This newsletter presents a selection of legal news from January to June 2025 in the field of personal data protection.
1. CNIL decisions
Reminder to search engine QWANT of its legal obligations
Following an investigation carried out in 2019 into the search engine QWANT, known for its data protection efforts, the CNIL (French Data Protection Authority) concluded that the data transmitted by the search engine to Microsoft was personal data and therefore fell within the scope of the GDPR.
Despite an overhaul of QWANT's privacy policy, the French Authority issued it a reminder of its legal obligations under Article 58(2)(b) of the GDPR. At issue was the qualification of the data transmitted, which was pseudonymised and not anonymised (and so remained personal data), together with a breach of the obligations of transparency and information.
Clarification on the GDPR’s applicability to AI systems development
In a deliberation dated February 6, 2025, the French Authority adopted a recommendation on the application of the GDPR to the development of AI systems, including two practical guides: « Informing data subjects » and « Respect and facilitate the exercise of data subjects' rights ».
The first specifies the obligation for organizations that process personal data for the development of AI models or systems to inform data subjects. The second provides guidance for ensuring these individuals can exercise their rights on their data.
Sanctions against data brokers
On 15 May 2025, the French Data Protection Authority (CNIL) fined the data brokers SOLOCAL MARKETING SERVICES and CALOGA €900,000 and €80,000 respectively for commercially canvassing prospects without their consent and for passing on their data to partners without a valid legal basis (Article 6 GDPR).
These penalties followed inspections carried out by the French Authority as part of its 2022 priority inspection topic on commercial prospecting.
New sanctions under the simplified procedure
Since January 2025, ten new penalty decisions have been handed down by the French Data Protection Authority under its simplified procedure, totaling 104,000 euros.
Six of these sanctions concerned employee surveillance. The breaches of the data minimisation principle mainly consisted of permanent video surveillance of workstations.
Sanctions were also imposed for breaches of data security and the obligation to notify data breaches to the persons concerned.
2. CNIL documentation
2024 CNIL activity report: sharp increase in all corrective measures
For the French Data Protection Authority, 2024 saw a significant increase in the number of measures adopted, with 331 corrective measures pronounced: 87 sanctions, 64 reminders of legal obligations and 180 formal notices, for a cumulative total of 55,212,400 euros in fines.
The recurring themes in the sanction decisions of the Authority's restricted committee are commercial canvassing and the anonymisation of health data.
In April 2025, the French Authority published its annual activity report for the year 2024.
A record 17,772 complaints were received, half of which related to “telecoms, web and social networks”.
12 practical guides on the development of AI were also published, with a view to ensuring that innovation respects data protection.
The Authority also continued to support the compliance of health data processing. It received 619 requests for authorisation to process data, and succeeded in reducing the time taken to process them to an average of 65 days (compared with 73 days in 2023).
Report on CNIL inspections of the right of access
The inspections showed that the majority of organisations have put in place organisational measures to handle right of access requests.
Nevertheless, these measures remain insufficient: some organisations provide only partial or incomplete responses to access requests.
The French Authority has published a practical guide on how best to respond to a right of access request.
CNIL’s commitment to innovative and privacy-friendly AI
During the Paris AI Action Summit (February 6–11, 2025), the French Data Protection Authority signed a joint statement with data protection authorities from Australia, South Korea, Ireland, and the UK to promote data governance that fosters innovative yet privacy-preserving AI.
The initiative emphasizes both the opportunities AI offers and the imperative of transparency and fundamental rights protections. The signing authorities pledged to clarify legal bases for data processing in AI and monitor its technical and societal impacts by involving various bodies.
In February 2025, the French Authority issued two new recommendations to ensure that AI use complies with the GDPR.
The Authority first recommends that data subjects be informed when their personal data is used to train an AI model and may be memorised by it.
It also recommends that AI players put in place the measures needed to ensure compliance with the rights set out in the GDPR (rights of access, rectification, objection and erasure).
Publication of the results of the “sandbox” dedicated to AI applied to public services
The “sandbox” is a personalised support programme run by the French Data Protection Authority for stakeholders seeking advice on how to develop an innovative project.
