Each month, we deliver most of the latest data news in the Data4Coffee newsletter. Don't miss out on key information!
[January 30] The Council of State (Conseil d'État) confirmed that a local authority cannot automatically analyze video surveillance images of public roads without a specific legal basis. In this case, the municipality of Nice wanted to deploy an algorithmic device, fed by its existing cameras, to detect irregular parking in front of schools and alert the municipal police. The CNIL considered that this constituted automated processing of personal data requiring a data protection impact assessment and, for certain modules, its prior opinion. The administrative judge upheld this position: while the Internal Security Code authorizes video protection, it does not allow the systematic automated analysis of the images in the absence of a text expressly authorizing it.
Source: Decision No. 506370 - Council of State
[January 30] The CNIL has unveiled its action plan for the 2026 municipal elections, aimed at regulating the use of personal data in the electoral context and at guaranteeing compliance with the GDPR and the French Data Protection Act. The plan includes recommendations for political actors, parties and service providers to secure their data processing (electoral rolls, membership files, digital campaigns) and to avoid breaches that may affect the confidentiality or integrity of the data. The CNIL stresses the importance of clear information for data subjects about the purposes of the processing, in particular where profiling or electoral targeting is involved. It plans audit and dialogue actions with the actors concerned throughout the electoral cycle to ensure that practices comply with data protection law.
Source: Municipal elections 2026: the CNIL's action plan to protect voters' data | CNIL
[February 2] The CNIL has unveiled the 2026-2028 work program of its economic analysis mission, aimed at better understanding business models based on personal data and at measuring the economic impact of its regulatory decisions. The CNIL will continue work already under way, in particular on the interplay between data protection and competition law and on the economic effects of the GDPR in terms of benefits for companies and data subjects. It also wishes to deepen the economic analysis of its sanctions so as to incorporate quantitative elements that justify the amounts imposed. Among the new topics the authority wishes to address over the next two years of the program are the doctrine applicable to "consent or pay" models and the economics of health data warehouses, in connection with the European framework.
Source: Data economy: the CNIL publishes its work program for 2026-2028 | CNIL
[February 3] The CNIL has published a warning on hypertrucage (deepfakes), that is, audio, video or visual content altered by artificial intelligence, recalling that such content can damage reputation, privacy and trust in information. It highlights the importance of obtaining explicit consent for the use of images, voices or other biometric data in creations generated or modified by AI, especially when this data reveals sensitive information. The authority also encourages platforms and developers to integrate technical and organizational safeguards (privacy by design, source verification, content reporting) to prevent unlawful uses and protect the persons concerned.
Source: Hypertrucage (deepfake): how to protect yourself and report illegal content? | CNIL
[February 4] The CNIL recalls the rules applicable to data processing for the purposes of scientific research or the development of public policies outside the health field, specifying that certain projects must be the subject of a prior referral to the CNIL, in particular when they involve high risks for the rights and freedoms of individuals, lack an explicit legal basis, or constitute innovative or large-scale processing. It recommends contacting it during the design phase of the project to avoid non-compliance, by providing a file describing the objectives, the categories of data, the recipients and the planned safeguards, as well as the research protocol, the research contract or any other document explaining the research process.
[February 4] ANSSI has published a summary of the threat that the integration of generative AI into the cyberattack landscape poses today, examining both its offensive use and the risks to which these systems are themselves exposed. According to the report, generative AI models are already being exploited at various stages of cyberattacks to profile victims, generate social engineering content or develop malicious programs, which can increase attackers' ability to automate and scale malicious campaigns. However, ANSSI notes that at this stage no generative AI system has demonstrated the ability to conduct a complete attack autonomously, which tempers the assumed magnitude of the immediate operational risk.
The summary also stresses that the models themselves become targets: they can be subject to alteration or compromise, potentially affecting the integrity of their outputs and the security of the data they handle. ANSSI calls for continuous vigilance and regular reassessment of the threat, taking into account the rapid evolution of attackers' uses and capabilities.
