ministry of Justice creates a dedicated AI program department
[1]Er December] The Ministry of Justice announced the creation, within its general secretariat, of an Artificial Intelligence Program Department (DPIA) to structure, pilot and accelerate the integration of AI in judicial services while guaranteeing a legal, technical and ethical framework for projects. This direction, entrusted to Élise Farge Di Maria, will include a staff bringing together transversal expertise (compliance, security, R&D) and aims to develop operational use cases adapted to the needs of agents and magistrates. An initial experiment with an AI assistant designed to facilitate tasks such as documentary research, writing and synthesis has been launched. The approach is part of a wider strategy to modernize the public justice service, in cooperation with DINUM, the CNIL, the Court of Cassation, the Council of State, and private actors such as legaltechs and legal publishers.
1.2. CNIL and Caisse des Dépôts: partnership for the responsible use of personal data and AI
[1]Er December] The CNIL and Caisse des Dépôts have signed a cooperation agreement aimed at supporting digital projects carried out by the latter in a framework in accordance with the rules for the protection of personal data and the use of artificial intelligence. This structured collaboration makes it possible to integrate GDPR compliance and the ethical challenges of AI into the work of Caisse des Dépôts and its business departments. In particular, it includes support for the compliance of treatments, internal awareness-raising, contribution to the work of the CNIL and the implementation of joint projects on the impact of regulatory changes. An annual steering committee will monitor actions and develop new initiatives. This approach illustrates the importance of a responsible framework for data and AI in the service of public policies and the rights of individuals.
1.3. Non-compliance with cookie rules: 1.5 million euros fine for American Express
[December 3] After several site checks www.americanexpress.com/en-en, the CNIL sanctioned American Express up to 1.5 million euros for violating the rules governing trackers by depositing and reading cookies without valid consent or despite the explicit refusal of users. The CNIL sanction, pronounced on the basis of article 82 of the Data Protection Act, takes into account the knowledge of ancient and widely disseminated legal obligations concerning cookies, but also the fact that American Express has complied during the procedure. This decision recalls the requirements for prior and effective consent before depositing and reading non-essential cookies.
Source: Cookies: The CNIL sanctions AMERICAN EXPRESS with a fine of 1.5 million euros | CNIL
1.4. Minors and social networks: the CNIL launches FantomApp
[December 16] In a logic of supporting minors towards greater use
The CNIL provides FantomApp, a free application for minors aged 10-15 years old designed to help them better protect their personal data and secure their accounts on social networks. Developed collaboratively with middle school students, the application offers practical tools (password testing, photo blur, visibility settings) and guided tutorials to teach them how to master privacy settings. FantomApp also integrates information and trusted contacts to deal with problem situations (cyberbullying, piracy, etc.) and facilitate the exercise of the rights provided for by the RGPD. While 79% of children have access to a mobile phone before the age of 11, this project, funded by the European Union, makes it possible to raise awareness among minors towards a safer and more informed use of social networks.
Source: FantomApp: the CNIL application to help 10-15 year olds protect themselves on social networks | CNIL
1.5. Protection of student data: renewal of the partnership between the CNIL and the Ministry of National Education
[December 17] On December 16, 2025, the Ministry of National Education and the CNIL renewed their partnership initiated in 2018 to strengthen digital education and the protection of personal data in schools. This partnership aims to raise awareness and train students, teachers, parents and staff on the challenges of digital education and to support educational actors in their compliance with the RGPD. Together, the CNIL and the Ministry are committed in particular to promoting EdTech projects that respect privacy and to intensifying European and international cooperation in the field of data education. This initiative illustrates the importance given to the protection of the data of minors in a context of increased digitization of educational practices.
1.6. Cyber attack against the Ministry of the Interior
[December 17] The Ministry of the Interior has confirmed that it was the victim of a cyberattack targeting its professional email servers on the night of 11 to 12 December 2025, which allowed unauthorized persons to access a number of accounts and computer access codes. While the extent of the compromises is not yet known, sensitive files such as the Criminal Record Handling (TAJ) and the Wanted Persons File (FPR) could have been consulted. Two judicial and administrative investigations have been opened, and the CNIL has also been referred to the CNIL. The ministry has tightened lockdown and security measures on the affected systems, while claims have appeared on the cybercriminal forum BreachForums. The authors of the message say they had extensive access to the ministry's systems and large volumes of data, but there is no technical evidence to confirm the claims at this stage.