The 3rd edition of the programme, the results of which were published in April 2025, was devoted to projects incorporating artificial intelligence to improve public services. This support focused in particular on the notion of significant human intervention and the principle of data minimisation in generative AI.
The CNIL updates its Tables informatiques et Libertés and Cahiers compiling decisions handed down in 2024
The French Authority has published an update of its Tables informatiques et Libertés, which bring together the essential points of its case law and decisions. These tables contain a summary of the main points raised by these decisions.
As for the Cahiers, they bring together the Authority’s landmark decisions.
Publication of the final version of the Transfer Impact Assessment (TIA) guide
The French Data Protection Authority has published the final version of its TIA guide, intended to assist data controllers and processors transferring data outside the European Union. The guide, revised following a public consultation, sets out a methodology identifying the stages prior to carrying out a TIA; use of the guide itself is not mandatory.
A TIA must be carried out by the exporter subject to the GDPR, with the assistance of the importer, before transferring data to a country outside the EEA when the transfer relies on an Article 46 GDPR tool (such as standard contractual clauses). Its purpose is to assess whether the data importer in the third country will be able to comply with the obligations laid down by the chosen tool, in view of that country's legislation.
Coordinated Action 2025: series of controls on the right to erasure
In 2025, the French Data Protection Authority and several of its counterparts are taking part in a new coordinated action by the EDPB, on respecting the right to erasure, also known as the “right to be forgotten”. The aim of these investigations is to ensure that organizations properly implement this right.
Under the conditions laid down in Article 17 of the GDPR, the right to erasure enables a data subject to request that an organisation delete his or her personal data; the organisation is obliged to respond to such a request in order to comply with its obligation of transparency (Article 12 of the GDPR).
In April 2025, the French Authority published its European strategy for 2025 to 2028. This strategy is built around three main areas: facilitating European cooperation, promoting high international standards and consolidating the Authority’s European and international influence.
It aims to strengthen and coordinate the French Authority’s action with the other European authorities, taking account of the EDPB’s guidelines.
CNIL recommendation on multi-factor authentication
In April 2025, the French Authority published a recommendation for data controllers implementing multi-factor authentication.
The recommendation focuses on the choice of authentication factors (knowledge, possession, inherence) and on their compliance with the GDPR principles of identifying a legal basis and minimising the data collected.
3. Legal and case law news – France
Exception to the obligation to provide information regarding the communication of tax data
As a general rule under Article 14 of the GDPR, the controller must inform data subjects whenever the data has not been collected directly from them.
In a decision dated February 27, 2025, the French Supreme Court (Cour de cassation) ruled that tax information is not covered by this obligation. The judges held that, since the communication of a contributor's tax data to the Urssaf is expressly provided for by law, the data controller is exempt from the obligation to inform the contributor.
Requirement of a prior request to the controller in order to exercise the rights provided by the GDPR and the Loi informatique et libertés.
In a decision dated January 27, 2025, the Conseil d'Etat ruled that a data subject wishing to exercise his or her rights with regard to personal data must first contact the data controller. Only in the event of a refusal or absence of response may the data subject refer the matter to the French Data Protection Authority. The Conseil d'Etat also confirmed that the Authority may reject a complaint if this prior step has not been taken.
Apple sanctioned by the French Competition Authority for abuse of dominant position in the mobile application distribution sector
Since April 2021, app publishers wishing to track their users for advertising purposes across multiple apps or sites have had to obtain explicit permission from the user via a prompt designed by Apple, App Tracking Transparency (ATT).
After requesting two opinions from the CNIL, the French Competition Authority ruled in its decision of March 28, 2025 that the way the system was implemented was neither necessary nor proportionate to the objective of protecting personal data. In particular, the user experience in third-party applications was made more complicated by the multiplication of consent windows generated by the system.
Apple was fined 150,000,000 euros for abuse of a dominant position.
