CNIL’s 2024 Report: A Year of Stronger Data Protection & Growing Challenges

Key Takeaways

• Record Complaints: The CNIL received 17,772 complaints in 2024, a 20% increase from the previous year, with major concerns related to telecoms, web, social media, and e-commerce sectors.
• Increased Sanctions: The CNIL issued 331 corrective measures, including 87 penalties totaling over €55 million, marking a significant rise in enforcement actions compared to 2023.
• Cybersecurity Surge: The CNIL saw a 20% increase in data breaches, with a notable rise in large-scale breaches affecting millions. One-third of the CNIL's sanctions were due to data security failures.
• AI Data Protection: The CNIL published 12 “how-to” sheets to guide AI developers in ensuring privacy and data protection, while also addressing specific concerns around generative AI technologies.

Deep Dive

The French data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés), has released its 2024 annual report, showcasing a year marked by significant strides in personal data protection. The report highlights key achievements in inspections, sanctions, public awareness, artificial intelligence (AI) development, and cybersecurity, underscoring the CNIL’s critical role in safeguarding privacy in France.

In 2024, the CNIL ramped up its enforcement efforts, conducting hundreds of inspections across both public and private sectors. These inspections addressed a range of compliance issues, including the use of cookies and tracking technologies, cybersecurity protocols, and the management of video surveillance systems. This year also saw a marked increase in the number of legal decisions, with the CNIL issuing 331 corrective measures and 87 penalties, amounting to over €55 million in fines. Notably, the simplified procedure introduced in 2022 proved effective, enabling the CNIL to issue 69 sanctions, a nearly threefold increase from the previous year.

The CNIL also engaged at the European level, reviewing 12 draft European sanctions, reinforcing its commitment to ensuring consistent data protection across borders.

A Record Year for Complaints

2024 was a record-breaking year for complaints, with the CNIL receiving a total of 17,772 complaints, a 20% increase from the previous year. The majority of these complaints were centered around data breaches, identity theft, and privacy violations. The CNIL processed more complaints than it received, handling 15,639 cases by the end of the year. Among the top concerns were issues related to telecommunications, social media, and e-commerce, with these sectors accounting for 49%, 19%, and 13% of complaints, respectively.

The CNIL’s cybersecurity efforts in 2024 were notably proactive, addressing a sharp rise in data breaches. The number of breaches reported to the CNIL surged by 20% compared to 2023, with a significant uptick in high-profile incidents affecting millions of individuals. In fact, breaches impacting over one million people doubled from 20 to 40 incidents over the course of the year, spanning industries such as internet service providers, e-commerce, and public services. In response to these challenges, the CNIL worked closely with national cybersecurity bodies, including the Agence nationale de la sécurité des systèmes d'information (ANSSI) and Cybermalveillance.gouv.fr, to mitigate the impacts of these breaches.

The rise of artificial intelligence has also brought new challenges to data protection, and the CNIL has been at the forefront of developing guidelines to ensure AI innovations respect personal data rights. In 2024, the CNIL published its first series of recommendations for AI system development, offering practical guidance on how to integrate data protection into AI technologies. The CNIL's “how-to” sheets, which cover key points such as transparency, data minimization, and fairness, are a significant step towards balancing innovation with privacy rights. Additionally, the CNIL has issued a series of questions and answers to address the specific challenges posed by generative AI.

Raising Awareness and Educating the Public

Public education has been a cornerstone of the CNIL’s activities in 2024. The organization carried out 173 awareness-raising actions, including 84 specifically focused on minors. The increasing concern over children's data, particularly in relation to issues like online privacy, cyberbullying, and parental control, led the CNIL to focus its efforts on schools, public events, and digital literacy campaigns. The CNIL also developed educational materials, such as posters and guides, in collaboration with various organizations, including the French Ministry of Education and France Télévisions, to better inform the public about data protection rights.

With a year of notable achievements, the CNIL has demonstrated its commitment to evolving with technological advancements while safeguarding individuals' privacy rights. As data protection continues to be a crucial issue in the digital age, the CNIL's work, particularly in areas such as AI, cybersecurity, and public education, ensures that France remains at the forefront of data privacy protection. The organization’s proactive approach in inspecting, sanctioning, and raising awareness is setting a benchmark for data protection authorities worldwide.

As we move further into 2025, the CNIL’s work is expected to expand in response to new challenges and emerging technologies, with the goal of ensuring that personal data remains secure and protected for everyone.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.