Sources:
1.7. Open source AI models: the CNIL provides a tool to trace their genealogy
[December 18] Together, the Digital Innovation Laboratory and the CNIL AI Department have developed a demonstration tool to explore the genealogy of an AI model present on the HuggingFace platform. With this tool, users will be able to identify the ascendants and descendants of the AI models they download. The objective of the CNIL is to facilitate the exercise of the rights of persons concerned whose personal data may have been integrated into an AI model and stored by the latter. The demonstration tool developed is an experimental step to understand the chains of transformation and memory of AI models and to better understand their impact on the rights of individuals.
Source: The CNIL publishes a tool for the traceability of AI models published in open source | CNIL
1.8. Political prospecting: the CNIL sanctions candidates for European and legislative elections
[December 18] The CNIL imposed five sanctions totalling 23,500 euros in fines against candidates in the 2024 European and legislative elections for having sent political prospecting messages in violation of the requirements of the RGPD. Among the shortcomings observed: unlawfulness of the processing due to a lack of consent of the persons concerned without justification of a legitimate interest, use incompatible with the initial purposes of collection, lack of information to the recipients of messages, failure to provide information to the recipients of messages, failure to comply with the obligation to allow and facilitate the exercise of the right of opposition or even failure to comply with a request to exercise their right to exercise their rights. In addition, a candidate had sent his prospecting messages to several hundred recipients without using the CCI function, thus failing in his obligation to ensure the confidentiality of the data.
This decision recalls that, even in an electoral context, political prospecting must comply with the principles of legality, transparency and security of personal data.
1.9. Ledger case: the Paris Judicial Court orders the dissemination of a non-public decision of the CNIL
[December 18] Following a data leak that occurred in 2020 and 2021, the CNIL condemned Ledger to the tune of 750,000 euros for not having implemented adequate security measures to protect the personal data of its users, without making the decision public. As phishing campaigns continued to target Ledger's customers, they referred the matter to the Paris Judicial Court in order to obtain the disclosure of the sanction decision in order to know the details of the grievances and obtain compensation for their harm. The only information currently under debate in this ongoing case belonging to the company Ledger, the pre-trial judge ordered the communication of the CNIL's decision. The next hearing, scheduled to take place in March, will address any elements of the decision covered by trade secrets.
Source: Ledger case: the Judicial Court orders the transmission of a non-public decision of the CNIL | CNIL
1.10. Subcontractor at the origin of a data breach: 1 million euros fine against Mobius Solutions Ltd
[December 19] The CNIL has imposed a fine of one million euros on Mobius Solutions Ltd, a subcontractor involved in the massive leak of personal data of Deezer users in 2022, which resulted in them being put online on the darknet. The restricted training of the CNIL identified several breaches by the company in its obligations as a subcontractor, namely: retention of data beyond the contractual relationship, use of data without instructions from the data controller and absence of a register of processing activities. The sanction highlights the application of the obligations of the GDPR to subcontractors, even established outside the European Union, and the importance of strictly complying with the contractual commitments and security measures provided for in the subcontractor/data controller relationship.
Source: Data breach: penalty of one million euros against MOBIUS SOLUTIONS LTD | CNIL
For more information on this decision, see our article.
1.11. Insufficient security measures: the CNIL sanctions Nexpublica France with a fine of 1.7 million euros
[December 24] The CNIL has imposed an administrative fine of 1.7 million euros against Nexpublica France for not having implemented appropriate technical and organizational security measures for its PCRM software package, used in particular by departmental houses for disabled people. This decision follows notifications of personal data breaches in 2022, revealing that users had been able to access third-party documents. The CNIL noted structural vulnerabilities that were known but not corrected before the incidents, constituting a breach of article 32 of the RGPD. The sanction takes into account the sensitivity of the data concerned, the number of persons concerned and the very role of the software publisher. This decision illustrates the increased requirement of the CNIL in terms of cybersecurity of treatments.
Source: Data security: penalty of 1,700,000 euros against NEXPUBLICA France | CNIL
For more information on this decision, see our article.
