CNIL 2025: record-breaking fines signal new era of GDPR enforcement

In 2025, the CNIL imposed record sanctions and an unprecedented level of requirements. An analysis of this repressive turn, with strategic recommendations for companies.

Introduction:

The year 2025 illustrates the CNIL's determination to assert a rigorous and dissuasive sanctions policy, with sanctions of unprecedented magnitude. The French data protection authority is making a marked change of scale, both in the level of the fines imposed and in the level of requirement applied to the breaches observed.

Record fines that reflect a change of direction:

The figures speak for themselves: the CNIL no longer hesitates to impose sanctions on an unprecedented scale.

Some of the most significant decisions of 2025 include:

  • 325 million euros against GOOGLE, divided between Google LLC (200 million euros) and Google Ireland Limited (125 million euros)
  • 150 million euros against SHEIN
  • 1.7 million euros against NEXPUBLICA
  • 1.5 million euros against AMERICAN EXPRESS
  • 1 million euros against MOBIUS SOLUTIONS LTD
  • 900,000 euros against SOLOCAL MARKETING SERVICES
  • 750,000 euros against CONDÉ NAST publications

In 2025, the average amount of the sanctions pronounced by the CNIL under the ordinary procedure reached around 44 million euros, compared with 4 million in 2024: in other words, on average, the amounts of sanctions were multiplied by 10 between 2024 and 2025.

These amounts reflect a clear desire on the part of the authority to reinforce the deterrent effect of sanctions and to remind all economic actors of the importance of complying with data protection rules.

Another significant development: for the first time, some of the sanctions imposed by the restricted committee exceed the amount initially proposed by the rapporteur (CONDÉ NAST and MOBIUS SOLUTIONS sanctions).

The strengthening of the CNIL's position was confirmed in 2026, as demonstrated by the CNIL's decisions of January 14, 2026, which fined FREE MOBILE and FREE 27 million euros and 15 million euros respectively.

In short, in 2025, the CNIL displayed unprecedented firmness, reflecting a policy of sanctions that was much more severe than in previous years.

An unprecedented level of requirements expected by the CNIL:

Beyond the record amounts, it is the level of requirement imposed by the CNIL that marks a significant break. The authority is now adopting a particularly rigorous, even inflexible, approach that is evident at several levels.

Regularization is no longer enough to avoid heavy sanctions

The sanctions imposed in 2025 also demonstrate that the regularization of breaches is no longer a significant factor in mitigating the penalty.

For example, the CNIL imposed relatively heavy sanctions against AMERICAN EXPRESS and PUBLICATIONS CONDÉ NAST, despite the complete correction of the breaches identified during the procedure.

The authority considers that the breach is established for the period concerned and sanctions it firmly, despite the rapid adoption of corrective measures.

Although the Conseil d'État accepted, in the Optical Center case, that the speed with which a company implements corrective measures may justify a reduction in the amount of the fine imposed by the CNIL, this assessment remains discretionary. On a reading of recent decisions, the amounts imposed reflect a very limited, even marginal, consideration of corrective actions, indicative of a now greatly reduced tolerance.

Towards a zero tolerance GDPR compliance standard

The CNIL's strengthened requirement is also evident in its extensive interpretation of the obligations of the GDPR, revealing an assumed maximalism.

The clearest illustration concerns the security obligation of article 32 of the GDPR, which, although qualified as an obligation of means, the CNIL tends to treat as a de facto obligation of result.

The CNIL relies on the principle of “defense in depth”, which consists in multiplying and layering independent security mechanisms, distributed at different levels of a system, in order to reduce the probability that a single failure or attack will compromise the entire system. Thus, if one layer is bypassed, the next ones should make it possible to detect, slow down, contain, or block the attack.

In practice, this requirement is particularly difficult, if not impossible, to meet, in a context where data breaches are increasing and where no security measure is infallible.

This requirement by the CNIL reveals the desire to impose a maximum standard of compliance: compliance efforts are now insufficient. The authority imposes zero tolerance and expects exemplary, immediate and complete compliance.

An ambitious but unpredictable enforcement strategy

The dramatic tightening of the sanctions pronounced by the CNIL in 2025, which undeniably testifies to a strong desire to make the GDPR a truly binding text, translates in practice into a worrying unpredictability for economic actors.

The CNIL is clearly seeking to establish itself as a leading enforcement authority, imposing fines of hundreds of millions of euros.

However, unlike the Autorité de la Concurrence, which relies on a detailed calculation grid and a proven methodology for calculating fines, the CNIL operates in a much less structured framework: the European Data Protection Board's Guidelines 04/2022 on the calculation of fines are not explicitly applied in its deliberations, a justification of the amounts imposed against the criteria of article 83 of the GDPR is not required by the Conseil d'État (CE, 10th/9th chambers, 19 June 2020, no. 430810), and the reasoning of the deliberations is sometimes very brief in view of the amounts involved.

This situation creates significant legal uncertainty: while the amounts of sanctions are reaching unprecedented levels, the criteria for anticipating their quantum remain largely opaque. As a result, businesses are unable to accurately calibrate their legal and financial risk, even when they are making significant compliance efforts.

In short, the CNIL's repressive regime in 2025 is characterized by an unprecedented combination of maximum severity and legal uncertainty in terms of the methodology for calculating fines.

Conclusion: anticipate the new paradigm of CNIL sanctions

Businesses must now incorporate a high risk of sanctions into their GDPR compliance management. The CNIL reached a decisive milestone in 2025, imposing fines of an unprecedented scale and applying a maximum level of requirements. The challenge for the authority will be to reconcile this increased severity with sufficient predictability of the repressive framework.

Key Recommendations to navigate stricter CNIL sanctions

  1. Rethink risk governance: raise GDPR risk to the level of strategic business risks by involving senior management and by systematically integrating GDPR issues into strategic and operational decisions.
  2. Increase the level of data security: adopt a defense in depth approach and strengthen your security arrangements.
  3. Strengthen the internal skills and resources of the DPO: equip your data protection officer with sufficient resources and train your teams to create a true data protection culture at all levels of the organization, especially when it comes to data security.
  4. Provision for a high financial risk: the amounts of sanctions were multiplied by 10 on average between 2024 and 2025. Reassess your provisions and cyber insurance accordingly.

When compliance becomes strategic, the regulator's perspective becomes essential

With over 20 years of experience, Odoné supports leading organisations with rigorous, pragmatic and accessible guidance.
