France

Main takeaways


  • No fines against authorities and public entities.
  • DPA enforcement in relation to publicly announced focus topics.
  • GDPR fines by DPA comparatively high.
  • Limited transparency regarding the publication of fines (however, there is an annual report with aggregated figures).
  • Fines > Damages: Focus on fines, limited litigation.

Fining practice in France

Trend: Have the national data protection authorities in France focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

The French data protection authority (the “Commission nationale de l’informatique et des libertés” or the “CNIL”) does not make statements on the types of non-compliance it investigates. It could be said that, until now, the CNIL has focused its investigations on essential obligations, such as the legal bases for data processing (Art. 5, 6 GDPR) or security requirements (Art. 32 GDPR).

All sectors are concerned by the CNIL’s investigations.

Each year, the CNIL focuses a part of its investigations on certain specific sectors.

For 2023, the CNIL’s enforcement actions focused on the use of “augmented” cameras by public players, the use of the personal credit incident file, health file management and mobile applications.

In 2024, the CNIL announced that its enforcement actions will focus on:

  1. data relating to minors,
  2. data processing related to the Olympic and Paralympic Games,
  3. data processing related to dematerialized sales receipts and loyalty programs,
  4. data subject’s right of access.

In past years, the CNIL’s enforcement actions and sanctions have mostly concerned the following sectors/areas: advertising and e-commerce, security, vehicle geolocation, employee rights and health data processing...1

In 2023:

  • 42 sanctions were imposed by the CNIL, for a total of EUR 89,179,500. Among these 42 sanctions: one third involved a breach of security of personal data; 5 European decisions were studied by the CNIL; and 6 decisions were published in cooperation with the CNIL’s European counterparts.
  • 168 formal notices have been issued by the CNIL. These formal notices also concerned a variety of sectors and issues, which overlap with those addressed in sanction procedures, such as the exercise of rights, failure to cooperate with the CNIL and vehicle geolocation. Sanctions also concerned more specific sectors: On the one hand, injunctions were issued against 39 municipalities that had deployed automated license plate readers for administrative and judicial police purposes. On the other hand, in the realm of cybersecurity, a series of inspections focused primarily on the security of websites, particularly those belonging to public bodies popular among French Internet users (e.g., regional, municipal, or communal websites).

The year 2023 was also the one in which the simplified sanction procedure gained importance. Of the 42 sanctions adopted this year, 24 were issued under this new procedure (12 fines alone and 12 fines combined with injunctions), for a total of EUR 229,500. The main breach found under the procedure was the failure to cooperate with the CNIL, followed by breaches related to the security of personal data.

Overall, what was the most significant fine in France to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The highest GDPR fine in France to date was imposed on GOOGLE LLC and GOOGLE IRELAND LIMITED on 31 December 2021 for a total amount of EUR 150 million (90 million on GOOGLE LLC and 60 million on GOOGLE IRELAND LIMITED).

The CNIL considered that the sites “google.fr” and “youtube.com” did not allow cookies to be rejected as easily as they could be accepted. According to the CNIL, an internet user was required to click on “Manage data settings” to reject cookies, thus biasing user consent.

Organisation of authorities and course of fine proceedings in France

How is the data protection authority organised in France? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The CNIL is an independent administrative authority; it reports neither to the Government nor to a specific ministry. It has 245 staff members and a College of 18 members, composed of:

  • 4 members of Parliament (2 deputies, 2 senators).
  • 2 members of the Economic, Social and Environmental Council.
  • 6 representatives of the highest courts (2 Counsels from the Conseil d’Etat, 2 Counsels from the Cour de Cassation, 2 Counsels from the Cour des Comptes).
  • 5 qualified persons appointed by the President of the National Assembly (1 person), the President of the Senate (1 person), by the Council of Ministers (3 persons).
  • The President of the CADA (Commission for Access to Administrative Documents).

The CNIL has an annual budget of EUR 21.8 million.2

How does a fine procedure work in France? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?