Application of the GDPR to evidence submission in labor disputes
In a ruling dated 26 March 2025 (RG No. 23-16.068), the labor division of the French Supreme Court held that it is up to the judge hearing a request for disclosure of documents based on article 145 of the Code of Civil Procedure to determine whether such disclosure is strictly necessary for the exercise of the right to evidence and proportionate to the aim pursued.
In concrete terms, if personal data is collected before or during the trial for the purpose of proving acts of discrimination, that personal data may not be used for other purposes.
The Court also held that the judge must ensure that the principle of data minimisation is observed, by ordering, if necessary, that personal data not essential to the exercise of the right to evidence be redacted. Reiterating the usual minimisation criteria, the Court held that the information left visible must be « adequate, relevant and strictly limited to what is essential » for the purpose in question.
Then, in a ruling dated 9 April 2025 (RG No. 23-13.159), the labor division of the French Supreme Court reiterated that IP addresses are personal data. The appeal court had considered that log files linked to a local network address, rather than to an address assigned by an internet service provider, were not equivalent to IP addresses and could not be considered personal data. The labor division overturned that ruling, holding that these files, once cross-referenced with messages, did allow the employee to be identified and were therefore personal data. In the absence of a legal basis, the log files had been processed unlawfully in being used to monitor the employee's individual activity.
In a second ruling dated 9 April 2025 (RG No. 22-23.639), the labor division considered that an immediate appeal – without waiting for the decision on the merits – was admissible against the interim order requiring the disclosure of personal data and against the appeal decision, as the potential violation of the GDPR would be irreversible once the documents had been disclosed.
Use of evidence derived from the operation of a video protection system
In a ruling handed down on 21 May 2025 (RG n° 22-19.925), the labor division of the French Supreme Court approved an appeal court’s decision to admit evidence of dismissal based on the use of recorded images of an employee.
Although the capture and viewing of images from an airport's video protection system constituted processing of personal data within the meaning of Article 4 of the GDPR, the data had been collected for the purpose of ensuring the safety of people and property, and the employee had been informed of the purposes of the system and of his right of access, so that the rights of the defence had not been infringed.
Interpretation of employees’ right of access to their data by the French Supreme Court
On 18 June 2025 (RG No. 23-19.022), the labor division of the French Supreme Court ruled that emails sent or received by an employee via their work email account are personal data. Employees have a right of access to these emails, and employers must provide them with both the metadata (time stamp, recipients) and the content, unless the information requested is likely to infringe the rights and freedoms of others. In this regard, the CNIL's previous position is as follows: although providing a copy of the emails may appear to be the easiest solution for the organisation, this solution cannot be mandatory; sending a table listing the data contained in the emails is also acceptable.
Request for deletion of a Google listing by a professional
In a ruling dated 22 May 2025 (RG No. 22/01814), the Chambéry Court of Appeal ruled that a professional may request the removal of their Google My Business listing on the grounds of a violation of their personal data. The listing, which contained the appellant's surname, first name, profession and professional telephone number, contains personal data and therefore falls within the scope of the GDPR.
The Court rejected the legitimate interest invoked by Google, namely users' right to information: effective control over published reviews, which may contain sensitive data, can sometimes only be exercised retrospectively, which requires active steps on the part of the data subject and runs contrary to the principles of the GDPR. The processing was therefore deemed unlawful and the request for deletion of the listing was upheld.
Termination of a contract on the basis of the GDPR
In a ruling dated 13 May 2025 (Case No. 23/02044), the Bordeaux Court of Appeal upheld the termination of a website licence agreement on the grounds of repeated breaches of contract, consisting of violations of the French Data Protection Act and the GDPR – in particular the unauthorised installation of cookies. The Court ordered the termination of the contract for non-performance and the reimbursement of the sums paid.
4. Legal and case law news – Europe and International
The EDPB adopts guidelines on pseudonymisation and proposes closer interplay between data protection and competition law
On January 17, 2025, the EDPB adopted guidelines on the use of pseudonymisation, as defined in Article 4 of the GDPR. It specifies that pseudonymised data remain personal data, and that pseudonymisation makes it possible to reduce risks and to facilitate reliance on legitimate interests as a legal basis (Article 6(1)(f) of the GDPR), provided that all the other requirements of the GDPR are met.
