The National Commission for Data Protection (CNIL) is worried after a year marked by personal data leaks “Unprecedented”.
“In 2024, data violations were not only more numerous but also of greater magnitude, leading to the theft of data for millions of people”deplores the protective authority of the private life of the French, in its assessment unveiled Tuesday, April 29.
The regulator recorded, in 2024, 5,629 notifications of data violations, 20 % more than in 2023, he detailed in his report, and he is concerned that “The number of violations affecting more than a million people has doubled in a year, going from around twenty to around forty successful attacks”. Among the organizations that were the victims last year: France Work, Free, third -party operators paying Viamedis and Almerys or Auchan.
The trend accelerates since the CNIL has already noted more than 2,500 data violations in the first quarter, almost half of what it recorded in 2024.
Double authentication
The regulator will impose on companies and public organizations which have databases of more than two million people to establish a double authentication system, deemed more reliable than a simple password. All employees, providers or subcontractors who connect to these services remotely will not only have to identify themselves in a conventional way but also use another means of identification, as a code received by SMS.
The president of the CNIL, Marie-Laure Denis, believes that “80 % of major data violations” Registered in 2024 “Could have been avoided” With the double authentication, coupled with the implementation of tools to detect massive extractions of this information or even greater awareness of employees.
After an adaptation time, the boss of the CNIL promises “Massive checks” From 2026.
The CNIL recorded 17,772 complaints received in 2024, a total record and up 8 % compared to 2023. A similar number of complaints (15,639) was treated and more than 5,700 were deemed not admissible.
Newsletter
“Pixels”
Social networks, cyber attacks, video games, manga and geek culture
Register
The number of sanctions pronounced by the regulator has more than doubled over a year, going from 42 in 2023 to 87 in 2024, for a total amount of 55.2 million euros in fines. Among the companies concerned, the telephone operator Orange was inflicted a fine of 50 million euros in December 2024 for uncompressed advertisements. In 2023, this total amount amounted to 89 million euros, due to several large fines targeting the French advertising giant Criteo (40 million euros) and Amazon France Logistics (32 million).
In parallel, the CNIL carried out last year 180 formal notice and sixty-four reminders of legal obligations, of procedures also increasing. The simplified sanction procedure, implemented in 2022 for files “Not having any particular difficulty” And for which a fine of 20,000 euros maximum can be pronounced, continues to develop, with seventy-nine sanctions pronounced in this context.
Artificial intelligence under surveillance
The regulator has also started to control the use of personal data by mobile applications, on the same principle as that requiring websites to explicitly offer acceptance or refusal of third -party cookies. “There have been scandals, do not hesitate to say it, on the exploitation of sensitive data without the consent of users”says Marie-Laure Denis, citing in particular meeting applications, “Who have encouraged us to grasp us from this subject”.
“We are going to control the fact that you are informed of the collection of data that is made when you download or when you use an application, we will control if these data are used for advertising prospecting”she detailed, stressing the fact that “Each Frenchman downloads approximately thirty applications per year”.
In parallel, the CNIL also placed the generative artificial intelligence (AI), a technology which is based on the massive exploitation of data, often personal, at the heart of its concerns. “We work a lot with the actors [de l’IA] To try to see which technologies to implement, so that there is for example a filter at the time of data regurgitation ”said Marie-Laure Denis, so that part of these “May be able to be erased”.
She also welcomes that European users of Meta platforms (Facebook, Instagram) can refuse that their public data will be used in order to cause AI of the American giant, as long as they fill out an online form by May 27.
The president of the CNIL warns on the data shared during exchanges with these conversational agents, such as Chatgtp of the American Openai or Gemini of Google, more and more used on a daily basis by the French. “Be very vigilant with the data that should seem to you to be a little sensitive (…) as health data, banking data, data on your sexual identityshe insists. Do not entrust an AI what you would not entrust to someone you would meet in the street. »»

