The CNIL has published its 2024 annual report[1], a document that goes far beyond a simple activity report. It highlights serious issues for the digital future and, above all, the way the CNIL intends to respond to these increasingly complex challenges.
Three particularly salient points emerge from this report: I. the intensification of repressive action, II. the necessary regulation of AI and algorithms, and III. the fight for data security in the face of ever-higher risks.
I. A turning point: the CNIL is intensifying its sanctions
In 2024, the CNIL intensified its repressive action in a context marked by a multiplication of personal data breaches. This year, the CNIL crossed a new threshold in its intervention capabilities, with the number of sanctions pronounced doubling compared to 2023.
1. The simplified procedure is gaining momentum
One of the most significant changes is the introduction of the simplified sanction procedure. It allows the CNIL to impose sanctions quickly, without resorting to the more complex ordinary procedure, when the infringement is widespread and raises no difficulty of legal assessment (e.g. failure to cooperate with the CNIL or non-compliance with the exercise of rights)[2].
In 2024, the CNIL imposed 69 penalties through this procedure, for a total of €715,500 (62 fines, 12 of them with a penalty order, and 6 enforcement liquidation orders), a number significantly higher than in previous years (24 sanctions in 2023). This simplification aims to accelerate the sanctioning process and thus respond more quickly to infringements, which in 2024 predominantly took the following forms[3]:
- Lack of cooperation with the CNIL: 27 entities concerned;
- Non-compliance with the exercise of rights (erasure, objection, access): 23 decisions rendered;
- Data minimization (systematic and complete recording of telephone conversations, or permanent video surveillance of employees at their workstations): 10 sanctions rendered;
- Data security (weak or plaintext-stored passwords, lack of an authorization policy, use of an obsolete protocol): 11 entities concerned.
2. Increased controls and sanctions
Alongside this enforcement action, the CNIL has strengthened its supervisory capabilities to ensure ongoing monitoring of practices. In 2024, the authority conducted 321 audits (166 on-site, 99 online, 44 by mail and 12 by videoconference) to verify that actors comply with the obligations laid down by the GDPR.
The number of ordinary sanctions (fines, injunctions with or without a fine, warnings) has, for its part, more than doubled compared to 2023 and breaks down as follows:
- 331 corrective measures;
- 89 sanctions, including 18 under the ordinary procedure before the restricted panel (9 fines, 2 of them with a payment order, 2 liquidation decisions, 3 calls to order) and 69 under the simplified procedure;
- €55,212,400 in cumulative fines;
- 180 stay orders;
- 64 reminders of legal obligations by the President of the CNIL;
- 12 European sanctions examined by the CNIL;
- 7 sanctions issued by the CNIL and examined by its European counterparts.
3. The exercise of individual rights
One of the CNIL's essential functions is handling complaints filed by natural persons. In 2024, it processed 15,689 complaints (7,771 of which were dismissed as inadmissible and 9,868 closed after investigation). In this respect, one of the CNIL members in charge of the complaint docket recalls that evidence such as screenshots must be provided for a complaint to be processed. Indeed, of the nearly 5,771 complaints rejected as unfounded, some fell short on the issues raised, but others failed for lack of proof of a potential violation.
The CNIL also received 24,947 requests for the indirect exercise of rights. This high demand reflects public confidence in the CNIL's ability to defend the rights of data subjects.
See also our previous assessment of CNIL sanctions to better understand current repressive trends.
II. The indispensable framework of AI and algorithms: the CNIL at the forefront of innovation
1. Responsible development of AI systems
Artificial intelligence is no longer a distant, almost theoretical concept reserved for experts and researchers. It is now part of everyday life. But with AI come significant risks to privacy: the mass exploitation of data, sometimes without genuine user consent, raises major issues. The CNIL has well understood this and is decisively engaged in this area.
The application of Regulation 2024/1689[4], better known as the AI Act, which came into effect in February 2025, is one of the CNIL's major priorities. The objective? To ensure that AI is developed and deployed in compliance with the GDPR and the rights of individuals. In its 2024 report, the CNIL recalls that it has issued recommendations on this subject. The 12 practical guides published[5] aim to address the growing concerns of public and private stakeholders, particularly in a context marked by the emergence of generative AI. They set out the key steps in the responsible development of an AI system (AIS), namely:
- Determine the applicable legal regime;
- Define a purpose;
- Determine the legal qualification of the actors;
- Establish a legal basis;
- Conduct tests and checks in case of data reuse;
- Conduct an impact assessment if necessary;
- Take data protection into account from the outset in system design choices;
- Take data protection into account in the collection and management of data;
- Mobilize the legal basis of legitimate interest to develop an AI system;
- Inform the persons concerned;
- Respect and facilitate the exercise of the rights of the persons concerned;
- Annotate the data;
- Ensure the security of the development of an AI system.
2. Generative AI
The CNIL also insists on a considered approach when integrating generative AI into business processes. These AI systems, through their ability to generate content (text, computer code, images, music, audio, video, etc.), offer immense creative and productive potential. Their deployment must nevertheless be tightly controlled, particularly when they process personal data. The CNIL recommends starting from concrete needs to choose suitable chatbots, while evaluating the risks associated with their use. For example, it recognizes that making a conversational agent available to assist with drafting may pose less risk than a decision-support tool in recruitment or customer relationship management[6].
To anticipate the challenges of AI and the GDPR in the coming years, see also our analysis of the CNIL's 2025-2028 strategic plan.
III. Data security: the CNIL's action in the face of a high level of risk
1. Data breaches, poor practices and recommendations
In 2024, the CNIL faced a surge in data breaches of unprecedented scale (5,629 breach notifications received by the CNIL). This highlights the need for data controllers to strengthen their cybersecurity posture. Aware of how rapidly the threat evolves, the CNIL has adjusted its recommendations and guidance to better support stakeholders, for example by updating its personal data security guide[7] to cover technological advances such as AI, cloud computing and mobile applications. These updates aim to provide concrete tools that take into account new vulnerabilities and common attack practices.
It also invites stakeholders to strengthen their authentication mechanisms, in particular by adopting multi-factor authentication[8], and to manage authorizations rigorously.
According to the CNIL report, data breaches most often result from poor practices such as:
- The use of generic or shared login accounts;
- Phishing;
- Malware that steals login credentials;
- The sale of login credentials by the user themselves;
- The use of data originating from previous breaches;
- Unauthorized access to the information system (e.g. free access to all equipment);
- Exploitation of security vulnerabilities.
Principal findings identified by the CNIL:
- Broad authorizations with mass access to personal data;
- Data retrieval via scripts;
- No limitation on the number of requests;
- Excessive collection or sharing of data with a subprocessor (beyond the purposes);
- Excessive data retention in active databases;
- Absence, insufficiency or failure to exploit abnormal-activity indicators;
- Non-detection of data exfiltration.
The CNIL, in coordination with authorities such as ANSSI, is intensifying its awareness and training actions to make private and public actors more autonomous in the face of cyber threats. It also recalls the imperative to notify data breaches within 72 hours of their detection. In 2024, this vigilance led to 5,629 breach notifications, a 20% increase compared to 2023.
For businesses particularly exposed to cloud computing risks, the CNIL has updated its practical guides[9], recommending in particular robust encryption solutions and specialized security devices to protect data in the cloud.
2. Health Security
Finally, in the healthcare sector, the CNIL reiterated the imperative need for healthcare facilities to secure computerized patient files (DPI)[10]. Following several breaches, formal notices have been issued to ensure strictly controlled access to medical data. Authorizations must be adjusted according to the profession exercised (e.g. a patient reception agent should only have access to the patient's administrative file, not to medical data) and must also take into account the "care teams", which are actually involved in the care of patients and are the only ones authorized to access data covered by medical confidentiality.
In its report, the CNIL recommends implementing the following three priority security measures:
"Secure access to the system through a robust authentication policy (including sufficiently complex passwords)";
"Provide specific authorizations so that each healthcare professional or establishment agent can only access the files relating to them";
"Implement traceability of access to the DPI. It must not only indicate who logged in and at what time, but, more precisely, what was accessed by whom. Regular checks of these accesses must be carried out in order to identify those that may be fraudulent or illegitimate."
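The three DPI measures above, as an added example that is not from the CNIL report or the firm: a small Python audit of a DPI access trail that applies the authorization rules the report describes (reception agents limited to the administrative file, medical data reserved to the patient's care team) and builds the who-accessed-what-and-when view needed for the regular checks. The care-team roster, role directory and log lines are constructed sample data.

```python
"""Added example: audit a DPI access trail against role and care-team rules.
Roster, roles and log lines below are constructed, not real data."""

# Constructed care-team roster: patient id -> professionals in that patient's care team
CARE_TEAMS = {
    "P001": {"dr_martin", "nurse_leroy"},
    "P002": {"dr_durand"},
}

# Constructed role directory: user -> role
ROLES = {
    "dr_martin": "physician", "nurse_leroy": "nurse",
    "dr_durand": "physician", "agent_petit": "reception",
}

# Constructed access trail: timestamp, user, patient, section of the file accessed
ACCESS_LOG = """\
2024-03-04T08:02:11 dr_martin P001 medical
2024-03-04T08:05:40 agent_petit P001 administrative
2024-03-04T08:07:03 agent_petit P001 medical
2024-03-04T09:15:27 dr_durand P001 medical
2024-03-04T09:20:00 nurse_leroy P001 medical
"""

def parse_log(text):
    """Turn the raw trail into (timestamp, user, patient, section) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def audit(entries):
    """Return the entries that break the authorization rules, with a reason.
    Rule 1: a reception agent may only see the administrative file.
    Rule 2: medical data is reserved to members of the patient's care team."""
    findings = []
    for ts, user, patient, section in entries:
        role = ROLES.get(user, "unknown")
        if section != "medical":
            continue
        if role == "reception":
            findings.append((ts, user, patient, "reception agent accessed medical data"))
        elif user not in CARE_TEAMS.get(patient, set()):
            findings.append((ts, user, patient, "medical access outside the care team"))
    return findings

def access_by_user(entries):
    """Traceability view: for each user, what was accessed and when."""
    view = {}
    for ts, user, patient, section in entries:
        view.setdefault(user, []).append((ts, patient, section))
    return view
```

Running `audit(parse_log(ACCESS_LOG))` on the sample trail flags the reception agent's medical access and the physician who is not on that patient's care team, while the legitimate care-team accesses pass.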
See also the best practices to adopt during a GDPR audit, to anticipate CNIL audits and strengthen your compliance.
Conclusion
The 2024 report demonstrates a more reactive, technical, and strategic authority. The CNIL does not simply impose sanctions; it anticipates, frames, and supports. For businesses, these orientations call for increased vigilance regarding responsibilities, the governance of processing operations, and the integration of data protection principles from the outset.
Aumans Avocats supports you in analysing these priorities and translating them concretely into your activities. Whether you are a public body, an SME or an innovative company, we help you implement solid, durable and adapted compliance.
Contact us for personalized legal support in the area of personal data protection.
Sources:
- [1] https://www.cnil.fr/sites/cnil/files/2025-04/rapport_annuel_2024.pdf – CNIL, Annual Report 2024
- [2] Ibid., p. 30
- [3] Ibid., p. 35
- [4] https://eur-lex.europa.eu/eli/reg/2024/1689/oj?locale=fr – Regulation 2024/1689 on Artificial Intelligence (AI Act | RIA)
- [5] https://www.cnil.fr/fr/les-fiches-pratiques-ia – CNIL, AI practical guides
- [6] https://www.cnil.fr/sites/cnil/files/2025-04/rapport_annuel_2024.pdf – CNIL, Annual Report 2024, p. 40
- [7] https://www.cnil.fr/sites/cnil/files/2024-03/cnil_guide_securite_personnelle_2024.pdf – CNIL, Personal data security guide
- [8] https://www.cnil.fr/fr/recommandation-mfa – CNIL, Multi-factor authentication: the CNIL's recommendations for better protection of data
- [9] https://www.cnil.fr/fr/informatique-en-nuage-cloud-la-cnil-publie-deux-fiches-pratiques-sur-le-chiffrement-et-la-securite – CNIL, Cloud computing: the CNIL publishes two practical guides on encryption and data security
- [10] https://www.cnil.fr/fr/donnees-de-sante-la-cnil-rappelle-les-mesures-de-securite-et-de-confidentialite-pour-lacces-au – CNIL, Health data: the CNIL recalls the security and confidentiality measures for access to the computerized patient file (DPI)