- By raising the number of sanctions imposed between 2022 and 2024 to 150 (including 87 last year), the CNIL once again demonstrates its determination to track down any breach of the provisions governing the processing of personal data.
- The simplified procedure, introduced in April 2022, has now become the general rule, as the CNIL frequently uses it to sanction offenders.
- The lack of systematic communication about the sanctions imposed nevertheless gives the false impression that it is possible to slip through the cracks and avoid GDPR obligations.
For its third edition, “The Observatory of CNIL Sanctions” from the Walter Billet Avocats firm confirms the underlying trend highlighted a year earlier, namely a very clear ramp-up by the public authority in the sanctions it imposes for violations of the General Data Protection Regulation (GDPR), which entered into force in mid-2018.
However, unlike previous years, when the CNIL had gradually revealed the fines imposed on offenders, the authority headed by Marie-Laure Denis has increased the number of sanctions without communicating on them systematically, whatever their scope. This is why its annual report reflects a dynamism that contrasts with the impression of discretion observers might have: the CNIL has just announced that it more than doubled the volume of its sanctions, which rose to 87 in 2024.
Among these, around sixty were precisely identified by “The CNIL Sanctions Observatory”, through the examination of the decisions made public by the authority and those available on Legifrance. Conversely, a third of the sanctions imposed during 2024 therefore remain impossible to decipher.
“The configuration of the fines imposed by the CNIL has evolved significantly in a relatively short period of time”, analyzes Alan Walter, co-founding partner of Walter Billet Avocats and expert in innovative technology and personal data law. “After a first phase that could be described as market education, where the practices of large groups, both French and international, were prioritized, the CNIL continued to broaden its spectrum of investigation to reach public and private organizations of all sizes. In this context, it should be noted in particular that only one fine has exceeded the threshold of one million euros in 2024, namely that of 50 million targeting the telecoms operator Orange.”
Eleven fines between 100,000 euros and 1 million
Last year, moreover, only 12 sanctions were made public by the reference authority. Although this communication has become piecemeal, “The CNIL Sanctions Observatory” has identified eleven fines of between 100,000 and 1 million euros, spanning a wide range of sectors (software publishing and sales, website publishing, classified-ad sites between individuals, loyalty-program management, conducting studies, distribution of telecommunications equipment, etc.).
Given that the CNIL reports having imposed sanctions worth 55.2 million euros in 2024, and that the 12 fines of more than 100,000 euros add up to 54.2 million, it follows that the remaining million euros is spread across the 75 other decisions handed down over the last year (an average of around 13,000 euros each).
“The preponderance of sanctions of a moderate magnitude is the logical consequence of the fact that the CNIL is increasingly using the simplified procedure, created in April 2022 and whose maximum penalty is a fine of 20,000 euros”, underlines Alan Walter.
More and more reports
Alan Walter continues: “The delays in processing files mean that, mechanically, we are starting to observe a very significant multiplication in the number of sanctions, out of all proportion to the annual volume finalized by the CNIL until 2023. It is moreover in the interest of increased efficiency that the simplified procedure has been put in place for files not presenting any particular legal difficulty.”
Whatever the procedure used, companies and public entities targeted by a CNIL investigation have an obligation to cooperate, as stipulated in the GDPR. Despite this, lack of cooperation continues to be a very common reason for sanctions, as was already the case in 2023.
“Companies could consider that the risk of being sanctioned is minor, particularly given the amount of fines imposed, but this is certainly a false calculation because it does not take into account the effect of such sanctions on their reputation. Given that more and more examinations carried out by the CNIL result from reports received from users and customers of the entities concerned, it is better to adopt a pro-active attitude and demonstrate a desire to take corrective actions as soon as an investigation begins”, advises Alan Walter.
The latest sign that these issues deserve increased attention: at the beginning of January 2025, the CNIL carried out an internal reorganization, creating two separate departments, one dedicated to the exercise of rights and complaints, the other to controls and sanctions. Logically, the number of investigations and sanctions should increase again this year.
Methodology: “The Observatory of CNIL Sanctions” from the Walter Billet Avocats firm is compiled on the basis of decisions made public by the CNIL. The amounts of the sanctions, the GDPR articles cited and the identities of the companies and organizations concerned are extracted from the documents published by the CNIL and available on its website, as well as from the decisions available via Legifrance.
The comments appearing in “The Observatory of CNIL Sanctions” are based on the analysis carried out by the IP-IT team of the Walter Billet Avocats firm, led by Alan Walter.