This newsletter presents a selection of news from September 2025 to March 2026 in the field of personal data protection.

1. CNIL decisions

Condemnation of Publications Conde Nast for non-compliance with applicable rules regarding cookies

On 1st September 2025, the CNIL (French authority) fined Infinite Styles Services Co. Limited, an Irish subsidiary of the Shein group, €150 million for failing to comply with applicable rules regarding cookies placed on the devices of users visiting the “shein.com” website.

On 20 November 2025, the CNIL fined the French company Les Publications Conde Nast 750,000 euros on the same ground, regarding cookies placed on the devices of users visiting the “vanityfair.fr” website.

On the same grounds, in its decision of 27 November 2025, the CNIL imposed a fine of 1.5 million euros on American Express Carte France, the French subsidiary of the American Express group.

The CNIL found practices contrary to Article 82 of the French Data Protection Act. Specifically, cookies requiring consent were placed on users’ devices without obtaining their consent, and the mechanism for refusing or withdrawing consent was deficient. Similarly, the information provided to users regarding the purposes of the cookies lacked clarity.

Google Fined €325 Million

In a ruling dated 1st September 2025, the CNIL fined Google €325 million for displaying ads within Gmail users’ emails without their consent, and for placing cookies when Google accounts were created, without valid consent from French users.

These practices violate the requirement to obtain individuals’ consent before sending them commercial solicitations by electronic means (Article L.34-5 of the CPCE) and also constitute a violation of Article 82 of the Data Protection Act, since cookies were placed without users’ free and informed consent.

Penalty imposed on Mobius Solutions, a subcontractor of Deezer

The Israeli company Mobius Solutions Ltd, whose services Deezer used to carry out personalized advertising campaigns for its customers, was fined 1 million euros on 11 December 2025.

Mobius Solutions had retained the data of more than 46 million users after the contract ended and reused this data without authorization to improve its own services. It had also failed to fulfill its obligation to maintain a record of processing activities.

The ruling illustrates the application of the GDPR to non-EU entities when the personal data of European citizens is processed.

Free and Free Mobile Fined for Non-Compliance Due to Inadequate Measures to Ensure the Security of Their Subscribers’ Data

In two decisions dated 8 January 2026, the CNIL fined Free Mobile and Free €27 million and €15 million, respectively.

These sanctions were imposed due to the companies’ failure to comply with the obligation to ensure the security of personal data, the obligation to inform data subjects of a data breach, and, for Free Mobile only, the obligation to retain personal data for a limited period (Articles 32, 34, and 5(1)(e) of the GDPR).

Cyberattack and Negligence: CNIL Sanctions France Travail

In a decision dated 22 January 2026, the CNIL imposed a fine of 5 million euros on France Travail for failing to ensure the security of personal data following a cyberattack that occurred in March 2024.

The CNIL noted that the organization had failed to implement appropriate technical and organizational measures to protect the personal data it processes, in violation of Article 32 of the GDPR, thereby exposing information such as names, usernames, and social security numbers.

2. CNIL documentation

Finalization of the CNIL’s recommendations on the development of AI systems

In response to the difficulties encountered by designers and developers of artificial intelligence systems in applying the GDPR, the CNIL’s new recommendations aim to guide industry stakeholders on the development of AI systems involving the processing of personal data.

These recommendations concern only the development phase of AI systems, not the deployment phase. They focus in particular on determining the liability of stakeholders, informing individuals whose data is used, and compliance with the GDPR during the data annotation phase.

At the same time, the CNIL is unveiling its future work, including the development of sector-specific recommendations, conducting research on explainability in the field of AI, and developing technical tools for professionals.

The CNIL publishes a map illustrating the roll-out of GDPR tools across Europe

To help identify compliance tools approved by national authorities across Europe, the CNIL has published two maps: one showing the roll-out of certifications (Article 42 of the GDPR), and the other showing the roll-out of codes of conduct (Article 40 of the GDPR).

These maps enable organizations to plan their compliance measures more easily by providing an overview of approved mechanisms with a view to harmonization.