Source: Summary of the threat to generative AI in the face of computer attacks — ANSSI
[February 6] The CNIL announced the launch of a new online user journey intended to support people registered in the banking incident files managed by the Banque de France, such as the national file of consumer credit repayment incidents (FICP) and the central cheque file (FCC). It is an educational tool designed to guide users more effectively towards the appropriate procedures and services, based on concrete situations. This experimental service may evolve and be extended to other types of files managed by the State, improving the accessibility of information and citizens' ability to exercise their rights independently.
Source: Banking incident files: the CNIL informs you and supports you in your procedures | CNIL
[February 9] The CNIL announced that in 2025 it issued 259 decisions, including 83 sanctions, confirming sustained and targeted enforcement activity. The total amount of fines imposed reached nearly 487 million euros, reflecting large-scale cases and breaches considered particularly serious under the GDPR. An increase in the individual amounts of fines should also be noted. The sanctioned breaches include failures in data security, breaches of cookie and consent rules, and violations of individuals' rights. The CNIL also issued 143 formal notices, aimed at obtaining rapid compliance where the shortcomings observed can be corrected.
Source: Sanctions and corrective measures: the CNIL presents the 2025 report | CNIL
[February 18] The Ministry of the Economy has revealed that fraudulent access to the national bank account file (FICOBA) potentially allowed the consultation of the data of 1.2 million bank accounts since the end of January 2026. The attack resulted from the compromise of the credentials of an official with access to the file in the context of interministerial exchanges, allowing a malicious actor to consult part of this database, which lists all accounts opened in France. The data concerned includes RIB and IBAN, the identity of the holders, their address and sometimes their tax identifier, without access to balances or any possibility of carrying out banking transactions. As soon as the incident was detected, the Directorate-General for Public Finances (DGFiP) stated that it had implemented access restriction measures to contain the attack and prevent any further illegitimate consultation, and that the persons concerned would be informed individually, in accordance with the requirements of the GDPR. This case is part of a context of increasing data leaks within public administrations, as illustrated recently by the sale of the data of more than 377,000 candidates from the "Choosing the Public Service" platform following a cyberattack via a management account, and by the recent sanction pronounced by the CNIL against France Travail due to the agency's deficient information system.
[February 18] As part of a coordinated action by the European Data Protection Board (EDPB), in 2025 the CNIL carried out checks on six organizations in order to verify the implementation of the right to erasure provided for in Article 17 of the GDPR. In a dedicated article, the CNIL takes stock of this action. The investigations show in particular that erasure requests are generally handled and that refusals are based, in most cases, on the exceptions provided for by the regulation (legal retention obligation, freedom of expression, etc.). Many organizations have put good practices in place, including internal training, to ensure that requests from data subjects are handled. However, the CNIL notes persistent shortcomings, in particular the absence of formalized internal procedures, incomplete responses to individuals and difficulties in determining retention periods or in deleting data from backups. The EDPB identified similar challenges at the European level, also stressing that the complexity of data exchanges, the absence of harmonized tools and the difficulties of coordinating with other rights are obstacles to a fully effective implementation of the right to erasure. It should be noted that following this coordinated action, the CNIL has already issued two formal notices and is continuing to investigate other cases.
[February 10] In 2021, WhatsApp was fined 225 million euros by the Irish Data Protection Commission for breaches of the GDPR, in particular regarding transparency and information to users about the processing and sharing of their data within the Meta group. Initially set at 50 million euros, this fine was increased at the request of the EDPB, which considered that the consolidated turnover of the parent company (then Facebook) had to be included in the turnover used for the calculation. The company challenged this EDPB decision before the General Court of the European Union. In an order issued in December 2022, the General Court rejected the action, considering that the EDPB decision was an intermediate measure within a procedure that would end with a national decision. On appeal, the Court of Justice of the European Union has now declared WhatsApp's action admissible. Contrary to the regulator's arguments, the Court considers that the EDPB's decision is indeed a challengeable act, since it binds the national authorities to increase the sanction. Although the Court upholds the European procedure, it thereby recognizes the right of companies to challenge the lawfulness of the EDPB's binding decisions directly before the EU courts. The Court did not, however, question the amount of the fine imposed by the Irish authority.
