Legal Watch

Video surveillance, the main target of CNIL sanctions

Legal Watch No. 88 – October 2025. 


In October, the CNIL took stock of its simplified sanction procedure.

The 16 sanctions imposed since last May came with fines totalling €108,000, on top of the €104,000 from the 10 decisions issued since January.

In addition to video surveillance, the sanctions cover commercial prospecting carried out without the consent of the persons concerned and failures to respond to requests to exercise the rights provided for by the GDPR (right of access, rectification or objection).

Video surveillance remains the major theme of sanctions, particularly when it takes place in the workplace.

The CNIL systematically points out the failure of data controllers to comply with the principle of data minimization.

A pharmaceutical company and a hospital were sanctioned for filming union premises and their direct access routes, in breach of Article 5(1)(c) of the GDPR, which requires that data be adequate, relevant and limited to what is necessary for the purpose pursued.

The CNIL reminds us that CCTV cameras installed in workplaces, whether open to the public or not, must respect the privacy of employees.

"Cameras must under no circumstances film union premises or their direct access points."

Any excessive infringement on the privacy of the persons filmed thus contravenes this principle of minimization, as the CNIL also noted in a boarding school whose video surveillance system filmed students during breakfasts and in the courtyard.

Cameras may only be installed in the workplace:

  • if they pursue a legitimate objective, such as the safety of property and people,
  • in delimited, non-intrusive areas such as building entrances and exits, passageways or warehouses.

Security and transparency obligations also apply:

  • Access to the images must be secured and restricted to authorized personnel, and the recordings must be kept for a limited period, from a few days to one month in principle.
  • The data controller must inform and consult employee representatives beforehand, and display a notice for employees and the public.

Exceptions remain possible regarding transparency obligations: in exceptional circumstances and under certain conditions, the data controller may temporarily install cameras not visible to employees, provided that the compatibility of the device with the GDPR is analyzed and that it is able to justify it.

It was for lack of such a prior analysis, and because its DPO was not involved in setting up a concealed video surveillance system, that La Samaritaine was sanctioned by the CNIL last September.

The company had reported thefts in its stockrooms and explained that the system was temporary, but it had neither carried out any prior analysis nor documented the temporary nature of the installation.

This failure to maintain the balance between the objective pursued and the protection of employees' privacy resulted in the company being fined €100,000.

Finally, it should be noted that for places accessible to the public, the device must be authorized by the prefect of the department, or the police prefect in Paris.


The Court of Auditors published a report on October 31st on "the sovereignty issues of the State's civilian information systems".

It makes several observations:

  • Some ministries use non-European IT solutions, sometimes for sensitive data, to the detriment of digital sovereignty.

In this regard, the report cites the health data platform, which has been hosted for more than five years by an American company.

It also notes that private operators offer public service applications without being subject to the same obligations as the State.

  • There is no mapping of sensitive data by administration, which would constitute a reference framework allowing identification of those whose sovereignty must be preserved as a priority.
  • The adoption of sovereign cloud computing by government agencies remains limited, internal state clouds struggle to reach sufficient scale, and reconciling sovereignty requirements with performance imperatives proves complex.
  • DINUM manages two sovereign infrastructures: the interministerial network of the State (RIE) and the digital identity system (FranceConnect), considered to be successes even if progress is still needed, particularly in terms of resilience.
  • Beyond controlling sensitive data, the State does not seek total sovereignty, but rather to establish a sufficiently high level of trust by using public procurement, pooling of purchases and validation by ANSSI to limit risks.

On October 15, the Council of State upheld an €8,000,000 fine imposed by the CNIL on Apple for processing the data of French users for personalized advertising purposes without their consent.

  • The Council of State considered that the sanction was not disproportionate, given the number of people concerned — nearly 27.5 million users between July 2020 and July 2021 — and the economic weight of the group.
  • It also confirmed the CNIL's jurisdiction over Apple's activities in France, rejecting the company's argument that only its Irish entity fell within the jurisdiction of a European regulator.

The Ministry of Labour and Solidarity, the CNIL and the AFCDP have entrusted Afpa with carrying out a new survey for the DPO profession observatory, on the impact of AI on the profession.

The survey explores AI governance models within organizations, the role of the Data Protection Officer (DPO), the main challenges faced by DPOs, and their needs in terms of tools and training. The results will be published in the first half of 2026.

