France’s CNIL Steps Up Enforcement with Major GDPR and Data Security Fines

France’s data protection watchdog, the Commission nationale de l’informatique et des libertés (CNIL), has recently imposed several significant financial sanctions, reinforcing its oversight of data security and privacy compliance under the EU General Data Protection Regulation (GDPR) and French law.

• €5 Million Fine for Data Security Failures at France Travail

On 22 January 2026, the CNIL imposed a €5 million penalty on France Travail (formerly Pôle emploi) for failing to adequately protect the personal data of job seekers. The sanction follows a major cyberattack in 2024 that exposed sensitive personal information of tens of millions of individuals due to systemic security weaknesses. The authority highlighted a “manifest lack of appropriate security measures,” underscoring the risk posed to the privacy of those whose data were compromised.

• €42 Million in Cumulative Fines for Free Mobile and Free

Earlier in January 2026, the CNIL sanctioned telecommunications provider Free Mobile and its parent company Free with fines of €27 million and €15 million respectively, a total of €42 million. These penalties stem from a 2024 data breach in which attackers accessed millions of customer records, including contact details and bank information. The regulator found significant shortcomings in technical and organisational security measures, in breach of GDPR requirements on data protection and integrity.

Other Recent Enforcement Actions

The CNIL’s enforcement activities extend beyond these headline cases:

• In late December 2025, a €3.5 million penalty was imposed on a company for transmitting loyalty program data to a social network for advertising without valid consent.

• The watchdog continues to tackle cookie and tracking compliance offences, following record fines on major internet players in 2025 (e.g., Google’s €325 million sanction for Gmail advertising practices and cookie consent issues, and a €150 million fine against SHEIN for cookie misuse).

What This Signals for Organisations

These recent decisions underline the CNIL’s intensified scrutiny of data security practices and consent mechanisms, and its willingness to leverage the GDPR’s full penalty regime. From public agencies to private telecom operators, organisations handling personal data in France must prioritise robust security frameworks, clear user consent processes, and transparent data use practices or face punitive enforcement actions.