On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French). The Recommendation is open for public consultation until May 20, 2025.Continue Reading French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
Digital Fairness Act Series – Topic 1: Influencer Marketing
The European Commission (“Commission”) is working on a new EU consumer protection law called the Digital Fairness Act (“DFA”) to better protect consumers in the digital space. The DFA is expected to regulate, among other things, influencer marketing.
With EU consumer protection watchdogs starting to bring cases against companies whose products or services are promoted by influencers (see for example here), the DFA’s provisions may apply not only to influencers, but also to companies that deploy or use influencers, to ensure that advertising practices are fair and transparent. This blog post explores two key issues that the European Commission is expected to prioritize in its approach to influencer marketing. It also provides a brief overview of the French legal framework in this area, which some expect to serve as a model for the EU’s forthcoming rules in this area.Continue Reading Digital Fairness Act Series – Topic 1: Influencer Marketing
CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket
On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.
The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online. Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency.
The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.Continue Reading CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket
CNIL Opens Public Consultation on Its Standards for Processing Health Data
On May 16, 2024, the CNIL launched a public consultation on all of its health data standards. Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.
French law has specific requirements for the processing of health data. In particular, it
Continue Reading CNIL Opens Public Consultation on Its Standards for Processing Health DataFrance Publishes Updated Certification Standard for the Hosting of Health Data
The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification. In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard. On May 16, 2024, France officially published an updated version of this “HDS”
Continue Reading France Publishes Updated Certification Standard for the Hosting of Health DataFrench CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments. Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
Court of Justice of the EU Clarifies Rules on the Production of Evidence Containing Personal Data in Civil Litigation
On March 2, 2023, the Court of Justice of the EU (“CJEU”) decided, in case C-268/21, that the GDPR applies to the production of evidence in civil court proceedings. The case sets limits on, but does not preclude, the production of personal data in court proceedings.
Continue Reading Court of Justice of the EU Clarifies Rules on the Production of Evidence Containing Personal Data in Civil Litigation
The French CNIL Reminds Two Medical Research Organizations of their Data Protection Obligations
As permitted by the GDPR, France has enacted some specific requirements for the processing of health data, in particular in the context of medical research. Following a report, the French supervisory authority (“CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements.
Continue Reading The French CNIL Reminds Two Medical Research Organizations of their Data Protection ObligationsFrench CNIL Finds GDPR Not Applicable to a US Company Providing a Browser Extension
On December 20th, 2022, the French Data Protection Authority (“CNIL”) closed down an investigation against a US company providing a browser extension (the “Company”), after finding that its activities were not subject to the GDPR. The CNIL’s decision is available here in French.
The Company provides a browser extension (the
Continue Reading French CNIL Finds GDPR Not Applicable to a US Company Providing a Browser ExtensionCNIL Tests Tools to Audit AI Systems
With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that
Continue Reading CNIL Tests Tools to Audit AI Systems