In a position paper, the EDPB also expressed its wish to deepen the interaction between data protection law and competition law, suggesting in particular the progressive integration of market and competition factors into data protection practice.
The CJEU clarifies the concept of “excessive request”.
The Austrian data protection authority referred a question to the CJEU for a preliminary ruling on whether requests should be classified as excessive within the meaning of Article 57(4) of the GDPR once a person has sent a certain number of requests over a certain period, or whether an abusive intent is also required.
In its judgment of January 9, 2025 (C-416/23), the Court held that an authority cannot classify requests for the exercise of rights as excessive solely on the basis of their large number. The authority must establish that the applicant has an abusive intent, for example where the requests submitted are not objectively necessary for the protection of his or her rights.
Reinforced right of access to automated decisions
In Austria, a mobile phone operator refused to enter into a contract with a customer on the basis of an automated credit assessment. The Austrian court referred the matter to the CJEU for an interpretation of Article 15(1)(h) of the GDPR (right to an explanation of the automated decision-making) in the light of the Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (Directive (EU) 2016/943 of June 8, 2016).
In its judgment of February 27, 2025 (C-203/22), the Court ruled that the data subject may request an explanation of the procedure and principles actually applied in the automated use of his or her personal data. Mere communication of an algorithm or of mathematical formulas does not, however, constitute an intelligible explanation.
If the data controller considers that the information to be provided falls within the scope of trade secrets, it must communicate that information to the competent supervisory authority or court, which is responsible for balancing the interests involved.
Fine for breaching the GDPR and the notion of “undertaking”
In the context of criminal proceedings brought against a data controller, the Danish public prosecutor referred a question to the CJEU for a preliminary ruling on the interpretation of Article 83(4) to (6) of the GDPR (calculation of the administrative fine) and of the concept of "undertaking" which it contains.
On February 13, 2025, the CJEU replied that the term "undertaking" must be understood in the sense given to it by Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). Accordingly, the maximum fine that may be imposed on a controller which is, or forms part of, an undertaking is determined as a percentage of the undertaking's total worldwide annual turnover for the preceding financial year.
As part of this harmonisation effort, the concept of "undertaking", an autonomous concept of EU competition law, now also applies to personal data law.
Communication of data concerning representatives of legal entities
Following two questions referred for a preliminary ruling, the Court of Justice of the European Union ruled on 3 April 2025 (Case C-710/23) that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes the processing of personal data within the meaning of Article 4 of the GDPR, even where the disclosure is intended solely to identify the person authorised to act on behalf of the company.
The Court also held that a public authority responsible for communicating official documents to the public is not obliged to inform the person mentioned in those documents where doing so would result in a disproportionate restriction on the public's right of access.
Swedish data protection authority’s warning decision on health data sent by e-mail
On 12 May 2025, the Swedish Data Protection Authority issued a warning to the board of a hospital for failing to put in place sufficient security measures for the processing of health data contained in e-mails.
Despite the internal guidelines adopted by the hospital, the authority criticised the prolonged storage of sensitive health information in e-mail accounts without an effective deletion procedure.
EDPB’s opinions on the adequacy of the European Patent Office and on the validity of UK adequacy decisions
In May 2025, the European Data Protection Board (EDPB) adopted two opinions.
The first concerns the European Commission’s draft adequacy decision on the European Patent Office (EPO). The EDPB notes that the data protection framework of the EPO is in line with that of the European Union.
The second relates to the European Commission's proposal to extend by six months two UK adequacy decisions, one adopted under the GDPR and the other under Directive (EU) 2016/680 (the Law Enforcement Directive). In its opinion, the EDPB acknowledges the need for this extension and underlines its exceptional character, due to the ongoing legislative developments in the UK.
Article written by: Jeanne BRETON, Pierre-Emmanuel MEYNARD, Camille PECNARD, Léa RICHIER and Claire GOURJON