The year 2024 was particularly busy for the French National Commission for Information Technology and Civil Liberties (CNIL). The personal data protection authority received 17,772 complaints, a figure never before reached since the organization's creation. Remarkably, it investigated more cases than it received (15,639 processed for 15,350 received, excluding the late wave of 2,423 complaints).
A record number of complaints and sanctions
At the same time, 5,629 personal data breaches were notified to the CNIL, 20% more than in 2023. And the most worrying thing, according to the authority, is the increase in large-scale incidents. In one year, the number of attacks affecting more than a million people has doubled, rising from around twenty to around forty. These attacks affected both the private (Free, Auchan, Boulanger, etc.) and public (France Travail) sectors.
In response, the CNIL issued 87 sanctions, totaling more than €55 million in fines. The simplified procedure, used for the clearest cases, has proven to be an effective tool: 69 decisions have been issued through this method, three times more than in 2023.
Data breaches mainly stem from computer attacks: ransomware, phishing, and other account compromises. However, 20% of incidents are still due to internal human error. Among the most frequently observed failings, the CNIL notes that credentials had already been compromised, that intrusions were not detected in time, and that a subcontractor was involved in a significant proportion of the cases.
Faced with these findings, the CNIL has announced that, from 2026, it will require two-factor authentication for all remote access to databases containing several million personal data records, as reported by Franceinfo. This will affect employees as well as partners and subcontractors. According to the organization, combined with other measures (monitoring of extractions, traceability of access, awareness raising, etc.), this requirement would have prevented 8 out of 10 massive breaches.
The CNIL took the opportunity to reiterate basic good practices in cybersecurity: regular updates, strong passwords, frequent backups, email protection, and ongoing user training. These recommendations are part of its 2025–2028 strategic plan, which focuses on anticipation and resilience in the face of growing digital risks.
The authority has intensified its awareness-raising activities, organizing 173 field actions that have reached families, seniors, people with disabilities or those excluded from digital technology. The CNIL has also sought to better inform and raise awareness among minors, with initiatives on pressing issues such as young people's access to pornographic content, cyberbullying, and the role of parents in controlling digital usage.