Data leaks of "unprecedented magnitude" in 2024, the CNIL announces that it will raise its voice

The regulator, which is publishing its annual report on Tuesday, will require companies and public bodies that hold databases of more than two million people to implement two-factor authentication, considered more reliable than a password alone.
All employees, service providers and subcontractors who connect remotely to these services will not only have to identify themselves in the traditional way but also use a second means of identification, such as a code received by SMS (the weakest of the common second factors, since SMS can be intercepted or the number hijacked, but still a large improvement over a password alone).
Worse in 2025?

"What concerns us is that the number of breaches involving databases of more than a million people has doubled between 2023 and 2024," explains Marie-Laure Denis, who has headed the institution since 2019.
The trend is accelerating: the authority responsible for protecting French privacy had already recorded more than 2,500 data breaches in the first quarter of 2025, almost half of what it recorded for the whole of 2024 (5,629).
Its president estimates that "80% of major data breaches" recorded last year "could have been avoided" with two-factor authentication, coupled with the implementation of tools to detect mass extractions of this information or even greater awareness among employees.
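The two technical controls named above (a second factor for remote access, and tooling that spots mass extraction) are easy to state and rarely shown. The following is an added example, not code from the article or from the CNIL: it runs two checks over a constructed access log, flagging remote logins that completed without a second factor and accounts whose record reads exceed a threshold within a sliding time window. The log format, field names (`src`, `mfa`, `records`), the 10-minute window and the 50,000-record limit are all assumptions; a real deployment would take these from its own audit logs and calibrate the limit against normal per-account volumes. The window logic generalises slightly beyond the text, which only says "mass extractions", by treating the volume as a rate rather than a single count.

```python
"""Added example: MFA-gap and mass-extraction detection over constructed log lines.
Log format, field names and thresholds are assumptions, not any product's real format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line, sorted by time.
SAMPLE_LOG = """\
2025-05-12T08:01:10Z login user=alice src=remote mfa=true
2025-05-12T08:02:30Z login user=bob src=remote mfa=false
2025-05-12T08:03:00Z read user=alice records=120
2025-05-12T08:04:00Z read user=alice records=90
2025-05-12T08:05:00Z read user=bob records=40000
2025-05-12T08:06:00Z read user=bob records=35000
2025-05-12T08:07:00Z read user=bob records=30000
2025-05-12T09:30:00Z read user=carol records=60000
"""

# Assumed thresholds; calibrate against each application's normal per-account volume.
MAX_RECORDS_PER_WINDOW = 50_000
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse '<timestamp> <event> k=v k=v ...' into a dict (assumed format)."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def remote_logins_without_mfa(lines):
    """Users who logged in from a remote source without completing a second factor."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e["event"] == "login" and e.get("src") == "remote" and e.get("mfa") != "true":
            flagged.append(e["user"])
    return flagged


def mass_extraction_alerts(lines, limit=MAX_RECORDS_PER_WINDOW, window=WINDOW):
    """Return {user: peak records read within any sliding window} for users over the limit.

    Assumes lines arrive in time order. Each user's reads are kept in a deque; reads
    older than the window are evicted from the running total before the check.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, record_count)
    running = defaultdict(int)    # user -> records read inside the current window
    alerts = {}
    for line in lines:
        e = parse_line(line)
        if e["event"] != "read":
            continue
        user, ts, count = e["user"], e["ts"], int(e["records"])
        q = recent[user]
        q.append((ts, count))
        running[user] += count
        while q and ts - q[0][0] > window:      # drop reads that fell out of the window
            _, old = q.popleft()
            running[user] -= old
        if running[user] > limit:
            alerts[user] = max(alerts.get(user, 0), running[user])
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("remote logins without MFA:", remote_logins_without_mfa(lines))
    print("mass extraction alerts:", mass_extraction_alerts(lines))
```

On the sample log, `bob` is flagged twice: once for a remote login with no second factor, and once for reading 105,000 records inside ten minutes; `carol` trips the volume check with a single 60,000-record read, which is why the check must look at volume and not only at request frequency. An account that exceeds the limit is a candidate for blocking the session and alerting, not proof of a breach; legitimate batch jobs need a separate, explicitly approved identity so they never share a threshold with interactive users.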
Among the organizations that have been affected: France Travail, the operator Free, the large distribution group Auchan and the third-party payment operators Viamedis and Almerys.
After a period of adaptation, the head of the CNIL promises "massive controls" from 2026.
Last year, the authority more than doubled the number of penalties issued, from 42 in 2023 to 87 in 2024, for a total of €55.2 million in fines. The regulator also began monitoring the use of personal data by mobile applications, just as it already requires websites to let visitors explicitly accept or reject third-party cookies.
"There have been scandals, we must not hesitate to say, concerning the exploitation of sensitive data without users' consent," says Marie-Laure Denis, citing dating apps in particular, "which prompted us to address this issue."
"We will check that you are informed about the data collection that is done when you download or use an application, we will check whether this data is used for advertising prospecting," she explained, highlighting the fact that "each French person downloads around 30 applications per year."
At the same time, the CNIL has also placed generative artificial intelligence (AI), a technology based on the massive exploitation of data, often personal, at the heart of its concerns.
"We're working a lot with (AI) stakeholders to try to see what technologies to implement, so that there is, for example, a filter at the time of data regurgitation," says Marie-Laure Denis, so that some of it "can be erased."
She also welcomes the fact that European users of Meta's platforms (Facebook, Instagram) can refuse to have their public data used to train the American giant's AI, provided they complete an online form by May 27.
While, according to an Ifop/Talan barometer published in April, 45% of French people surveyed say they use generative AI on a daily basis, the president of the CNIL warns about the data shared during exchanges with these conversational agents, such as ChatGPT from the American company OpenAI or Gemini from Google.
SudOuest