Legal Watch

Securing data in light of the "France Travail" sanction.

Legal Watch No. 91 – January 2026. 


The sanction adopted on January 29 by the CNIL against France Travail is exemplary in that it reminds us of the essential elements of an effective security policy.

In a context of increasing mass data breaches, the CNIL emphasizes three fundamental aspects of data protection:

  • Robust authentication,
  • Effective logging,
  • An authorization policy tailored to the responsibilities of the agents.

The CNIL's sanction, amounting to 5 million euros, is the latest act in a case that began in 2024 when hackers managed to access the accounts of Cap Emploi advisors.

This access allowed them to connect to the data of all people registered with France Travail, or who have been registered in the last 20 years, as well as people with a candidate space on francetravail.fr.

This means that the data of more than 36 million people could be downloaded by the hackers.

As regards responsibility, it should be noted that while the CNIL does not dismiss the responsibility of the Cap Emploi advisors, it insists on the primary responsibility of France Travail.

  • France Travail is responsible for "the initiative to deploy and manage the measures designed to ensure the security of the information system, which it has opened access to for Cap Emploi (...)."
  • It was also France Travail that decided to disregard the prior recommendations of the impact analysis regarding authentication.

Time constraints, linked to technical difficulties in implementation, are said to have led it to set aside these precautions.

In this regard, the CNIL reiterates its doctrine on authentication and specifies that the use of passwords must be supplemented by additional measures (a captcha, a delay between attempts, or account lockout after at most ten incorrect attempts), unless the password meets one of the following profiles:

  • a minimum of 12 characters including uppercase letters, lowercase letters, digits and special characters;
  • a minimum of 14 characters including uppercase letters, lowercase letters and digits, with no mandatory special characters;
  • a passphrase of at least 7 words.

In this particular case, the password was only eight characters long, and the authentication policy stipulated a threshold of 50 unsuccessful attempts before locking access to the advisors' virtual machines. 
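As an added illustration (not code from the newsletter or from the CNIL decision), the checker below encodes the three CNIL password profiles and the ten-attempt ceiling for lockout, then evaluates the configuration reported above: an eight-character password with lockout only after 50 failed attempts. The measure names and the sample passwords are assumptions of this example.

```python
# Added example: the CNIL authentication doctrine expressed as a policy check.
# Thresholds are those quoted in the newsletter; measure names are assumed here.
MAX_FAILED_ATTEMPTS = 10  # lockout or delay must trigger by the 10th failure


def char_classes(password):
    """Return the set of character classes present in a password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("special")
    return classes


def password_stands_alone(password):
    """True if the password alone meets one of the three CNIL profiles."""
    classes = char_classes(password)
    n = len(password)
    if n >= 12 and {"upper", "lower", "digit", "special"} <= classes:
        return True  # profile 1: 12+ chars, four character classes
    if n >= 14 and {"upper", "lower", "digit"} <= classes:
        return True  # profile 2: 14+ chars, special characters optional
    return len(password.split()) >= 7  # profile 3: passphrase of 7+ words


def assess_policy(password, measures, lockout_threshold=None):
    """Return findings for an authentication policy; an empty list is compliant.

    measures: subset of {"captcha", "delay", "lockout"} deployed with the
    password. A lockout only counts if it triggers within MAX_FAILED_ATTEMPTS.
    """
    findings = []
    effective = set(measures)
    if "lockout" in effective and (
        lockout_threshold is None or lockout_threshold > MAX_FAILED_ATTEMPTS
    ):
        effective.discard("lockout")
        findings.append(f"lockout after {lockout_threshold} failures exceeds "
                        f"the CNIL ceiling of {MAX_FAILED_ATTEMPTS}")
    if not password_stands_alone(password) and not effective:
        findings.append("password meets no CNIL stand-alone profile and no "
                        "effective supplementary measure is in place")
    return findings


# The configuration the decision describes: 8 characters, lockout only at 50.
FRANCE_TRAVAIL_CASE = assess_policy("Ab1!efgh", {"lockout"}, lockout_threshold=50)
```

Lowering the lockout threshold to 10, or adding a captcha, is enough to clear the findings for that short password, but an eight-character password still never qualifies on its own.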

France Travail, which processes a large amount of sensitive data (relating, for example, to the origin of a disability, the constraints of a workstation, the evolution of the disability situation, or the conditions of access), should have been much stricter.

In particular, it should have provided for multi-factor authentication, which, according to the CNIL's doctrine, is essential in particular for the processing of sensitive data and for processing operations that pose a risk to the persons concerned.

“The difficulty of using a telephone as a second factor, due to the independence of Cap Emploi, could have been overcome by other measures, for example by distributing OTP (One-Time Password) tokens to employees (…).”

The CNIL also emphasizes the essential role of logging measures.

In this case, these measures did not make it possible to detect abnormal behaviour on the information system, namely abnormal data download volumes.

The CNIL rapporteur criticizes France Travail for the lack of regular automatic monitoring of logs to detect and analyze security incidents and to provide a quick and effective response.

“The operations carried out were highly abnormal in light of the timing and frequency of the requests, the considerable volume of data extracted (25 GB of “text” type data), the error rate of certain requests (69% on one of the compromised accounts (…)), and the fact that the data was extracted even though the activity of Cap Emploi advisors does not require significant resource consumption or significant data extraction (for example, on Tuesday, February 6, 2024 alone, 9 GB of data were extracted, which would correspond to more than 13 million records for a single advisor in a single day).”
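To make the detection criteria in that passage concrete, here is an added example (not France Travail's tooling or anything from the decision) that aggregates constructed extraction-log lines per account and per day and alerts on the two signals the CNIL cites, daily volume and request error rate. The log format, field names, account identifiers and alert thresholds are assumptions of this example.

```python
# Added example: per-account, per-day extraction monitoring on constructed logs.
# Log format, field names and thresholds are assumptions, not France Travail's.
import re
from collections import defaultdict

DAILY_BYTES_LIMIT = 500 * 2**20  # 500 MiB: far above routine advisor lookups
ERROR_RATE_LIMIT = 0.30          # 30% failed requests suggests probing
MIN_REQUESTS = 20                # do not judge error rates on tiny samples
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ account=(?P<acct>\S+) "
                     r"status=(?P<status>\d{3}) bytes=(?P<bytes>\d+)$")


def parse_line(line):
    """Parse one log line into (day, account, status, bytes) or None."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m["day"], m["acct"], int(m["status"]), int(m["bytes"]))


def summarise(lines):
    """Aggregate request count, error count and bytes per (day, account)."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; production code should count these too
        day, acct, status, nbytes = rec
        s = stats[(day, acct)]
        s["requests"] += 1
        s["bytes"] += nbytes
        if status >= 400:
            s["errors"] += 1
    return stats


def find_anomalies(lines):
    """Return sorted (day, account, reasons) tuples for accounts over a limit."""
    alerts = []
    for (day, acct), s in summarise(lines).items():
        reasons = []
        if s["bytes"] > DAILY_BYTES_LIMIT:
            reasons.append(f"volume {s['bytes'] / 2**30:.1f} GiB")
        rate = s["errors"] / s["requests"]
        if s["requests"] >= MIN_REQUESTS and rate > ERROR_RATE_LIMIT:
            reasons.append(f"error rate {rate:.0%}")
        if reasons:
            alerts.append((day, acct, reasons))
    return sorted(alerts)


# Constructed sample: one routine advisor, and one account pulling 31 x 300 MiB
# (about 9 GiB) with 69 of 100 requests failing, mirroring the CNIL's figures.
SAMPLE_LOG = [f"2024-02-06T09:{i:02d}:00Z account=adv-017 status=200 bytes=2048"
              for i in range(15)]
SAMPLE_LOG += [f"2024-02-06T02:00:00Z account=adv-042 status={200 if i < 31 else 500}"
               f" bytes={300 * 2**20 if i < 31 else 0}" for i in range(100)]
```

Running such an aggregation on a schedule is the "regular automatic monitoring of logs" the rapporteur found missing; the thresholds would be tuned to each population's observed baseline.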

Finally, the CNIL insists on the importance of limiting access authorizations to the needs and functions of employees.

It notes that the advisors' account settings had been defined too broadly, allowing them to access the data of people they were not supporting, which increased the volume of data accessible to the attackers.

The CNIL justifies the amount of the penalty by France Travail's choice not to implement the recommendations of its impact analysis, which led to the compromise of the personal data of more than 36.8 million people, including data subject to special protection such as the NIR (the French national registration number), which presents specific risks of identity theft or file interconnection owing to its significant, unique and permanent nature.

It may seem obvious to conclude that one should not wait for a data breach to ensure the security of a system.

It should also be noted that the CNIL regularly sanctions breaches of the security obligation without these necessarily being the cause of a data breach, such as an insufficiently robust password policy.

Data security was also among the main subjects of sanctions by the supervisory authority in 2025, as indicated in its report published at the beginning of February.


A data leak that went unnoticed for eighteen months has hit one of the main digital trust companies in France.

The identity verification and fraud prevention platform Sumsub reports having suffered "a security incident" in July 2024.

The company has just become aware of the intrusion following a security audit, carried out in January 2026. The cyberattack is based, as in the case of France Travail, on the compromise of a third party.

The compromised data includes names, email addresses, and phone numbers.

On December 30, 2025, the CNIL imposed a fine of 3.5 million euros on a company whose name it, regrettably, withholds, for having transmitted, at regular intervals for six years, the data of members of its loyalty program to a social network for advertising targeting purposes, without valid consent.

Following a public consultation, the CNIL published on January 16 its recommendations on collecting multi-device (cross-device) consent in the context of the use of cookies and other trackers.

The objective is to help stakeholders obtain consent that complies with GDPR requirements, and in particular to ensure transparent consent collection.

The Commission also published on January 14 two maps listing the certifications and codes of conduct approved by national authorities or by the European Data Protection Board (EDPB) since the entry into force of the GDPR, to facilitate the identification of available compliance tools.

Finally, in the context of the municipal elections of March 15 and 22, the CNIL reminds us of good practices in political canvassing and reactivates its election observatory.

Established in 2012, its objective is to ensure that political parties and candidates take data protection legislation into account in their practices.

In particular, it allows for the monitoring of requests addressed to the CNIL in the context of electoral campaigns, such as requests for advice from candidates or reports of bad practices.

At the beginning of February, the State made three commitments in favor of digital sovereignty:

  • Regarding health data, it launched a call for tenders to entrust the health data of French citizens to a "secure European platform".
  • More generally, the State is committed to massively directing its public purchases towards French and European solutions, investing 4.5 billion euros in them.

According to David Amiel, Minister Delegate for the Civil Service, "There is an urgent need to detoxify ourselves from American solutions."

  • Finally, a recently published Circular from the Prime Minister specifies that administrations should favour market solutions (rather than developing internally) provided that they meet the criteria of sovereignty and security.

The Council of State ruled in favour of the CNIL on January 30, 2026, in the context of a dispute concerning algorithmic surveillance which pitted it against the city of Nice.

It confirms that the algorithmic processing of images from CCTV cameras placed at the entrance of schools, implemented by the municipality, is not authorized under current law.

While it permits the implementation of video surveillance systems in public spaces, the Internal Security Code, by its silence, cannot "be interpreted as authorizing the implementation of algorithmic processing enabling systematic and automated analysis of images collected in public spaces by means of such systems. No other provision authorizes the implementation of such processing."

“Accidental” Americans are asking the CNIL to suspend the transfer of their banking data to the United States.

In accordance with the Foreign Account Tax Compliance Act (FATCA), French banking institutions must transmit a great deal of sensitive data about these individuals to the American tax authorities in order to combat possible fraud – Americans must indeed declare their income in the United States regardless of where in the world they reside.

The Association of Accidental Americans denounces the current agreement between the United States and France which governs the conditions for sharing this information.


European institutions and bodies

On January 20, 2026, the European Commission proposed a new package of cybersecurity measures aimed at strengthening the EU's resilience and improving its ability to manage threats.

The project includes a proposal to revise the cybersecurity regulation, which strengthens the security of EU information and communication technology (ICT) supply chains.

It ensures that products intended for EU citizens are cyber-secure from the design stage through a simplified certification process.

It also facilitates compliance with existing EU cybersecurity rules and strengthens the European Union Agency for Cybersecurity (ENISA) in its role of supporting Member States and the EU in managing cybersecurity threats.

The European Commission and Brazil adopted two mutual adequacy decisions on January 27, confirming that their levels of data protection are comparable.

"Recognizing the high standards of data protection that safeguard consumers and citizens on both sides, these agreements now allow businesses, public authorities, and researchers to freely exchange data between the EU and Brazil."

The Commission opened a new formal investigation against X on January 26 under the Digital Services Regulation (DSA).

It suspects that the Grok features integrated into X carry unassessed and unmitigated risks of generating and distributing illegal content, such as sexually explicit manipulated images, including content that may constitute child pornography.

It also extended the formal proceedings initiated in December 2023 against X to determine whether the company has properly assessed and mitigated all systemic risks related to its content recommendation systems.

Also on January 26, the European Commission officially designated WhatsApp as a very large online platform (VLOP) under the DSA, as its "Channels" feature reaches the required threshold of at least 45 million users in the EU.

Meta has four months, until mid-May 2026, to ensure that WhatsApp complies with the additional obligations imposed by the DSA.

These obligations include assessing and mitigating any systemic risks, such as violations of fundamental human rights and freedom of expression, election manipulation, the dissemination of illegal content, and privacy issues, arising from its services.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted on January 21 a joint opinion on the European Commission's proposal for the "Digital Omnibus on AI", which aims to simplify the implementation of certain harmonized rules provided for in the AI regulation in order to ensure its effective application.

Both authorities support the objective of addressing the practical challenges related to implementing the legislation, but stress that administrative simplification must not reduce the protection of fundamental rights. Regulators believe that some of the proposed amendments could compromise the protection of individuals in the context of AI.


News from the member countries of the European Union.

In Greece, the Data Protection Authority (DPA) has issued a warning against the deployment of a "smart policing" system involving the use of smart wearable devices by patrols to determine and verify the identity of citizens undergoing on-the-spot checks using biometric data. The DPA considers this processing illegal because it is not specifically provided for by current legislation.

The Spanish Data Protection Authority (DPA) has fined the IDCQ Hospitals and Health group €1,200,000 for deleting patient data too quickly, which prevented it from fulfilling its obligation to inform the individuals concerned.

The Norwegian Data Protection Authority (DPA) has fined Timegrip AS 250,000 NOK (approximately €25,000) for unlawfully denying former employees access to their working time records after their employer went bankrupt, and for falsely presenting itself as a mere processor when it exercised effective control over the personal data.

In particular, Timegrip assumed the status of responsible party after the bankruptcy, being the only entity exercising technical and practical control over the data.

The president of the Polish Data Protection Authority (DPA) imposed an administrative fine of 978,000 PLN (€250,000) on Poczta Polska SA for failing to guarantee the independence of the data protection officer (DPO).

The supervisory authority found that the company had allowed a conflict of interest in the performance of the DPO's duties.

In the UK, the DPA fined ZMLUK Limited, a financial brokerage and advertising agency, £105,000 (€120,000) for sending more than 67 million unsolicited direct marketing emails without the consent of the individuals concerned and without a valid exception.

The Swedish Data Protection Authority (DPA) has fined Sportadmin i Skandinavien AB, a subcontractor providing digital services to sports clubs and associations, 6,000,000 SEK (€560,000) after a cyberattack exposed the personal data of more than 2.1 million people.

The subcontractor was found guilty of failing to implement sufficient security measures, in violation of Article 32 of the GDPR.

The Swiss government wants to expand online surveillance by revising an ordinance on the surveillance of postal correspondence and telecommunications.

The proposal would significantly increase the amount of personal data held by requiring large communications service providers to retain metadata and by imposing user identification requirements on virtually all service providers.

These organizations should retain this data for at least six months and help law enforcement decrypt its content. Nineteen civil society organizations have sent a letter to the Swiss Federal Department of Justice and Police expressing their concerns.


On February 3, 2026, the United States House Judiciary Committee published a report attacking the European Digital Services Act (DSA), calling it a tool of censorship: "The threat of foreign censorship, part II: Europe's ten-year campaign to censor the global internet and its harmful consequences for freedom of expression in the United States".

In this report, several European NGOs, including Bits of Freedom and Justice for Prosperity, are described as "censorship NGOs".

Five sanctions, previously reported in this newsletter, have already been imposed in the form of entry bans to the United States against Europeans involved in the application of the DSA, research and criticism of the power of platforms.

The European Commission responded through its spokesperson by recalling that the DSA puts responsibility where it belongs, namely on online platforms.

Australia's ban on social media for minors under 16 has become an international model, despite the shortcomings identified in the early stages of its implementation. The European Union, the United Kingdom and the United States are thus closely monitoring the Australian experience, with some countries having already introduced similar legislative proposals, as noted by the IAPP (International Association of Privacy Professionals) in an article dated February 5.
