CNIL Strategic Plan 2025
Jan 21, 2025
The CNIL has published its strategic plan for the period of 2025-2028. This is typical of the CNIL, which regularly informs its stakeholders of its priorities.
For the period of 2025-2028, the CNIL will focus its efforts on 4 main areas at the heart of the development of the digital society: Artificial Intelligence (AI), the protection of minors online, cybersecurity and two digital uses: mobile applications and digital identity.
Artificial Intelligence (AI)
AI is a data-intensive technology which raises a number of privacy and cybersecurity issues.
In addition to producing recommendations and guidelines for players in the AI sector, the CNIL intends to continue its conversations surrounding the technology. However, it is also planning a more repressive approach involving compliance checks on artificial intelligence systems. Developers, as well as deployers, are being warned that they must document their compliance in anticipation of a possible inspection.
Protection of minors
Minors have always been considered to be particularly vulnerable to technology and the youth of today are ultra-connected.
The CNIL intends to educate young people, without forgetting to participate in the creation and implementation of technical means to protect minors. In this respect, we can reasonably anticipate the application of the provisions of Article 8 of the GDPR, which require parental consent for the processing of data on minors under the age of 13 (15 in France under Article 45 of the French Data Protection Act). It is highly likely that the CNIL will also be vigilant about the implementation of age verification technology by online services that are obliged to do so (for example, online communication services allowing access to pornographic content or JONUM operators, etc.) and it is expected that operators offering online services to minors will be particularly scrutinised.
Cybersecurity
The year 2025 will see the gradual entry into force of significant provisions from the European Union's cybersecurity policy, notably with the transposition of the NIS 2 directive at Member State level and the introduction of the EU regulation on cyber resilience.
The CNIL’s work is a useful reminder that the protection of personal data requires the implementation of high security standards for IT systems. As a reminder, in 2023, a third of the penalties handed down by the CNIL were for breaches of the security obligation and 60% of the notifications sent to the CNIL were the result of hacking (Source: Cybersécurité 2024 - CNIL).
Mobile applications and digital identity
The CNIL plans to continue monitoring the compliance of players in the mobile application value chain. This is to be expected, as after publishing comprehensive recommendations [1] for professionals in September 2024, the CNIL will want to ensure, from 2025 onwards, that these recommendations are taken into account and will do so through a specific campaign of controls.
The European regulation establishing the European framework for a digital identity was published in April 2024. This regulation, known as "eIDAS2", enables the creation of a digital identity portfolio. There is no doubt that the CNIL will ensure that the rules protecting personal data are applied in the implementation of this new framework.
While the CNIL sets out its objectives for the next three years, it also outlines the means it will use to achieve them.
This involves, first and foremost, continuing the dialogue between the regulator and its stakeholders. The CNIL has also indicated that it intends to diversify its range of services. Secondly, the CNIL will continue to advise companies and individuals on issues relating to the processing of personal data. Finally, the CNIL clearly indicates that it wishes to increase the number and variety of its repressive measures. This confirms our analysis of the future increase in the number of sanctions (in particular thanks to the development of the simplified sanction procedure) but also in the amount of fines handed down by the CNIL, alone or as part of a cooperation procedure with other European authorities.
If you are affected by one or other of the CNIL's priorities for action, don't wait to comply.