CNIL reports increased data breaches and complaints in France 2024

Personal data breaches increased 20%, and large breaches that affected one million individuals increased 50%.

In its latest annual report, the French data protection authority CNIL (Commission nationale de l’informatique et des libertés) reports a year-on-year increase in complaints received and in notifications of data breaches. In fact, 2024 was a record year, with a total of 17,772 complaints, up from 16,433 in 2023. That is also a 35% increase on 2022 numbers.

There were 2,423 complaints received late in 2024 that are still under investigation. The authority processed a total of 15,639 complaints during the year. Most concerns were related to telecoms, web and social networks (49%), followed by commerce (19%), and work (13%).

Cyber attacks

CNIL also experienced a 20% rise in reports of personal data breaches with 5,629 breaches in total. The number of big breaches that affected more than one million individuals also doubled from about 20 to 40 successful attacks on both private and public organizations.

“Beyond this notable increase, the most worrying trend is the upsurge in very large-scale breaches,” the authority commented.

To address the threat, the authority has worked closely with the Agence nationale de la sécurité des systèmes d’information, the cyber section of the Paris public prosecutor’s office, and Cybermalveillance.gouv.fr to take measures that limit the consequences for individuals.

About one in three sanctions that CNIL issues is related to poor data security.

| | 2022 | 2023 | 2024 |
|---|---|---|---|
| Complaints received | 12,193 | 16,433 | 17,772 |
| Complaints processed | 13,425 | “as many complaints as it received” | 15,639 |
| Investigations | 345 | 340 | 321 |
| Sanctions | 21 | 42 | 87 |
| Fines | 19 | 36 | 75 |
| Fines total amount | €101,277,900 ($108,218,257) | €89,179,500 ($95,293,780) | €55,212,400 ($91,959,850) |
| Formal notices* | 148 | 168 | 180 |
| Reminders of legal obligations* | 29 | 33 | 64 |

*Issued by the Chair of the CNIL

Another increasing part of the CNIL’s work was reminders of legal obligations that are issued by the authority’s Chair, which almost doubled from 33 to 64.

Increased sanctions

As reported earlier, CNIL also increased the number of compliance orders and reprimands, and issued a combined total of 331 corrective measures in 2024. The regulator also issued 87 sanctions during the year, more than double the figure in 2023.

While the number of sanctions rose sharply, the total amount levied was €55,212,400 ($56,933,758) – almost $35m less than 2023’s total of €89,179,500 ($91,959,850).

During 2024, CNIL also slightly increased its use of compliance orders, from 168 in 2023 to a record 180 last year, plus 64 reprimands of legal obligations. The CNIL called this “an unprecedented number for this type of measure.”

Of those, the majority of orders addressed issues relating to:

  • access to the digital patient record;
  • failure to respond to requests from individuals exercising rights – such as right of access or right to delete data an organization holds on individuals; and
  • other issues such as video surveillance of employees at their workstations, and inadequate security measures to protect data.

Global collaboration

Looking ahead, CNIL recently issued a new framework and strategy to enhance and coordinate global data protection, which clarifies the regulator’s position to stakeholders globally. It says it wants to strengthen its role in joint operations as a lead or concerned authority by playing “an active role ensuring the protection of personal data in France, Europe and the rest of the world.”

The strategy also provides guidance on key issues at both European and international level.

The authority also signed a joint declaration with four other data protection authorities to continue their commitment to establish data governance that fosters innovative and privacy-protective AI. The other DPAs were those of Australia, Korea, Ireland, and the UK.

And even though AI brings many opportunities in the fields of innovation, research, economy and society, the declaration also states that AI poses “significant risks with respect to the protection of fundamental rights such as data protection and privacy.” These include risks of “discrimination, misinformation and hallucination that are often caused by the inappropriate processing of data.”