This newsletter presents a selection of news from April to June 2026 in the field of data protection.

1. CNIL decisions

Health data: €5 million fine for breaches of GDPR obligations

In a decision dated 26 May 2026, the CNIL imposed a fine of 5 million euros on IQVIA Operations France for breaches in the management of vast health data repositories supplied by pharmacies and doctors, intended for pharmaceutical companies. The authority noted, in particular, a failure to comply with the obligations set out in the authorisations granted, specifically regarding the provision of information to data subjects and the exercise of their rights, in a context involving sensitive data and tens of millions of people.

The CNIL has identified several breaches of the GDPR, relating in particular to transparency, data security and the safeguards governing such large-scale processing. It emphasises the seriousness of the breaches given the nature of the data processed and the volume involved, and has accompanied its decision with compliance orders subject to a daily penalty payment, reiterating the stricter requirements applicable to the processing of health data. Above all, in line with the case law of the Court of Justice of the European Union (CJEU, 4 September 2025, C-413/23), it reiterates that for data to be classified as anonymised—thereby falling outside the scope of the GDPR—it must be reasonably impossible to re-identify the data subject.

It is therefore recommended that organisations carry out internal checks on so-called ‘anonymisation’ processes, for example through an internal policy or regular re-identification tests, taking particular account of possible cross-referencing with other data sources.

2. CNIL documentation

Tracking pixels in emails: the CNIL clarifies the applicable rules

The CNIL has published a recommendation on regulating the use of tracking pixels embedded in emails; these invisible images make it possible, in particular, to determine whether a message has been opened and to collect technical information (date, device, IP address).

The CNIL reiterates that the use of such mechanisms generally requires the prior consent of recipients, particularly when they are used to measure campaign performance or to profile users. Only certain strictly necessary purposes, such as security or limited deliverability, may qualify for exemptions.

CNIL’s 2026 Programme: priority given to support and AI

In its 2026 work programme, published on 7 April 2026, the CNIL announced that it would continue to support public and private sector organisations in their efforts to comply with the GDPR, with a focus on transparency and consultation with industry professionals. The authority plans to publish new resources and consultations, in particular to anticipate regulatory developments and promote good operational practices.

Priorities include improving the process of obtaining consent, strengthening the regulatory framework for artificial intelligence, and producing practical tools for DPOs.

Credit granting: the CNIL regulates scoring and automated decision-making

In a recommendation published on 7 May 2026, the CNIL sets out the rules applicable to data processing in creditworthiness assessments, in particular the so-called scoring tools used by credit institutions. It reiterates the obligation to base such processing on an appropriate legal basis and to limit data to what is strictly necessary.

It also emphasises the framework for automated decision-making, as set out in Article 22 of the GDPR, which requires transparency regarding the criteria used, safeguards for individuals’ rights and the possibility of human intervention, in accordance with the GDPR.

2025 Annual Report: an intensification of inspections and sanctions under the GDPR

In its 2025 Annual Report, published in May 2026, the CNIL takes stock of a year marked by a sharp rise in activity, with a record number of complaints (over 20,000) and data breach notifications. The authority highlights the rise in concerns regarding the protection of personal data, against a backdrop of increased digitalisation and a surge in cyberattacks.

The CNIL also highlights an unprecedented level of fines, with 83 decisions totalling nearly 487 million euros, reflecting the GDPR’s growing effectiveness.

The CNIL provides a template for an activity report for DPOs

To support the management of GDPR compliance, it is recommended that the DPO draw up an activity report, to be updated over time, in order to provide a clear overview of actions completed and those still to be carried out.

To this end, the CNIL has drawn up a report template for DPOs. Whilst not mandatory, this is considered good practice.

3. Legal and case law news – France

Commercial canvassing: a QPC on the accumulation of CNIL and ARCEP sanctions

By a decision of 17 April 2026, the Conseil d’Etat (French Administrative High Court) referred a priority preliminary ruling on constitutionality (QPC) concerning Article L.34-5 of the Post and Electronic Communications Code to the Constitutional Council, in the context of an appeal by Orange SA against a fine of 50 million euros imposed by the CNIL for canvassing without consent. The company argued that the combination of the sanctioning powers of several authorities could lead to the same acts being prosecuted and penalised.

The Conseil d’Etat (French Administrative High Court) considered that the question raised a serious issue, particularly with regard to the principles of necessity and proportionality of penalties, in that it could allow for the accumulation of administrative sanctions for the same breach. The decision to be issued by the Conseil Constitutionnel (French High Court) will need to clarify the framework governing these powers and the risks of double punishment in the field of electronic marketing (CE, 17 April 2026, 501268).

The Conseil d’Etat (French Administrative High Court) sets out the framework for access to IP address data

The Conseil d’Etat (French Administrative High Court) has partially annulled the decree governing the French mechanism to combat illegal downloading, ruling that access to data relating to IP addresses must comply with strict safeguards laid down by European Union law. In particular, it noted that French law did not sufficiently regulate the retention of data by operators.

The court also ruled that a third access to the identity data of the same subscriber, as part of the ‘graduated response’ scheme, must be subject to prior authorisation by a judge or an independent authority. The decree was therefore deemed unlawful on these points (Council of State, 30 April 2026, 433539).

Website not compliant with the GDPR: contract void due to a fundamental defect

In a judgment of 7 May 2026, the Douai Court of Appeal set aside a contract for the creation of a website on the grounds that it did not comply with the GDPR. In particular, the website delivered contained advertising cookies installed without prior consent, made it impossible to withdraw that consent easily, and collected data via forms without providing information in accordance with the requirements of the GDPR.

The court held that compliance with personal data regulations constitutes an essential quality of a website, which the client expects, particularly when they entrust its creation to a professional. In the absence of information regarding such processing and in light of breaches of the obligations of consent and transparency (Articles 6, 7 and 13 of the GDPR), it considered that the client’s consent had been vitiated. The contract is therefore set aside (Douai Court of Appeal, 7 May 2026, Case No. 22/05075).

Misled consent: penalty for data collection for marketing purposes

In a judgment of 20 May 2026, the Conseil d’Etat (French Administrative High Court) largely upheld a penalty imposed on the company Tagadamedia, which collected personal data via online games in order to pass it on to commercial partners. The court ruled that the mechanisms for obtaining consent did not comply with the GDPR, as the interfaces emphasised acceptance (‘I accept’) at the expense of less visible or ambiguous alternatives, thereby preventing free, informed and unambiguous consent.

The court thus upheld the finding of a breach of Articles 6 and 7 concerning the lawfulness of processing, whilst partially setting aside the decision on procedural grounds relating to the rights of the defence. It reduced the fine to 50,000 euros but upheld the order to implement a compliant consent mechanism (CE, 20 May 2026, 492836).

The right to be forgotten and press archives: the primacy of freedom of information

In a judgment of 3 June 2026, the Cour de Cassation (French Civil High Court) dismissed the application by a former executive who had been convicted of a criminal offence, seeking the removal or anonymisation of a press article that was still accessible online. It upheld the analysis of the trial judges, who had balanced the right to data protection and privacy against freedom of expression and information, in accordance with Article 17 of the GDPR (right to be forgotten) and European case law.

The Court considers that the continued publication of the article remains justified by a public interest, relating in particular to the seriousness of the facts, the public role of the person concerned in the sporting arena and the topicality of the debate on the management of funds in this sector. It specifies that minor inaccuracies or changes in the criminal proceedings are not sufficient to require erasure, provided that the infringement of privacy is not disproportionate (Court of Cassation, 3 June 2026, No. 25-14.228).

GDPR complaint: inadmissible due to lack of a ‘data subject’

In a judgment of 11 June 2026, the Conseil d’Etat (French Administrative High Court) upheld the CNIL’s decision to close a complaint directed against a school’s ‘GDPR policy’. It ruled that the referral did not constitute a ‘complaint’ within the meaning of Article 77 of the GDPR, as the contested provisions were not applicable to the applicant.

The High Court noted that the disputed document had been published after the applicant’s child had left the school, ruling out any concrete link to his situation. As he was not a ‘data subject’, the applicant had no legal standing to bring proceedings, which rendered his application inadmissible and precluded any examination of the merits (CE, 11 June 2026, 513677).

Invalidation of the cumulative sanctions imposed by the DGCCRF, ARCEP and the CNIL

The Conseil constitutionnel (French High Court)held, in a decision of 25 June 2026 (CC, 25 June 2026, No. 2026-1210 QPC, Orange SA), that Article L. 34-5 of the Post and Telecommunications Code, in its sixth, eighth and penultimate paragraphs, was unconstitutional in that it allowed the same breaches to be penalised concurrently by three different authorities: the CNIL, ARCEP and the DGCCRF. This therefore entailed a cumulation of penalties exceeding any damage that might already have been remedied, as well as differences in penalty ceilings – 375,000 euros for the DGCCRF, up to 3 per cent of French turnover for ARCEP and up to 2 per cent of global turnover for the CNIL.

It is specified that penalties already imposed will not be called into question. The text must be rewritten by 31 October 2027. As a transitional measure, the Conseil constitutionnel (French High Court) has established that priority is to be given to the authority to which a case has been referred, preventing the other two competing authorities from ruling on the same case – even if the financial risks differ substantially.

4. Legal and case law news – Europe and International

The EDPS adopts guidelines on scientific research and accelerates its work on anonymisation

The European Data Protection Board (EDPB) has adopted new guidelines on the processing of personal data for scientific research purposes. The guidelines aim to clarify the application of the GDPR in this area, in particular regarding the concept of ‘scientific research’, the legal bases that may be used, transparency obligations and the safeguards set out in Article 89 of the GDPR. A public consultation is open until 25 June 2026.

Right of access: the CJEU sets strict parameters for the concept of an abusive request

In the Brillen Rottler case, a reference for a preliminary ruling was made to the Court of Justice of the European Union concerning a data controller’s refusal to respond to a request for access (Article 15 of the GDPR), on the grounds that it was frivolous. The dispute concerned an individual who had exercised their right of access after registering for a service, with the controller arguing that this action was solely intended to obtain compensation.

In its judgment of 25 March 2026, the Court held that a request for access may, in principle, be classified as excessive from the very first request, but only in exceptional circumstances. It specified that the data controller must demonstrate concretely the existence of an abuse, for example where the data subject is acting for the sole purpose of artificially creating a right to compensation. The burden of proof thus rests with the data controller, confirming a strict interpretation of Article 12(5) of the GDPR (CJEU, 19 March 2026, C-526/24, Brillen Rottler).

Bank data breach: €31.8 million fine for security and notification failures

In a decision of 26 March 2026, the Italian data protection authority imposed a fine on a bank after an employee gained unauthorised access to the financial data of several thousand customers over a two-year period. Although the bank had reported a data breach, the investigation revealed a much greater scale than initially declared, as well as shortcomings in the detection of unauthorised access.

The authority has identified several breaches of the GDPR, including failures to comply with security and accountability obligations (Articles 5(1)(f), 24 and 32), as well as breaches of the rules on breach notification (Articles 33 and 34). In particular, it highlights the absence of effective technical measures, an incomplete and belated notification, and the failure to inform all data subjects despite a high risk. Given the number of people affected and the sensitivity of the data, a fine of €31.8 million has been imposed.

Reuse of booking data: €14.4 million fine for lack of a legal basis and lack of transparency

In a decision dated 7 April 2026, the Spanish data protection authority imposed a fine on Amadeus IT Group for reusing booking data from its distribution system to test a profiling project, without informing the data subjects. The data, originally collected for travel management purposes, was used for a different purpose without the travellers – who had no direct connection with the company – being informed.

The authority found a breach of Articles 6 and 14 of the GDPR, ruling that no valid legal basis could justify this processing and that individuals could not reasonably have expected their data to be reused in this way. It has imposed a fine of 18 million euros (reduced to 14.4 million in the event of voluntary payment).