On October 28, the CNIL published the report of its event of May 20, "GDPR: what economic impact?". 

The event brought together economists as well as French (CNIL) and European (UK data protection authority, European Commission) regulators, contributing to the ex post evaluation of the implementation of the GDPR.

Asked by retail-sector players about the portability of loyalty programme data, the CNIL also specified in mid-October what information must be transmitted, in particular the barcode and the data on the promotions to which customers have had access.


European institutions and bodies

The amendments to the GDPR planned in the Digital Omnibus could go further than initially announced, according to an informal draft of the document circulated by the press.

The proposal, expected to be officially published on November 19, would clarify (while narrowing) certain key definitions, relax certain privacy rules, and authorize the use of personal data for AI training.

Civil society has already reacted by highlighting the dangers of such a simplification for fundamental rights.

On Thursday, October 9, the European Commission announced the launch of a public consultation on its draft guidelines on the interaction between the Digital Markets Act (DMA) and the GDPR.

This project was developed in collaboration with the European Data Protection Board (EDPB).

Article 5(2) is at the heart of these guidelines: the DMA requires "gatekeepers" to obtain user consent for sharing their data between different services, but it does not define the precise conditions of this consent.

The text now specifies that this consent must be valid within the meaning of the GDPR, but above all that it must be requested separately for each distinct processing purpose (content personalization and targeted advertising).

The consultation is open until December 4th.

On October 24, the European Commission concluded on a preliminary basis that Meta and TikTok were in breach of the Digital Services Act (DSA).

Both companies fail to give researchers adequate access to publicly available data.

The Commission also concludes on a preliminary basis that Facebook and Instagram have failed in their obligations (1) to provide users with simple mechanisms to report illegal content, such as child pornography or terrorist content, and (2) to allow users to effectively challenge content moderation decisions made by Meta.

TikTok and Meta may now examine the investigation file and respond to the preliminary findings.

The European Commission has published its sovereign cloud framework for public procurement authorities.

The document draws on several European initiatives, including the European cybersecurity certification framework (ENISA, NIS2, DORA).

It also refers to national policies such as the "cloud au centre" doctrine in France, with ANSSI's SecNumCloud qualification, and the German Sovereign Cloud.

The Commission proposes a sovereignty score for cloud offerings, based on several criteria, which is drawing mixed reactions.

The method does not satisfy the European cloud providers gathered within the CISPE association, who consider it opaque and, as it stands, favourable to foreign players.

Members of the European Parliament are calling for a DSA investigation into Shein, Temu and AliExpress.

Following the opening of an investigation by the Paris prosecutor's office into these companies for the sale of "child-like sex dolls", more than 40 MEPs have urged the Commission to launch an investigation, according to Euractiv.

The CSAM proposal for a regulation to prevent and combat child sexual abuse was again on the agenda of the Council of the EU meeting on October 14.

Germany, previously a strong supporter of the text, having withdrawn its support for the draft regulation, the vote was postponed.

The controversial proposal provided for scanning communications on the user's terminal before sending them, an element removed by the Danish Presidency of the Council in order to obtain sufficient support from Member States.

Denmark would nevertheless intend to extend indefinitely the current temporary authorization for CSAM “voluntary” analyses and “high-risk service providers […] could still be required to take steps to develop relevant technologies to mitigate the risk of sexual abuse of children identified on their services”.

EU interior ministers are due to meet again in early December.

At its October plenary meeting, the EDPB chose the theme for its fifth coordinated action on controls, which will focus on compliance with the transparency and information obligations provided for by the GDPR.

The regulation requires that data subjects be informed when their data is processed (Articles 12, 13 and 14).

The EDPB reiterates that this right to information is a central element of transparency and guarantees individuals better control over their data.

Participating data protection authorities will join this action on a voluntary basis in the coming weeks, and the action itself will be launched during 2026.

An investigation into personal data brokers, conducted by the Belgian daily L'Echo, the German specialist publication Netzpolitik.org, the Dutch radio station BNR, the German radio station BR and Le Monde, shows the extent of the surveillance made possible by geolocated advertising data.

This data, obtained by "Le Monde" and its partners, made it possible to identify and track several European Union dignitaries, sometimes even to their homes.

