CNIL has done it again. It is the second most active regulator deploying multi-million dollar fines in Europe behind the GDPR. The French data protection authority, known as the Commission Nationale de l’Informatique et des Libertés (CNIL), issued a fine of €1,700,000 against NEXPUBLICA FRANCE. This sanction addresses serious failures in implementing robust technical and organizational safeguards for personal data processed through the company’s software platform.

NEXPUBLICA FRANCE (formerly INETUM SOFTWARE FRANCE) develops and supports a software system called PCRM, which serves as a customer relationship and case management tool for social services organizations, including certain Departmental Houses for Disabled People (Maisons départementales des personnes handicapées).
A series of data exposure incidents was reported in late November 2022, when several entities using PCRM discovered that users were able to access personal documentation pertaining to individuals other than themselves. These reports triggered a formal CNIL investigation.
The CNIL’s investigation found that NEXPUBLICA FRANCE’s security measures were insufficient to protect personal data in accordance with Article 32 of the GDPR, which requires data controllers and processors to implement security measures appropriate to the risks associated with the processing. The authority concluded that key vulnerabilities were not addressed proactively and that corrective action was taken only after security incidents had occurred.
When determining the level of the fine, the CNIL’s restricted committee considered multiple factors, including the company’s financial position, the number of affected individuals, the sensitivity of the compromised data (which included information related to individuals’ disabilities), and the absence of fundamental safeguards that should have been in place. Although the company has since remediated many of these issues, the CNIL deemed the initial lack of adequate protections significant enough to justify the substantial sanction.
Other Recent CNIL Sanctions
The CNIL regularly uses its enforcement powers to impose sanctions for violations of data protection laws, including the GDPR and the French Data Protection Act. In 2024 and 2025, the authority has issued a range of fines — from major sanctions against large multinational firms to simplified penalties applied through expedited procedures for smaller violations.
Record Fines for Cookie Compliance Violations
In September 2025, the CNIL levied two of the largest penalties in its recent history against major global internet companies for failures in cookie and tracking consent practices:
- Google was fined €325 million for placing advertising cookies and displaying advertisements inside Gmail inboxes without securing valid user consent, which affected millions of users in France. Users were not adequately informed, and cookie placement was tethered to the creation of Google accounts without clear consent mechanisms. The CNIL ordered Google to comply within six months or face an additional daily penalty.
- Shein, the online fashion retailer, received a €150 million fine for placing cookies on users’ devices without their prior consent and for failing to offer an effective opt-out mechanism. This sanction reflects the CNIL’s intensified focus on compliance with tracking and advertising regulations in digital commerce.
These fines underscore the CNIL’s strategy to enforce strict consent requirements for cookies and other tracking technologies under both the GDPR and the French Data Protection Act.
Additional Substantial Sanctions in 2025
Beyond cookie-related matters, the CNIL has issued other significant fines in 2025:
- American Express Carte France was fined €1.5 million for non-compliance with cookie regulations, including inadequate information to users and failure to obtain proper consent before depositing tracking technologies.
- Mobius Solutions Ltd, identified as a data processor involved in a data breach affecting music streaming service users, was fined €1 million for failing to ensure adequate data protection and breach prevention.
- SoLocal Marketing Services, a data broker, received a €900,000 fine for conducting commercial prospecting without a lawful basis and for transferring personal data to third parties without valid consent or legal justification.
- Caloga, another data broker, was fined €80,000 for similar commercial prospecting infringements, reflecting the CNIL’s oversight of marketing practices that involve personal data transfers without consent.
Simplified Sanctions for Smaller Violations
In addition to high-value sanctions, the CNIL uses a simplified procedure to address less severe or more technical breaches of data protection obligations. These may involve inadequate record-keeping, failure to notify data breaches, or shortcomings in basic transparency measures. Since January 2025, multiple simplified sanctions have been issued, cumulatively exceeding €100,000 in administrative fines. Many of these relate to video surveillance practices, commercial prospecting breaches, and cooperation failures when individuals exercise their data rights.
Broader CNIL Enforcement Landscape
The CNIL’s enforcement actions form part of a broader global trend of increasing regulatory scrutiny over data protection practices. Across Europe, supervisory authorities have leveraged GDPR enforcement powers to impose hundreds of millions, and in many cases billions, of euros in fines against entities ranging from multinational technology firms to smaller data controllers and processors. These actions reflect heightened expectations for consent mechanisms, data security, transparency, and user rights enforcement.