The CNIL publishes its final recommendations on cross-device consent for cookies

With these recommendations, the CNIL clarifies how to obtain valid consent for cookies across multiple devices when a user is logged into the same account. The choices must be simple, clear, and applicable to all devices, with explicit information regarding this multi-device scope.

These recommendations also address the handling of differing choices made prior to login and supplement the CNIL’s existing recommendations on cookies. These rules are intended to ensure compliance with the GDPR and are part of a broader discussion on consent across multiple services or websites.

Data processing for scientific research outside the health sector: when to contact the CNIL

The CNIL has clarified the situations in which its opinion is required to conduct public scientific research (outside the health sector) involving the processing of sensitive data. In principle, the processing of sensitive data is prohibited, subject to the exceptions provided for by the GDPR; in the absence of another legal basis (such as explicit consent), referral to the CNIL is required under Article 44.6 of the Data Protection Act.

For consultation to be necessary, three cumulative conditions must be met: the processing must be necessary for public scientific research purposes, it must involve sensitive data, and it must be justified by reasons of substantial public interest. If these criteria are met, the CNIL may be consulted for an opinion to validate the project’s compliance.

The CNIL releases its 2025 report on sanctions and corrective measures imposed

In 2025, the CNIL imposed 83 sanctions for non-compliance with the GDPR and the French Data Protection Act, totaling 486,839,500 euros in fines. Among these decisions, several concerned the use of cookies without valid consent, disproportionate employee video surveillance practices, or breaches of security and the rights of data subjects.

The sanctions reveal recurring themes: violations of consent rules for cookies, data security deficiencies, and failure to cooperate with the CNIL. In particular, the Restricted Committee imposed two record fines of 325 million and 150 million euros on major companies for non-compliance with cookie regulations.

Digital Health: Partnership Between the CNIL and the HAS to Strengthen Best Practices

On 10 March 2026, the CNIL and the Haute Autorité de santé (French National Health Authority) signed a partnership agreement aimed at strengthening best practices in data protection within the health, social, and medico-social sectors. This cooperation is specifically designed to support the development of digital tools and artificial intelligence in healthcare while ensuring respect for patients’ fundamental rights.

The partnership includes joint initiatives to help sector stakeholders effectively implement legal requirements regarding health data and improve the security of data processing. A first joint recommendation is expected in the second quarter of 2026 on the proper use of artificial intelligence in healthcare practices.

3. Legal and case law news – France

Confirmation of the €8 million fine imposed on Apple for its advertising trackers

In a decision dated 29 December 2022, the CNIL imposed a fine of 8 million euros on Apple for violating Article 82 of the Data Protection Act, due to practices involving the reading and writing of data on users’ devices for advertising purposes without obtaining their consent.

The Conseil d’Etat (France’s highest administrative Court) dismissed Apple’s appeal seeking to overturn the penalty imposed by the CNIL, confirming, on the one hand, the CNIL’s jurisdiction on the grounds that the processing in question, although carried out by a foreign company, was linked to establishments located in France, and, on the other hand, finding that the violation was established (Conseil d’Etat, 15 October 2025, No. 473833).

Confirmation of the €10 million fine imposed on Yahoo for its advertising trackers

In a decision dated 29 December 2022, the CNIL imposed a fine of 10 million euros on Yahoo EMEA for violating Article 82 of the Data Protection Act, due to the placing of cookies for advertising purposes without prior consent and to deficient procedures for withdrawing consent to cookies.

The Conseil d’Etat has dismissed Yahoo’s appeal against this decision and upheld the CNIL’s jurisdiction, noting that the CNIL may take action even if the processing does not strictly involve personal data, pursuant to Article 82 of the Data Protection Act, which transposes the ePrivacy Directive.

The finding that Yahoo committed the alleged violations is also upheld. The Conseil d’Etat finds that the €10 million fine, given the seriousness, duration, and scope of the violations, is not disproportionate (Conseil d’Etat, 7 October 2025, No. 494300).