2. EUROPEAN UNION
2.1. Online marketplace: the CJEU strengthens the GDPR obligations of platforms in the publication of ads
[December 2nd] A person concerned had brought an action against the company Russmedia Digital, belonging to a marketplace, on the grounds that an advertisement presented them as offering sexual services. The Court of Justice of the European Union accepted the qualification of the company as a joint data controller since it exerted a decisive influence on the purposes and means of the processing (architecture of the marketplace, parameter for publishing advertisements, distribution and withdrawal of ads, classification). This qualification involves the full application of the obligations of the RGPD, and in particular the implementation of proactive measures to prevent the posting of illicit, in particular sensitive, personal data online, regardless of the exemption regime applicable to hosting providers.
2.2. Limits of the right of access: the General Court of the European Union rules
[December 3] The Court of the European Union rejected two appeals by an applicant against two decisions of the European Personnel Selection Office (EPSO) that partially refused access to personal data concerning him under Regulation (EU) 2018/1725 (the “GDPR for European institutions”) (the “GDPR for European institutions”). In particular, the Court held that the log files provided contained the information available, that the applicant did not establish the existence of other data about him that was not provided, and that no obligation to restore data lawfully deleted by EPSO was imposed by the regulation. The European judges also rejected grievances relating to response times and alleged violations of processing principles, thus confirming the legality of EPSO's decisions.
Source: Tribunal of the European Union, WS v. European Commission, 3 December 2025, T-318/24 and T-362/24
2.3. International data protection: the CEDP meets the “appropriate” countries and organizations
[December 3] On 3 December 2025, the European Data Protection Board held an online meeting with data protection authorities and representatives of country organizations benefiting from an adequacy decision in order to strengthen international cooperation in the field of data protection. This initiative aims to promote regular dialogue on the concrete application of European standards, the evolution of national legal frameworks and the common challenges related to international data transfers. It is part of a more strategic approach of the CEDP, seeking to consolidate mutual trust and promote a high and consistent level of data protection on a global scale. After a first meeting in October 2024, this meeting in December 2025 allowed the EDPS to gather feedback from participants in terms of international cooperation for the application of data protection.
2.4. European Data Protection Board: recommendations on online accounts, review of the Digital Omnibus proposal and new Vice President
[December 4] In a press release dated December 4, 2025, the European Data Protection Board announced the adoption of recommendations on the obligation to create user accounts on e-commerce sites, recalling that this requirement must be based on a valid legal basis under the GDPR and strictly respect the principles of necessity and data minimization. These recommendations, open to public consultation, aim to encourage more transparent and privacy-friendly practices in e-commerce. In the same press release, the ECDP also indicated that it had had a preliminary discussion on the Digital Omnibus proposal, stressing the impact of the proposal on the fundamental rights of individuals and the need to maintain a high level of data protection as part of the regulatory simplification projects carried out by the European Commission. Finally, Jelena Virant Burnik, Information Commissioner of the Republic of Slovenia, was appointed as Vice President of the EDPS, marking a further step in affirming its institutional governance.
Sources:
2.5. Publication of the data of 6 million individuals on the darknet: penalty of 2.6 million euros against Sprinter Megacentros Del Deporte
[December 4] The Spanish Data Protection Authority (AEPD) has imposed a fine of 2.6 million euros on the company Sprinter Megacentros Del Deporte following the publication on the darknet of the personal data of around 6 million people. The Spanish authority notes serious breaches of the security and data protection obligations provided for by the RGPD, in particular the inadequacy of the technical and organizational measures put in place to prevent unauthorized access and limit the impact of the violation. This decision illustrates the increased severity of supervisory authorities in the face of large-scale security breaches and recalls the requirement for robust cybersecurity governance and the management of data breaches.
Source: AEPD (Spain) — EXP202401683 | GDPRhub
2.6. Violation of the Digital Services Act: the European Commission sanctions X up to 120 million euros
[December 5] The European Commission has fined company X 120 million euros for violating the Digital Services Act. It accuses the platform of structural breaches of its due diligence obligations, in particular in terms of system transparency. In particular, the European Commission sanctions the use of the “blue check mark” identifying verified accounts, which is misleading since anyone who pays can obtain this check mark without X verifying who is at the origin of the account. The Commission also notes breaches of the transparency of the advertising register and the obligation to provide researchers with access to public data. This sanction, one of the first major ones under the DSA, confirms the European Union's desire to ensure an effective and dissuasive application of the new regulatory framework for major digital platforms.