  • Fines may be directly imposed by the CNIL as part of administrative proceedings.
  • Following inspections or complaints, in the event of non-compliance with the provisions of the GDPR or the French data protection Act, the CNIL may impose sanctions on companies which do not comply with these legal provisions.
  • The CNIL may impose a fine without providing a prior notice on compliance.
  • If the CNIL decides to initiate fine proceedings following audits or inspections, the company shall be notified to this effect. A report proposing the imposing of an enforcement measure shall be sent to the company and the latter may submit its observations to the CNIL.
  • The fines may be made public or not. 
  • Companies are able to appeal decisions before the Council of State (Conseil d’Etat) within two months following the notification date of the decision made by the CNIL.

As of 2022, a major reform of the CNIL’s corrective measures has been carried out, leading to the adoption of the first sanctions under simplified sanction proceedings for cases of lower complexity. The maximum amount of a penalty imposed under this procedure is EUR 20,000. The fines imposed to date range between EUR 5,000 and EUR 20,000, half of which were imposed for injunctions under penalty (i.e., financial penalties for late compliance). They target various actors (for example, a university and doctors). They also deal with a variety of issues and concern the use of administrative files for political communication purposes, video surveillance of employees, disregard of data subject’s rights or failure to cooperate with the CNIL.3

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

The CNIL does not collect fine amounts; these are paid directly into the state treasury. 

Is there a common, official calculation methodology for fines in France (such as the fining models in the Netherlands or Germany)?

There is no common, official calculation methodology for fines. Fines are calculated in light of the criteria mentioned in Article 83(5) and (6) of the GDPR.

Can public authorities be fined in France? If they can: Where does this money go?

Enforcement action may be taken against public authorities, but no administrative fines may be imposed for the processing of personal data carried out by the State.

In France, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The CNIL does not publish all imposed fines, pending proceedings or investigations. The CNIL decides, taking into consideration the facts and violations, whether or not to publish its decisions or enforcement actions.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

Each year, the CNIL publishes an activity report in which it details all key numbers.  

For 2023:4

  • The CNIL conducted 340 investigations.
  • The CNIL issued 42 penalties including 36 fines totalling EUR 89,179,500; 14 of which were associated with injunctions subject to financial penalty and 2 liquidations under penalty.
  • The CNIL issued 168 orders to comply.
  • The CNIL issued 4 reminders.

For 2022:5

  • The CNIL conducted 345 investigations.
  • The CNIL issued 21 penalties including 19 fines totalling EUR 101,277,900; 7 of which were associated with injunctions subject to financial penalty and 2 liquidations under penalty.
  • The CNIL issued 147 orders to comply.
  • The CNIL issued 29 reminders.

For 2021:6

  • The CNIL conducted 384 investigations.
  • The CNIL issued 18 penalties including 15 fines totalling EUR 214,106,000; 5 of which were associated with injunctions subject to financial penalty.
  • The CNIL issued 135 orders to comply, including 2 public notices.
  • The CNIL issued 45 reminders.

For 2020:7

  • The CNIL conducted 247 investigations.
  • The CNIL issued 14 penalties including 11 fines totalling EUR 138,489,300 and one injunction under penalty not associated with a fine.
  • The CNIL issued 49 orders to comply including 3 public notices and 4 in cooperation with other European data protection authorities.
  • The CNIL issued 38 reminders and 2 warnings, notably following complaints.

For 2019:8

  • The CNIL conducted 300 investigations.
  • The CNIL restricted committee issued 8 penalties including 7 fines totalling EUR 51,370,000 and 5 injunctions.
  • The CNIL issued 42 orders to comply, including 2 public notices.
  • The CNIL issued 2 reminders and 2 warnings.

The CNIL also provides aggregate sets of data (open data) on its activity including fines from earlier periods.  

Other legal consequences of non-compliance in France

Does France have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Yes, several data subjects placed in similar situations and affected by damages resulting from a breach of data protection laws may file a complaint against the same data controller or data processor: a class action (“action de groupe”) may be filed before civil or administrative courts (Article 37 II of the French Data Protection Act).

A class action can only be filed by: 

  • associations with activities in the field of privacy and data protection for at least five years,
  • accredited consumer associations that are representative at the national level,
  • trade unions.

There have been very few class actions to date, most of these being against major tech companies.

What is more relevant in France: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

To date, fines from data protection authorities are much more prevalent than claims for damages or injunctions, which are very rare in practice.