France’s Privacy Watchdog Says the Situation Is “Very Worrying” After a Record Year of Data Breaches

Key Takeaways
  • Complaints Hit Another Record: France’s privacy regulator received 20,150 complaints in 2025, up 10% from the previous year.
  • Cybersecurity Became a Major Enforcement Driver: The CNIL received 6,167 data breach notifications, with hacking responsible for half of reported incidents.
  • Enforcement Totals Reached Historic Levels: The regulator issued 83 sanctions totaling nearly €487 million following 323 investigations.
  • Third-Party Exposure Emerged as a Recurring Problem: The CNIL warned that many major breaches involved service providers and processors.
  • 2026 Will Focus Heavily on Security Failures: Half of the CNIL’s controls and enforcement actions in 2026 will target data security and cybersecurity issues.
Deep Dive

France’s data protection authority received more than 20,000 complaints last year, handled over 6,000 data breach notifications, and issued nearly €487 million in fines as cybersecurity incidents and privacy enforcement continued to intensify across the country.

In its 2025 annual report, the Commission nationale de l'informatique et des libertés (CNIL) said complaints rose 10% year-over-year to 20,150, marking another record for the regulator. Many complaints involved workplace privacy issues, commerce, social networks, real estate, and data breaches. Around 1,900 complaints were directly tied to cybersecurity incidents and unauthorized disclosures of personal data.

The CNIL carried out 323 investigations during the year and issued 259 corrective measures, including 83 sanctions totaling nearly €487 million. The regulator said two major cases accounted for much of the record fine total, though it also highlighted increased use of its simplified enforcement procedure for less complex matters.

Cybersecurity featured heavily throughout the report.

The regulator received 6,167 data breach notifications in 2025, up 9.5% from the previous year, with hacking responsible for roughly half of all reported incidents. Other breaches involved personal data being sent to the wrong recipients or lost through misplaced equipment and devices.

“Three lessons can be drawn from the data breaches reported to the CNIL in 2025: no one is spared; breaches are becoming increasingly massive; they often involve service providers,” CNIL chair Marie-Laure Denis said in the report.

The agency said cybersecurity breaches accounted for about one-third of its investigations and nearly 30% of sanctions during the year. It also noted growing coordination with France’s national cybersecurity agency, the Agence nationale de la sécurité des systèmes d'information (ANSSI), and with prosecutors handling cybercrime cases.

The CNIL said the trend has become serious enough that half of its controls and enforcement actions in 2026 will focus specifically on data security and cybersecurity breaches. Future investigations are expected to target organizations affected by breaches, entities receiving complaints, and sectors handling large amounts of sensitive data, including banking information, location data, and government records.

The report also reflects the regulator’s expanding responsibilities under the EU’s AI Act.

The CNIL said it has already been designated to oversee prohibited AI uses and is expected to become the market surveillance authority for certain high-risk AI systems involving areas such as biometrics, migration, employment, education, and law enforcement.

During 2025, the regulator published guidance and technical resources for AI developers and designers, participated in public consultations, and worked with partners including ANSSI, Inria, and PEReN on the PANAME project, a software library designed to determine whether AI models process personal data.

Beyond enforcement activity, the CNIL said it processed 1,351 requests for professional advice, delivered 90 opinions on draft laws and regulations, and handled 539 health-sector authorization requests during the year. It also launched seven public consultations on topics including connected vehicles, internet trackers, medical records, and credit-granting practices.

The regulator additionally reported responding to more than 35,000 calls and over 14,000 written requests for information from the public while conducting awareness campaigns aimed at schools, families, and younger users.

The annual report repeatedly notes that the agency’s workload continues to increase while resources remain constrained. At the same time, the CNIL said it is reorganizing internally to prepare for the progressive implementation of the EU AI Act and the growing scale of cybersecurity-related enforcement.