[February 11] The EDPB and the European Data Protection Supervisor (EDPS) have adopted a joint opinion on the proposed "Digital Omnibus" regulation, intended to simplify the European Union's digital regulatory framework while strengthening the competitiveness of organizations. The text covers in particular provisions affecting the GDPR and the ePrivacy Directive, with the aim of reducing the administrative burden these texts impose and clarifying certain obligations. The authorities consider the proposal positive where it raises the risk threshold triggering the obligation to notify a data breach or harmonizes certain concepts such as "scientific research", as these changes strengthen legal certainty while easing the obligations of data controllers. However, they raise significant concerns about other parts of the text: several proposed amendments, in particular those relating to the definition of personal data, could reduce the level of legal protection offered to individuals, create legal uncertainty and complicate the application of Union law.
[February 13] The EDPB adopted its 2026-2027 work programme, based on the priorities of its 2024-2027 strategy and on the commitments of the Helsinki Statement to make GDPR compliance more accessible for organizations. The programme emphasizes the development of practical, ready-to-use tools, such as templates for the legitimate interest assessment, the record of processing activities and the privacy policy, in addition to the already announced templates for data breach notifications and impact assessments. The objective is to reinforce the clarity and consistency of the legal obligations arising from the GDPR by offering concrete resources (checklists, standard notices) to help controllers and processors demonstrate their compliance. The programme also reaffirms the importance of engaging with stakeholders and of cooperation between supervisory authorities in order to reduce disparities in the interpretation and application of the law.
In parallel, the EDPB published a report consolidating the contributions received during its public consultation on templates that could facilitate business compliance, providing direct feedback from organizations on the usefulness of these documents, what they expect from them and possible adjustments.
[February 5] The Information Commissioner's Office (ICO) has published a statement on the occasion of the commencement of the Data (Use and Access) Act (DUAA), a text that amends and supplements the British data protection framework. This reform aims to facilitate the use and sharing of data while maintaining a high level of protection of people's rights, by adjusting some rules of the UK GDPR and the Data Protection Act. In its statement, the ICO says it will support organizations in the gradual implementation of the new provisions by publishing updated guidance to ensure consistent and legally secure application. The regulator underlines that, despite the changes introduced by the DUAA, the fundamental principles remain: lawful, transparent and proportionate processing of personal data, the principle of accountability and effective respect for individual rights. The commencement of the text requires controllers subject to the UK GDPR to analyze the impact of the new rules on their internal practices, in particular in terms of data governance and information sharing.
Source: Statement on the Commencement of the Data (Use and Access) Act (DUAA) | ICO
[February 5] The ICO fined MediaLab, owner of the Imgur platform, for failures in protecting children's privacy, finding that the site did not comply with its UK GDPR obligations regarding the processing of underage users' data. The ICO found that some Imgur features exposed children's content and data without sufficient safeguards, and that age assurance and verification mechanisms were inadequate to prevent unauthorized access to or sharing of their personal information. The ICO also pointed out that the absence of effective processes for obtaining valid consent or for restricting access by minors meant that the particular risks of processing concerning them had not been sufficiently taken into account.
Source: Imgur owner MediaLab Fined over Children's Privacy Failures | ICO
[February 12] The ICO has published a guide to help organizations effectively handle data protection complaints made under the UK GDPR and the Data Protection Act. The document explains how to receive, record and respond to a complaint, with an emphasis on reasonable response times and clear communication with the person concerned. It recalls that every complaint must be handled without undue delay and documented in a way that demonstrates that the organization has seriously and impartially examined the claims, for example those relating to access to data, their rectification or their erasure.
Source: How to deal with data protection complaints | ICO
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein