France’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization
On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.
French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm
On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.
The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.
French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French). The Recommendation is open for public consultation until May 20, 2025.
CNIL Opens Public Consultation on Its Standards for Processing Health Data
On May 16, 2024, the CNIL launched a public consultation on all of its health data standards. Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.
French law has specific requirements for the processing of health data. In particular, it…
France Publishes Updated Certification Standard for the Hosting of Health Data
The French Public Health Code requires that certain service providers hosting health data hold a specific “HDS” certification. In order to obtain this certification, providers must comply with the requirements set out in the “HDS” certification standard. On May 16, 2024, France officially published an updated version of this “HDS”…
French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.
CNIL Tests Tools to Audit AI Systems
With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that…
France Enacts New Law on Parental Controls
On March 2, 2022, following a fast-track legislative process in the French National Assembly and Senate, President Macron of France signed into law a new piece of legislation designed to reinforce parental controls over minors’ access to the Internet (the “Law”) (see final text of the Law published in the Official Journal here, in French).
The Law will apply primarily to manufacturers of devices that enable minors to access online services and content “likely to harm [their] physical, mental or moral development” (e.g., computers, smart phones, and tablets). The Law – which extends only to devices sold with an operating system (e.g., PCs, mobile phones, tablets, smart TVs) – requires manufacturers of such devices to provide a pre-installed parental control system which can be activated by parents or guardians upon first use. The installation, use, and (where applicable) uninstallation of the system must be provided to end users at no additional cost.
French National Assembly’s Committee Approves Bill on Internet Parental Control
On 12 January 2022, the French National Assembly’s Committee on Cultural Affairs and Education (the “Committee”) unanimously approved a draft bill seeking to “encourage the use of parental controls on certain equipment and services sold in France and allowing access to the Internet” (the “Bill”).
- Background
In 2021,…
The European Union Agency for Cybersecurity Publishes a Draft Certification Scheme for Cloud Services
On December 22, 2020, the European Union Agency for Cybersecurity (“ENISA”) published a draft scheme for cloud services (see press release here and scheme here). Cloud services that meet the security requirements of the scheme will be able to obtain a certification attesting their level of cybersecurity. The draft scheme is available for public consultation until February 7, 2021.