Personal data watch — May 2026
Each month, we deliver most of the latest data news in the newsletter Data4Coffee. Don't miss out on key information!
To receive it, please fill in This form.
1. FRANCE
1.1. Towards a ban on social networks for minors under 15
[April 1st 2026]
The bill to protect minors from the risks associated with social networks, tabled by Deputy Laure Miller (Together for the Republic), was adopted by the National Assembly at first reading on January 26, 2026, then by the Senate with amendments on March 31, 2026. The text is currently under second reading in the National Assembly. It plans to prohibit access to social networks that may harm the development of minors under 15 years of age (“black list” to be determined by decree), with an exception for services accessible with the agreement of a legal representative. Platforms will be required to deploy age verification systems, under the control of Arcom. The framework for access to social networks will come into force on September 1, 2026.
This desire to protect minors seems to have gained momentum internationally: Turkey is also considering regulating social networks.
1.2. The 2026 CNIL control plan: recruitment, electoral register and sports federations
[April 3, 2026]
On April 3, 2026, the CNIL unveiled its three priority control themes for the year 2026: recruitment, the single electoral register (REU) and sports federations.
- With regard to recruitment, controls will primarily target large companies and recruitment agencies in order to verify compliance with the GDPR in terms of automated decision-making, candidate information and data retention periods.
- With regard to the REU, managed by INSEE, the verifications will focus on the legality of uses and the absence of misuse of purpose.
- Finally, for sports federations, the rise in post-Olympic 2024 registrations justifies a check on the relevance of the data collected, their retention period and the security of the systems, as this sector processes sensitive data concerning many minors.
-
Source: Checks in 2026: recruitment, unique electoral register and sports federations | CNIL
1.3. The 2026 work program of the CNIL: AI, consent and cybersecurity
[April 7, 2026]
On April 7, 2026, the CNIL presented its work program for the year, detailing the projects planned to support the compliance of professionals. Among the priorities are “multi-property” consent (“cross-domain” in English), allowing a single agreement valid on several sites in the same group, and the finalization of guides on AI in the workplace and in health (algorithmic biases, guarantees for people). The CNIL will also launch work on the automatic analysis of voice communications (call centers, videoconferencing) and will publish cybersecurity recommendations (electronic voting, messaging, remote identity verification).
This program, which is indicative, is part of the CNIL's preparation for its future responsibilities as market surveillance authority under the AI Regulation.
Source: Support for professionals: the CNIL's work program for 2026 | CNIL
1.4. ANSSI: Publication of the State's digital security roadmap 2026-2027
[April 9, 2026]
On April 9, 2026, ANSSI released the roadmap of the State's priority digital security efforts for 2026-2027. This decision to publish, which is unusual for this type of document, comes in a context of high threat and a deteriorated geopolitical situation, and aims to strengthen the scope of the measures imposed on ministries. The roadmap draws lessons from the multiple incidents and data breaches that affected state information systems in 2025, revealing persistent weaknesses.
It pursues three main objectives: strengthen the resilience of ministerial infrastructures, prepare for the compliance of administrations with the NIS 2 directive (transposition in progress), and begin the transition to post-quantum cryptography, with inventories as early as 2026-2027 and implementation aimed at 2030. Operational monitoring will be provided monthly by the Interministerial Committee for Monitoring Digital Security (CINUS), under the aegis of ANSSI.
1.5. The private cloud for sensitive government data
[April 14, 2026]
Adopted in application of the SREN law, Decree No. 2026-272 of 14 April 2026 regulates the use of private cloud by administrations and certain public interest groups operating in sensitive sectors (health, social data, prevention of radicalization). Beyond the mere location of data, the text imposes global risk management, in particular against unauthorized extraterritorial access, by referring to an ANSSI technical reference system, compliance with which will condition the compliance of service providers. A temporary derogation regime makes it possible to continue certain ongoing projects. This decree enshrines a doctrine of “sovereign cloud under conditions”: it does not prohibit private service providers but subjects their use to reinforced control, meeting the expectations resulting from the SREN law, with a two-year wait.
Sources:
For more information on this decree, consult our article.
1.6. Tracking pixels in e-mails: the CNIL requires consent
[April 14, 2026]
On April 14, 2026, the CNIL published the final version of its recommendation on tracking pixels in e-mails (decision no. 2026-042 of March 12, 2026). These invisible images, integrated into emails, make it possible to trace the opening of a message without the recipient's knowledge. The CNIL now subjects them to the same regime as cookies: any use for marketing, personalization or profiling purposes requires prior, free and informed consent. A supervised exemption is provided for measuring the “deliverability” of transactional messages. Professionals have three months to inform their existing databases of the use of this technology and offer them the opportunity to oppose it. CNIL controls are expected as of mid-July 2026.