Protection of minors: suspected breach of the Digital Services Act by Meta

In preliminary findings made public as part of proceedings launched on 16 May 2024, the European Commission considers that Meta is in breach of the Digital Services Act (DSA) in relation to Instagram and Facebook. It criticises the platforms for failing to diligently identify, assess and mitigate the risks associated with access to their services by children under the age of 13, despite a minimum age being set out in their terms and conditions.

The Commission highlights age verification measures deemed ineffective, relying largely on self-declaration without reliable verification, as well as a complex system for reporting minors’ accounts that has had little practical effect. It also considers that Meta’s risk assessment is incomplete and contradicts the data available at European level. If these findings are confirmed, Meta could face a fine of up to 6 % of its global annual turnover, along with compliance obligations.

Data transfers to Russia: penalty for breach of data protection safeguards

In a decision dated1April 2026, the Dutch data protection authority imposed a penalty on MLU B.V. (Yandex Group), the operator of the Yango app, for transferring personal data to Russia without adequate safeguards. Customer and driver data (location, conversations, bank details, login credentials) were transferred to entities within the group, with a risk of access by the Russian authorities.

The authority found a breach of Articles 44 and 46 of the GDPR (relating to data transfers), ruling that the standard contractual clauses and technical measures cited were insufficient, particularly given the effective control exercised within the group. It imposed a fine of 100 million euros.

Digital identification: incorrect classification and excessive data collection penalised

In a decision dated 12 May 2026, the Belgian data protection authority sanctioned Isabel SA, the operator of the TruliUs authentication service, for wrongly presenting itself as a mere data processor. The authority considers, on the contrary, that it was acting as a data controller, since it determined the purposes and means of the processing (Article 5(2) of the GDPR).

It also identified several breaches of the GDPR, including insufficient information provided to users, a failure to respond to requests for access, and excessive data collection (nationality, passport photo, place of birth, etc.). Taking the view that these shortcomings stemmed from the initial misclassification, the authority imposed a fine of 120,000 euros.

Work email: excessive retention and lack of transparency penalised

In a decision dated 12 May 2026, the Belgian data protection authority penalised a company for keeping a service provider’s email account active after the end of their collaboration, without adequate information or a valid legal basis beyond a limited period. Whilst short-term retention may be justified on organisational grounds (out-of-office messages, forwarding), the continued processing over several months was deemed contrary to the principles of lawfulness, purpose limitation and data retention period (Articles 5 and 6 of the GDPR). The authority also identified breaches of the right of access, as the company had unjustifiably restricted the former employee’s access to their emails, in breach of Articles 12 and 15 of the GDPR. It imposed a fine of 175,000 euros.

Data breach notification: towards a harmonised European model

On 8 June 2026, the European Data Protection Board (EDPB) adopted a common template for data breach notifications, as part of its efforts to harmonise the application of the GDPR across the EU. This initiative aims to simplify the obligations placed on organisations, particularly regarding the notification of breaches (Articles 33 and 34 of the GDPR), by proposing a standardised format that can be used in all Member States.

Data transfers to China: TikTok fined €530 million despite its contractual safeguards

In a ruling dated 3 June 2026, the Irish High Court largely upheld the decision of the Irish Data Protection Authority to fine TikTok for its data transfers to China, imposing a total administrative fine of €530 million. The court reiterated that a data controller must not only put in place appropriate safeguards, but also demonstrate that the data enjoys a level of protection that is ‘essentially equivalent’ to that guaranteed within the EEA. In this case, TikTok failed to adequately assess the impact of Chinese law or to demonstrate the effectiveness of its supplementary measures, and its privacy policy was also deemed insufficiently transparent.

The Court thus upheld the findings of infringements of Articles 46 and 13 of the GDPR, as well as the principle of accountability resting with the data controller. However, it annulled the orders to suspend transfers, finding that the authority had not properly taken into account the more recent measures put in place by TikTok (the ‘Clover’ project). The case has been referred back for further consideration on this point, whilst confirming the possibility of imposing significant financial penalties.

Article written by: Jeanne BRETON, Claire GOURJON and Camille PECNARD

Published On: 8 July 2026Categories: IP/IT, PublicationsTags:

Share this article