GDPR Violation: The Conseil d’Etat Reduces the Fine Imposed on Amazon France Logistique

The CNIL, having determined that Amazon France Logistique’s implementation of a system to monitor the activity and performance of warehouse employees was excessively intrusive and lacked a legal basis within the meaning of Article 6 of the GDPR, had imposed a fine of €32,000,000 on the company.

The Conseil d’Etat finds that the CNIL’s decision is marred by an error of assessment on this point. It does, however, uphold the other violations identified by the panel in its sanction decision, namely the violation of the principle of data minimization, the obligation to provide information, and the principle of security regarding access to the video surveillance software managing certain cameras in one of its warehouses, reflecting gross negligence on the part of Amazon France Logistique. The amount of the penalty imposed by the panel is therefore reduced to 15 million euros (Conseil d’Etat, 23 December 2025, No. 492830).

GDPR: Pseudonymization Is Not Sufficient to Exclude the Classification of Personal Data

In a ruling dated 13 February 2026, the Conseil d’Etat reiterated that data can only be considered anonymized through pseudonymization if the risk of identification is negligible—for example, because identification would require a disproportionate amount of time, cost, and labor.

In this case, several healthcare companies had challenged a sanction imposed by the CNIL, arguing that their pseudonymized data no longer constituted personal data. The Conseil d’Etat upheld the CNIL’s sanction on the grounds that elements such as age, gender, health data, or associated codes that allow for simple cross-referencing with external resources may be sufficient to maintain the personal nature of the data despite pseudonymization (Conseil d’Etat, 13 February 2026, No. 498628).

Targeted advertising and cookies: the Conseil d’Etat upholds the €40 million fine imposed by the CNIL

In a ruling dated 4 March 2026, the Conseil d’Etat rejected the appeal filed by an online advertising company against the €40 million fine imposed in 2023 by the CNIL due to several violations of the GDPR. The case concerned the use of cookies and the processing of users’ browsing data to display personalized advertisements on partner websites.

The Conseil d’Etat confirmed that the data constituted personal data despite the pseudonymization of identifiers and found several violations: failure to demonstrate that consent had been obtained (Art. 7), insufficient information provided to individuals (Arts. 12 and 13), lack of an adequate agreement between joint controllers (Art. 26), and failure to effectively erase data after consent was withdrawn (Art. 17). Given, in particular, the scale of the processing (more than 370 million identifiers in the EU), the court considers the €40 million fine to be proportionate and upholds the CNIL’s decision (Conseil d’Etat, 4 March 2026, No. 482872).

4. Legal and case law news – Europe and International

Establishment of Additional Procedural Rules Regarding the Application of the GDPR

To address gaps in the application of the GDPR, due in particular to cumbersome procedures, divergent practices, and operational shortcomings, the European Parliament has established additional procedural rules.

The text, dated 21 October 2025, provides that all national supervisory authorities will apply the same procedure for handling cross-border complaints, that parties subject to investigation will have the right to access the file and the right to be heard, and that mandatory deadlines will be established to prevent cases from becoming bogged down.

Simplified European digital rules with the Omnibus Package

The European Union aims to establish a clearer and more effective digital framework through the new “Omnibus” package presented on 19 November 2025. With this proposal, the Commission intends to simplify a regulatory environment that has become overly complex, while maintaining a high level of protection for fundamental rights.

Among other things, the package proposes postponing certain obligations under the European Artificial Intelligence Regulation, making targeted amendments to the GDPR (including clarifications on the definition of personal data), and simplifying cookie consent.

The website operator is responsible for the processing of personal data

In a decision dated 2 December 2025, the CJEU ruled that the operator of an online marketplace, as the controller of the personal data contained in advertisements published on its website, is required to verify, prior to publication, whether such advertisements contain sensitive data and whether their processing complies with the GDPR (CJEU, 2 December 2025, Case No. C-492/23, Russmedia Digital SRL v. Inform Media Press).