Source: Tracking pixels in emails: you need to be better informed | CNIL
1.7. Priority question of constitutionality on the cumulation of CNIL/ARCEP sanctions
[April 17, 2026]
By a judgment of 17 April 2026 (no. 501268), the Council of State referred to the Constitutional Council a QPC concerning article L. 34-5 of the Postal and Electronic Communications Code. This question was raised by Orange SA during an appeal against a penalty of 50 million euros imposed by the CNIL for sending commercial solicitations without valid consent. The company maintained that the combination of the sanctioning powers of the CNIL and ARCEP allowed for the accumulation of proceedings for the same facts, in violation of the “non bis in idem” principle. The Council of State considered the matter serious and novel, as article L. 34-5 had never been declared constitutional, and transmitted it to the Constitutional Council. This decision to refer the question to the Constitutional Council highlights a structural tension in digital law: the superposition of the powers of the CNIL and ARCEP for the same triggering event creates a risk of double sanctions. We await the decision of the Constitutional Council on this point.
Sources:
1.8. Health Data Hub/ Health Data Platform: Scaleway succeeds Microsoft Azure for hosting health data
[April 23, 2026]
On April 23, 2026, the Ministry of Health announced that Scaleway (a subsidiary of Iliad) had been selected to host the health data of the Health Data Hub - henceforth the “Health Data Platform”. This decision puts an end to seven years of storing health data on Microsoft Azure, a choice contested in the name of digital sovereignty. Selected among several candidates (including Cloud Temple, Docaposte, OVH, Atos, S3NS) on the basis of 350 technical requirements, Scaleway was considered the most suitable in terms of security, scalability and resilience, although not yet having obtained the SecNumCloud qualification. The complete migration of the National Health Data System (SNDS) is planned between the end of 2026 and the beginning of 2027, and should unlock several research programs that were previously suspended. This decision embodies the obligation resulting from the SREN law requiring the Health Data Hub to use a sovereign host.
Source: Scaleway becomes the host of the Health Data Hub | The IT World
1.9. Serial cyberattacks: National Education, ANTS, French Basketball Federation
[April 2026]
The month of April 2026 marks a dark streak for the security of French information systems with several notable cyberattacks:
- The Ministry of National Education reported two incidents: a first leak affecting 243,000 agents and then a second affecting nearly 3.5 million underage students via eduConnect.
- The National Agency for Secure Titles (ANTS) suffered an intrusion on 15 April potentially affecting several million users (names, first names, dates of birth, email addresses); the Ministry of the Interior referred the matter to the CNIL and the Paris prosecutor's office.
- The French Basketball Federation (FFBB) saw the data of nearly 2.7 million people (licensees and parents, including many minors) exfiltrated and put up for sale.
-
These incidents reveal the growing vulnerability of public systems to credential theft.
Sources:
2. EUROPEAN UNION
2.1. The Court of Justice of the European Union sets limits on the right of access
[March 19, 2026]
By a judgment of 19 March 2026 (case. C-526/24, Brillen Rottler), the Court of Justice of the European Union places, for the first time, an explicit limit on the exercise of the right of access to personal data provided for in article 15 of the General Data Protection Regulation (GDPR). The facts reveal a phenomenon well known to practitioners: an individual subscribed to the newsletter of a German optician, quickly makes a request for access to his data, then claims compensation on the basis of article 82 of the RGPD after the company's refusal. It invokes an abuse of rights, based on elements documenting repetitive and identical behavior on the part of the requester with multiple data controllers.
The Court provides three valuable lessons:
- An initial request for access may be considered “excessive” within the meaning of the GDPR if the data controller demonstrates a malicious intent, aimed at artificially causing a violation in order to take advantage of it.
- The right to redress applies to any violation of the GDPR, including the sole unlawful refusal to respond to an access request, even in the absence of other irregular processing
- Moral damage, in particular the loss of control over one's data, is in principle compensable, except when the person concerned is himself at the origin of the situation.
European judges thus specify that the right of access is a tool for transparency and control, not a litigation lever for commercial use.
Sources:
For more information on the implementation of the right of access, consult our articles:
2.2. The Italian sanction of 15 million euros imposed on OpenAI by the data protection authority is canceled
[March 19, 2026]
On 19 March 2026, the Court of Rome cancelled the 15 million euro penalty that the Garante, the Italian data protection authority, had imposed on OpenAI in December 2024. In doing so, it upheld OpenAI's appeal, which described the measure as “disproportionate.” The sanction was pronounced following an investigation opened in March 2023, with Italy being the first Western country to temporarily suspend ChatGPT, after the Guarantor noted an absence of a legal basis for the processing of personal data, deficiencies in the protection of minors and a lack of transparency towards users.
The Tribunal had already suspended the penalty provisionally in March 2025, pending a decision on the merits. The full reasons for the judgment are not yet public, making it impossible, at this stage, to determine whether the annulment is based on substantive, proportionality, or procedural reasons.
2.3. A harmonized impact assessment model (DPIA) proposed by the EDPS
[April 14, 2026]
On 14 April 2026, the European Data Protection Board (EDPS) adopted a harmonized Data Protection Impact Assessment (AIPD/DPIA) model. This model, whose use is not mandatory, aims to standardize practices at European level. Subject to public consultation until 9 June 2026, it will then be adopted by each national supervisory authority as the only standard or as a “meta-model”. For organizations operating in several Member States, this model puts an end to the divergence of national requirements and is a concrete lever for simplifying GDPR compliance.