 

News from the member countries of the European Union

The German state of Schleswig-Holstein has abandoned its government email and calendar systems in favor of open-source software.

The migration, which lasted six months, replaced Microsoft Exchange and Outlook with Open-Xchange and Mozilla Thunderbird.

The transfer involved more than 40,000 email accounts and more than 100 million messages and calendar entries.

In Austria, the NGO Noyb reports that the data protection authority has issued a ruling concluding that Microsoft 365 Education illegally tracks students and uses their data for Microsoft's own purposes.

The software giant also did not respond to a request for access relating to Microsoft 365 Education, which is widely used in European schools.

An Austrian court has upheld a €1,500,000 fine imposed on IKEA for illegal and excessive video surveillance in and around one of its stores, which recorded, among other things, customers entering their PIN codes.

It thereby overturned a decision by the data protection authority which had held only the seller responsible for the violations committed during the purchase process.

In Belgium, the Belgian Data Protection Authority (APD) also reprimanded a company for illegally retaining the email address and phone number of a former employee after their employment contract had ended. The APD found that the data controller had violated several provisions of the GDPR, including the principle of purpose limitation, the principles of data minimization and storage limitation, the principles of informing the data subject, and the right to erasure.

Finally, there was no longer any legal basis to continue processing this data.

In Spain, the data protection authority (AEPD) fined a financial services company (Servicios Financieros Carrefour) €1,500,000 for failing to ensure the security and confidentiality of data processing, in the context of a data breach that led to the sending of numerous phishing emails.

In Ireland, the appointment of former Meta lobbyist Niamh Sweeney as commissioner of the Irish data protection authority has recently attracted renewed attention.

The Irish Council for Civil Liberties (ICCL) filed a complaint against Ireland with the European Commission on October 25, alleging that Ireland had not provided sufficient guarantees of the independence and impartiality of its appointment process.

The European Commission reportedly replied that it has no competence over national appointments to data protection authorities.

The Dutch Data Protection Authority (AP) has fined Experian Nederland €2.7 million for multiple violations of the GDPR.

Until January 1, 2025, Experian provided its clients with creditworthiness assessments for which it collected data on, for example, negative payment behaviour, unpaid debts or bankruptcies.

The AP found no valid legal basis for the collection of the information and a failure to inform the persons concerned.

The company had to cease its operations in the country and pledged to delete its entire personal database before the end of the year.


The UK data protection authority (ICO) has fined a business services provider specializing in pension administration, and its subcontractor, £8,000,000 and £6,000,000 respectively, following a cyberattack that allowed unauthorized third parties to access the data of more than 6 million people.

The ICO found a lack of appropriate security measures.

The IAPP reports that, for the first time since 2019, the International Organization for Standardization has updated ISO 27701, its standard for privacy information management systems.

The standard is now a self-contained management system standard, meaning that organizations no longer need an ISO 27001-certified information security management system (ISMS) in order to be certified.

Those that already have an ISMS will, however, be able to integrate the two management systems.

The standard sets out the high-level requirements for implementing a PIMS (privacy information management system), which any organization seeking certification must meet.

Although it cannot be considered a substitute for legislation, it remains closely aligned with the EU and UK GDPR.

In the United States, immigration police scan people's faces in the street to verify their citizenship.

According to the American outlet 404 Media, videos circulating on social media show ICE (Immigration and Customs Enforcement) and CBP (Customs and Border Protection) agents using facial recognition technology on passers-by in the field.

The application used, Mobile Fortify, reportedly matches faces against a database of 200 million images drawn from FBI, State Department and other agency databases.

The application could also perform cross-searches on vehicles, phones, addresses and firearms.

While the Department of Homeland Security refuses to confirm or deny the capabilities of “Mobile Fortify”, CBP reportedly acknowledges relying on “various technological tools to enhance the effectiveness of agents”.

Competition is growing to integrate AI into web browsers and to challenge the dominant position of Google Chrome.

Microsoft has thus integrated its Copilot AI assistant into the Edge browser.

The proposed "Actions" let Copilot fill out forms or book hotels, and "Journeys" let it trace the links between the tabs the user has opened.

Microsoft's announcement came two days after a similar launch by OpenAI, which unveiled its new Atlas browser, visually very similar to Microsoft's.