Clarifications from the CJEU regarding the retention of biometric and genetic data of a person facing criminal proceedings

The CJEU clarifies in a judgment of 20 November 2025 that EU law does not, in itself, prohibit the indiscriminate collection of biometric and genetic data concerning any person prosecuted or suspected of having committed an intentional offence. Such collection is permissible provided that, on the one hand, the purposes of the processing do not require any specific distinction between the data subjects and, on the other hand, the authorities processing such data strictly comply with the rules applicable to sensitive data (CJEU, 20 November 2025, Case No. C-57/23, JH v Policejní prezidium).

Sending newsletters is possible without consent

In a judgment of 13 November 2025, the CJEU ruled that a user’s email address collected in connection with the sale of a product or service may be used for direct marketing of similar products or services within the meaning of the e-Privacy Directive, without the need to obtain the consent required by the GDPR (CJEU, 13 November 2025, Case No. C-654/23, Inteligo Media SA v. ANSPDCP).

Clarification of the compensation regime provided for by the GDPR

In a judgment of 4 September 2025, the CJEU confirmed that non-material damage, within the meaning of Article 82 of the GDPR, resulting from unlawful processing is compensable without the need to prove a minimum threshold of seriousness. The decision specifies in this regard that the concept of non-pecuniary damage encompasses negative feelings experienced by the data subject following the unauthorized disclosure of their personal data to a third party.

In the present case, an employee of a company had, via the messaging service of a professional social network, sent to an unauthorized third party a message initially intended for a job applicant (CJEU, 4 September 2025, Case No. C-655/23, IP v. Quirin Privatbank AG).

The CJEU clarifies the concept of personal data

In 2018, following the bankruptcy of Banco Popular, the Single Resolution Board (SRB) organized a procedure in which shareholders and creditors submitted anonymized comments, which were subsequently analyzed by Deloitte. Complaints were filed with the EDPS regarding a lack of information on Deloitte’s use of personal data.

In a judgment dated 4 September 2025, the CJEU reiterates that personal data is any information relating to an identified or identifiable natural person. It further states that pseudonymization may affect the personal nature of the pseudonymized data: while the data constitutes personal data for the data controller (in this case, the SRB), it may be considered anonymous from the recipient’s perspective (in this case, Deloitte) if the recipient is unable to re-identify the data subjects. Finally, the Court clarifies that the fact that the recipient cannot re-identify the individuals does not exempt the original controller from complying with the transparency obligations set forth in the GDPR (CJEU, 4 September 2025, Case No. C-413/23, EDPS v. SRB).

Meta continues its policy in favor of the “opt-in or pay” model

Following the publication of the EDPB’s opinion regarding the “opt-in or pay” models used by major online platforms, Meta Platforms Ireland challenged the opinion before the General Court of the European Union, arguing that the opinion should be annulled and that Meta should be compensated. On 29 April 2025, the General Court dismissed Meta’s claims as inadmissible and manifestly unfounded, leading Meta to appeal this decision to the CJEU (CJEU, 10 July 2025, Case No. C-454/25, Meta Platforms Ireland v. European Data Protection Board).

GDPR Reform and Guidelines on Online Account Creation: The EDPB Issues Its Recommendations

On 2 and 3 December 2025, the European Data Protection Board (EDPB) reviewed the European Commission’s proposals to amend the GDPR and the ePrivacy Directive. It also adopted guidelines on the creation of online user accounts, as well as best practices regarding their operation.

Belgian Data Protection Authority (DPA) fines Infobel for reselling data without consent

In a decision dated 27 November 2025, the DPA fined data broker Infobel 40,000 euros for reselling data obtained from a telecom operator for marketing purposes without valid consent from the data subject, in violation of the GDPR.

AI Act: the EDPS publishes a ‘compass’ for trustworthy AI in the European administration

The EDPS has published an ‘AI Act Compass’, designed to support EU institutions and agencies in implementing the AI Act. This document forms part of the EDPS’s new role as the supervisory authority for AI systems used by European institutions, with the aim of promoting reliable artificial intelligence that complies with legal requirements.