Source: Enhancing compliance and consistency: EDPB adopts DPIA template | EDPB
2.4. Launch of an age verification application for the European Union
[April 15, 2026]
On 15 April 2026, the President of the European Commission Ursula von der Leyen announced that the European age verification app was technically ready and would be available soon. Based on a “zero-knowledge proof” cryptographic protocol, this open source tool would allow users to prove their age without transmitting personal information to the platforms. Seven member states, including France, Spain and Italy, plan to integrate it into their national digital identity wallets. This system aims to harmonize divergent national approaches to the minimum age for access to social networks and to provide platforms with a tool in accordance with the GDPR.
Its widespread deployment across the EU is planned for the end of 2026.
Sources:
2.5. New guidelines on scientific research and anonymisation adopted by the EDPS
[April 16, 2026]
During its plenary session on 16 April 2026, the EDPS adopted guidelines 1/2026 on the processing of data for scientific research purposes, providing the clarifications expected since 2018. In particular, the text defines six indicative criteria for qualifying an activity as “scientific research” within the meaning of the GDPR, specifies the conditions for broad and dynamic consent, the limitations on the rights to erasure and opposition, as well as the distribution of responsibilities within consortia. Subject to public consultation until June 25, 2026, it constitutes a welcome operational framework for actors in health research and Artificial Intelligence.
At the same time, the EDPS has created a “sprint team” to finalize its long-awaited anonymization guidelines by summer 2026, as the distinction between anonymized and pseudonymised data remains a source of major legal uncertainty.
For more information on the pseudonymization and anonymization of personal data, see our article: Pseudonymization: a legal lever under certain conditions
2.6. A first European data transfer label adopted by the EDPS
[April 16, 2026]
On 16 April 2026, the European Data Protection Board (EDPS) adopted two opinions concerning Europrivacy certification:
- Extension of the label: the Europrivacy criteria — the first European data protection label, approved in 2022 — are updated. Their scope of application extends to companies established outside Europe but subject to the RGPD (art. 3§2): those that target European residents or monitor their behavior.
- An unprecedented transfer tool: for the first time, Europrivacy is recognized as an appropriate guarantee within the meaning of articles 42 and 46 of the GDPR. Importers established outside the EEA, not subject to the RGPD, will now be able to obtain this certification. European exporters will thus have a new tool to manage their transfers to third countries.
-
2.7. Sovereign cloud: the European Commission awards a contract of 180 million euros to four European consortia
[April 17, 2026]
On 17 April 2026, the European Commission awarded a contract worth 180 million euros over six years to four European consortia for sovereign cloud services intended for European Union institutions and agencies:
- Post Telecom, with its partners Clever Cloud and OVHcloud, StackIt, Scaleway;
- Proximus, associated with S3NS, the joint venture between Thales and Google Cloud;
- Clarence;
- Mistral.
The selection was based on the Cloud Sovereignty Framework, based on eight criteria covering in particular the strategic, legal and compliance with European law dimensions. The presence of S3NS, a hybrid architecture combining Thales and Google Cloud, illustrates the pragmatic approach adopted: non-European technologies are accepted within a strictly regulated framework.
Sources:
3. INTERNATIONAL
3.1. Adoption of legislation prohibiting access to social networks for minors and warnings from Google and Meta
[April 2, 2026]
Since March 28, 2026, Indonesia has prohibited access to social networks for minors under the age of 16. The Ministry of Communications sent a first, then a second formal notice to Meta (Facebook, Instagram, Threads) and Google (YouTube) for non-compliance with this law, accusing them of not having deactivated underage accounts, or deployed effective age verification systems.
The government said it did not tolerate “any room for compromise” and announced administrative sanctions up to and including restrictions on activity. This case illustrates the growing tension between sovereign states and global digital platforms over the effective application of local regulations for the protection of minors online.
[April 22, 2026]
On April 22, 2026, the Turkish Parliament passed a law prohibiting minors under 15 years of age from accessing social networks. The text still needs to be approved by President Erdoğan before it comes into force.
Platforms will have three obligations: set up age verification systems, offer parental control tools, and react in less than an hour to any harmful content.
Turkey is joining a growing global legislative movement. Australia and Indonesia have set the digital age of majority at 16. France and several European states have retained the 15-year threshold — now shared by Ankara.
Source: Turkey has adopted a law to ban social networks for people under 15 | Franceinfo
3.2. Opening of an investigation against Telegram in the United Kingdom for not protecting minors
[April 21, 2026]
On April 21, 2026, Ofcom, the British online safety regulator, opened a formal investigation against Telegram under the Online Safety Act, after receiving evidence of the presence of child sexual abuse material (CSAM) on the platform. Ofcom simultaneously launched investigations against two teen chat sites (Teen Chat and Chat Avenue) for potential use for grooming purposes, i.e. soliciting children for sexual purposes. In the event of a proven breach, platforms face fines of up to 18 million pounds sterling or 10% of their global turnover.
Source: Ofcom investigates Telegram and teen chat sites | Ofcom
Caroline Chancé, Jeannie Mongouachon, Clémentine Beaussier, Victoire Grosjean and Juliette Lobstein
.png)