2.7. Automated decision making and credit scoring
[December 10] In the context of a legal request sent by a person concerned to a credit institution, the Austrian supreme administrative court specified the applicable requirements and the outlines of the taking of automated credit scoring decision in accordance with Article 22 of the GDPR. She believes that a credit score entered manually as a neutral reference value was in no way an automated decision. As such, the credit institution was not required to provide the person concerned with accurate information about the method of calculating this score and the influence of the underlying data on it.
Source: vWGH — From 2023/04/0271 | GDPRhub
2.8. Public interest reason and data minimization: excessive publication of personal data in an online article
[December 11] LThe Spanish Data Protection Authority (AEPD) recalled that the reason of public interest does not exempt from compliance with the principle of data minimization. The authority sanctioned the publication, in an online press article, of a complete copy of a document sent by a data subject to a public authority, resulting in the excessive disclosure of personal data in view of the information purpose pursued. The AEPD emphasizes in its decision that even in the presence of a legitimate public interest, only information that is strictly necessary can be disclosed. This decision confirms the need for a rigorous balance between freedom of information and the protection of personal data.
Source: AEPD (Spain) - EXP202518088 | GDPRhub
2.9. United Kingdom: the European Commission renews its adequacy decisions
[December 19] The Commission renewed the two adequacy decisions of 2021 allowing the free movement of personal data with the United Kingdom. This renewal follows technical extensions taken in June 2025, which were due to expire on December 27, 2025. During these six months of extension, the Commission was able to carry out an in-depth assessment of the British legal framework, modified by the entry into force of the Data (Use and Access) Act. With these new decisions, data transfers from the European Union to the United Kingdom will be able to continue to take place without a specific framework until December 27, 2031.
2.10. Cybersecurity incident at the European Space Agency: compromise of external servers
[December 31] The European Space Agency (ESA) has confirmed that it has suffered a cybersecurity incident affecting a very limited number of external servers, located outside its internal network and dedicated to unclassified scientific collaborative activities. ESA has launched a forensic analysis and security measures, but has not confirmed at this stage the number of servers and the volume and nature of the data affected. However, the confirmation of this intrusion comes a few days after a security researcher announced on December 26, 2025, the sale of ESA data on the dark web, without this being validated by ESA. The incident highlights the security risks associated with external infrastructures even when they do not support critical systems.
Sources:
3. INTERNATIONAL
3.1. Age verification in the United Kingdom: Ofcom fines AVS Group 1 million pounds for violating the Online Safety Act
[December 4] Ofcom, the British telecommunications regulator, has fined AVS Group 1 million pounds for failing to implement highly effective age control mechanisms on its 18 pornographic sites, as required by the Online Safety Act. The AVS system was based on a simple photo upload, without real presence detection technology, easily bypassed by minors. Since then, the company has implemented new mechanisms at each of its sites. This decision illustrates the intensification of the application of legal age verification obligations on online platforms in order to limit children's access to inappropriate content.
Source: Ofcom Fines Porn Company £1 million for not having Robus Age Checks | Ofcom
3.2. Gemini: Google launches User Alignment Critic to control unauthorized actions
[December 8] Faced with the security risks associated with integrating Gemini AI into Chrome, including prompt injection attacks that could trigger unwanted actions, Google deployed a second surveillance AI model to analyze and validate actions generated by Gemini before execution in the browser: User Alignment Critic. To mitigate these attack vectors, the company is also implementing origin filtering and user confirmation mechanisms to limit automatic access to external or sensitive content. With this tool, Google seeks to prevent actions that are potentially malicious or not aligned with user intent in order to improve the security of AI-assisted browsing.
Sources:
3.3. Minors and social networks: Australia prohibits access to social networks for those under 16
[December 9th] Australia marks a key milestone in digital history by establishing for the first time a legal ban for minors under 16 from holding or accessing social media accounts. Facebook, Instagram, Threads, X, YouTube, YouTube, Snapchat, Reddit, Reddit, Kick, Twitch and TikTok must now take the necessary steps to delete all accounts owned by people under 16 in Australia, and prevent them from creating new ones through reasonable age verification measures or face significant fines of up to $49.5 million. The stated objective of protecting children from the risks associated with addictive content and algorithms could encounter technical and legal challenges, as well as the use by minors of applications not covered by the ban. France could follow this initiative, Emmanuel Macron having indicated during his Wishes to the French for 2026 that he wanted to protect children and adolescents from social networks and screens.
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein
.png)