Biotech Act: The EDPB and the EDPS Support the Harmonization of Clinical Trials with Enhanced Safeguards

The European Data Protection Board and the European Data Protection Supervisor have adopted a joint opinion on the draft regulation for the future “European Biotech Act.” They support the goal of harmonizing the rules applicable to clinical trials within the European Union, believing that it can improve legal certainty and promote innovation in the field of biotechnology.

However, both authorities emphasize the need for strict regulation of the processing of health data, given its particularly sensitive nature. They call for the introduction of specific safeguards, particularly to ensure compliance with the principles of necessity and proportionality, as well as a high level of protection for the rights of individuals participating in clinical trials.

Digital Omnibus: The Supervisor and the European Data Protection Board Support Simplification but Call for Data Protection to Be Preserved

On 10 February 2026, the European Data Protection Board and the European Data Protection Supervisor adopted a joint opinion on the proposed Digital Omnibus aimed at simplifying several texts within the European regulatory framework. In particular, they examine the proposed adjustments to the GDPR and their effects on the protection of personal data.

While they support the goal of simplification and reducing administrative burdens, the two authorities stress that these changes must not weaken the safeguards provided to data subjects or undermine the current balance of the European data protection framework.

European Institutions: The EDPS Strengthens the Independence of DPOs

In a press release dated 13 February 2026, the European Data Protection Supervisor announced the adoption of new guidelines clarifying the role, position, and guarantees of independence for Data Protection Officers (DPOs) within the institutions and agencies of the European Union. The objective is to ensure consistent application of the framework established by Regulation (EU) 2018/1725.

In addition, the EDPS has established binding rules requiring its prior approval in the event of the dismissal of a DPO before the end of their term. This mechanism aims to prevent any institutional pressure and to guarantee the functional independence of these key compliance actors.

The CJEU opens direct appeal against the EDPB’s binding decisions

In a judgment dated 10 February 2026, the CJEU ruled that a binding decision by the EDPB may be the subject of a direct appeal before the courts of the Union. The case stems from the EDPB’s 2021 decision, which led the Irish authority to impose a fine of €225 million on WhatsApp for breaches of the GDPR.

The CJEU set aside the order of the General Court of the European Union declaring the appeal inadmissible, holding that the EDPB’s decision produced binding legal effects with respect to WhatsApp. The case is referred back to the General Court for consideration on the merits (CJEU, 10 February 2026, Case No. C-97/23 P).

Data collection without consent by Meta: non-pecuniary damage recognized by a German court

In several rulings dated 3 February 2026, the Dresden Higher Regional Court held that the collection of user data, without their consent, by Instagram and Facebook via Meta Business Tools (Meta Pixel and other tools integrated into third-party websites) constituted unlawful processing of personal data under Article 6 of the GDPR, due to the lack of valid consent. Four users had brought the case before the court seeking compensation for non-pecuniary damage resulting from this unauthorized collection.

The Court recognized the non-pecuniary damage, awarding each claimant €1,500 and ordering Meta to cease the processing and delete the disputed data.

Targeted Advertising: Record €746 Million Fine Imposed on Amazon Overturned

The Administrative Court of Luxembourg heard an appeal against a decision upholding a €746 million fine imposed by the National Commission for Data Protection (CNPD) on Amazon. The Commission had found a lack of a valid legal basis for behavioral advertising (Art. 6 GDPR) as well as several breaches of transparency obligations and individual rights (Arts. 12–17 and 21). The Court confirmed these violations in a ruling dated 12 March 2026.

However, the Court overturned the decision in its entirety due to irregularities affecting the penalty. It criticized the Commission for failing to verify the existence of fault (whether intentional or negligent) and for failing to conduct a comprehensive assessment of the proportionality of the fine under Article 83 of the GDPR.

Article written by: Jeanne BRETON, Claire GOURJON, Kylian TREGUER and Camille PECNARD

Published on: 18 May 2026. Categories: IP/IT, Publications.