Rise in sanctions and compliance orders by CNIL in 2024

The Commission nationale de l’informatique et des libertés issued 45 more sanctions in 2024 than in 2023.

The French Data Protection Authority CNIL issued 87 sanctions in 2024, more than double the 2023 figure, new data shows. The regulator, the Commission nationale de l’informatique et des libertés, also increased the number of compliance orders and reprimands, and issued a total of 331 corrective measures during the year.

While the number of sanctions rose sharply, the total amount levied was €55,212,400 ($56,933,758) – almost $35m less than 2023’s total of €89,179,500 ($91,959,850).

Increased compliance orders

During 2024, CNIL also slightly increased its use of compliance orders, from 168 in 2023 to a record 180 last year, plus 64 reprimands relating to legal obligations. The CNIL calls this “an unprecedented number for this type of measure.”

Of those, the majority addressed issues relating to:

  • Access to the digital patient record – including formal notices to several healthcare establishments ordering them to take measures to ensure the security of computerized patient files. “Even when data is collected on a large scale by an organization that is unaware of the identity of the individuals concerned, such data remains pseudonymous and non-anonymous when linked through an identifier, which thereby presents a risk of re-identification,” CNIL explained.
  • Failure to respond to requests from individuals exercising rights – such as right of access or right to delete data an organization holds on individuals.
  • Other issues including video surveillance of employees at their workstations, and inadequate security measures to protect data.
Actions | 2023 | 2024
Sanctions | 42 | 87
Sanctions total amount | €89,179,500 | €55,212,400
Formal notices | 168 | 180
European decisions examined by CNIL | 5 | 12
CNIL decisions in cooperation with its counterparts | 6 | 7

CNIL also issued three warnings to government departments for failing to ensure the accuracy of data in their databases. One example involved police departments not updating files with acquittal decisions concerning the individuals on record.

A further 11 organizations were found to have failed to implement adequate measures to ensure data security. The failures included not enforcing robust passwords, storing passwords in clear text, not having an authorization policy, and using an outdated version of the TLS protocol (which protects the confidentiality and integrity of information exchanged between the server and the user’s browser).

Graphic: Martina Lindberg

Highest fine of the year on Orange

A majority of the sanctions (72) included fines; 14 came with injunctions under penalty, eight were decisions to liquidate an injunction, and four were reminders of the law.

Of the 87 sanctions, 18 were issued under the ordinary procedure and the majority (69) under the simplified procedure, which was introduced in 2022.

As a consequence, most of the sanctions included administrative fines of up to €20,000 ($20,646), and only one fine hit over the million mark. Of the 87 sanctions, the top five fines were against:

  • Orange – €50m ($52.5m). France’s leading telecommunications operator was found to be displaying advertisements placed between emails without the consent of the recipient users.
  • A publisher and seller of management software for physicians – €800,000 ($827,673). The company failed to apply for a CNIL authorization (health data warehouse) and to comply with the obligation to process data lawfully.
  • A company specializing in statistical studies of health data – €800,000 ($827,673). The company failed to apply for a CNIL authorization (health data warehouse).
  • A company marketing cryptocurrency wallets – €750,000 ($775,391). It was found to lack adequate data security measures and a defined data retention period.
  • HUBSIDE.STORE – €525,000 ($570,639). The technology and lifestyle store was found to be using customer information obtained from data brokers for commercial prospecting, without ensuring that the individuals had given valid consent for those purposes.

Decision making under the simplified procedure

The chairman or a member of the restricted formation makes the decision alone, and can impose one or more of these measures:

  • reminder to order;
  • injunction to bring the processing into compliance, including subject to a penalty payment of a maximum amount of €100 ($103) per day of delay; and/or
  • administrative fine of up to €20,000 ($20,646).
