Annual report: CNIL's achievements and key actions in 2024

29 April 2025

The CNIL is publishing its 2024 report in a new format. Awareness-raising, controls and sanctions, AI, new support tools, European and international cooperation: the report presents the year's highlights and the many achievements in protecting everyone's personal data.

Each year, the CNIL publishes its activity report to take stock of its actions around its four main missions: informing and protecting the general public, supporting and advising professionals and public authorities, anticipating and innovating to build the digital world of tomorrow, and finally, controlling and sanctioning breaches of the General Data Protection Regulation (GDPR) and the law. 2024 was a year of intense activity and significant advances.

 

Download the CNIL 2024 annual report (in French)

Inspections and sanctions: a marked increase in the number of decisions

In 2024, the CNIL carried out several hundred inspections of public and private bodies in response to complaints or reports, depending on current events or within the framework of its priority themes. The CNIL audited both public bodies (ministries, local authorities, etc.) and private bodies on a variety of subjects, such as compliance with the rules on cookies and trackers, cybersecurity and the use of video devices.

A sharp increase in the number of legal decisions: 331 corrective measures; 87 sanctions; 55,212,400 euros in fines.

In total, the CNIL issued 331 corrective measures in 2024, including 87 penalties totalling more than €55 million in fines. In particular, the simplified procedure, introduced in 2022 for cases that do not present any particular difficulties, has been stepped up significantly and has proved its effectiveness, with 69 sanctions handed down this year, almost three times as many as in 2023.

At European level, the CNIL has studied 12 draft European sanctions.

Complaints: a record number of requests received

2024 was a record year for complaints received: the CNIL received a total of 17,772 complaints. With the exception of a series of 2,423 complaints received at the end of the year, which are still being investigated, in 2024 the CNIL processed more complaints (15,639) than it received (15,350).

The consequences of data leaks (theft of bank details, risks of identity theft, etc.) are a particularly strong cause for concern. More generally, the ‘telecoms, web and social networks’ theme generates the most complaints (49%), followed by commerce (19%) and work (13%).

17,772 complaints received in total: 49% on the theme of telecommunications, web and social media; 19% on business; 13% on work.

Cybersecurity: growing threats

In 2024, the CNIL was notified of 5,629 personal data breaches, 20% more than in 2023. Beyond this notable increase, the most worrying trend is the upsurge in very large-scale breaches.

5,629 data breaches notified to the CNIL, +20% since 2023. One third of the sanctions issued by the CNIL are aimed at a lack of data security.

The number of breaches affecting more than one million people has doubled in the space of a year, rising from around twenty to forty successful attacks, and affecting private and public players who are very much a part of French people's daily lives (Internet access providers, third-party payers, e-commerce, public services, etc.).

In response to this threat, the CNIL has worked closely with the Agence nationale de la sécurité des systèmes d'information (ANSSI), the cyber section of the Paris public prosecutor's office (J3) and Cybermalveillance.gouv.fr to prevent and limit the consequences for individuals.

AI: initial resources to strengthen support tools

The rise of artificial intelligence is at the heart of technological and economic prospects, but its development requires, by design, the collection of a large amount of data, which may be personal data.

Following on from its action plan published in 2023, the CNIL has published its first recommendations for the development of AI systems, in the form of 12 practical information sheets, 9 of which are published in their final version, after consultation with the stakeholders concerned. These address, step by step, the points to be respected to ensure that innovation respects data protection. In addition, the CNIL has more specifically published an initial series of questions and answers on the use of generative AI.

These actions, which focus on AI, are part of a wider support approach for public and private organisations.

12 how-to sheets for AI system development

Support that keeps pace with changes in the sector and technology

As part of its general support policy, the CNIL launched a ‘sandbox’ for the economy of senior citizens and selected 4 companies for enhanced support. 2024 also saw the publication of a recommendation to help professionals design mobile applications that respect people's rights. The CNIL also continued to travel to the regions to discuss the implementation of the GDPR, in addition to the many thematic webinars on offer.

Raising public awareness: increased interaction to protect minors

The data of minors, and their rights over it, are at the heart of the news: access to pornographic content, parental control and supervision, cyber-bullying, media education, etc. The CNIL has carried out 84 actions in the field to raise awareness among young people, their parents, teachers and mediators.

Raising public awareness: 84 onsite actions conducted for minors. A total of 173 awareness campaigns conducted.

It offered workshops in schools, responded to questions from the public at trade fairs and various events, and produced educational resources adapted to younger children (poster ‘Your data, your rights’ in conjunction with the Korean Data Protection Authority). Several partnerships have also been established or renewed with France Télévisions, the French Ministry of Education and the Infos Jeunes France network.

In addition to minors, the CNIL has stepped up its other actions in the field. In all, it has carried out 173 actions for a variety of audiences: intergenerational workshops, partnership with France Services, sessions for people with disabilities, guides on cyberthreats for families and senior citizens, etc.
