The CNIL publishes its annual report for 2023
General information and protection of individual’s rights, compliance support and advising, anticipation and innovation, investigations and sanctions: five years after the GDPR entered into application, the CNIL reviews the highlights of 2023, marked by a record number of complaints received and a rethought support policy.
The publication of its annual report gives the CNIL an opportunity to highlights its activities in relation to its four main missions: informing the public and protecting their rights, supporting compliance and advising professionals and public authorities, anticipating and innovating to build the digital world of tomorrow, and monitoring and punishing breaches of the General Data Protection Regulation (GDPR) and the law.
Download the CNIL 2023 activity report (in French)
Download the 2024 CNIL in a nutshell (in English)
Informing individuals and protecting their rights
In the spring of 2023, the CNIL decided to set up a public awareness campaign to complement its existing initiatives. Within this framework, the CNIL met with more than 2,500 people at conferences or workshops in 6 regions. Regarding digital education, the CNIL offered 81 presentations in 9 regions and met with 4,300 people, including 1,500 young people.
Number of complaints received from the general public increased in 2023. The CNIL received 16,433 complaints (+35% vs. 2022) and, for the second year in a row, processed as many complaints as it received. It also received 20,810 requests for indirect access rights (enabling access to certain banking or police files) via a dedicated online service, representing an increase of 217% in one year.
The cnil.fr website has seen a record audience, with 11.8 million visits, testifying to the ever-growing interest of the public – both professionals and individuals – in data protection, particularly regarding phishing, cookies and artificial intelligence. In addition, the CNIL noted a 35% increase in visits to its “Need help” (Besoin d’aide) frequently asked questions database, particularly on subjects relating to the national payment incident file (FICP) and criminal records.
47,111
calls answered during hotlines
11.8 millions
visits on CNIL’s websites
16,433
complaints received
20,810
admissible requests to exercise indirect rights received
Supporting compliance and advising
One of the CNIL's key missions is to support professionals achieving compliance.
In 2023, it strengthened its support strategy, focusing on artificial intelligence: on the one hand, through enhanced support for companies with strong economic or innovation potential; on the other hand, through the third edition of its "sandbox", dedicated this year to public service projects.
In addition to providing sector-specific and, in some cases, individual support (1,651 requests for advice received in 2023), the CNIL has produced 13 new reference documents: 5 new guides, 4 referentials, 2 recommendations and 2 reference methodologies for the health sector.
Finally, it continued to travel to the regions as part of the “GDPR Days” (Journées RGPD), meeting professionals and students in Reims, Rennes, Marseille and Toulouse.
13
new reference documents
including 5 guides, 4 referentials, 2 recommendations and 2 reference methodologies in health-related data processings.
An enhanced support for
3
innovative organisations
4
AI projects supported as part of the "personal data" sandbox
Anticipating and innovating
As in previous years, the CNIL continued to consolidate its close links with the world of research, in particular by organising the second edition of the Privacy Research Day, an international conference bringing together regulators and researchers.
In addition, as part of its role of anticipation and support, the CNIL has published a roadmap on artificial intelligence, based on 3 fundamental principles: guiding the development of privacy-friendly AI, bringing together and supporting innovative players, and auditing existing systems and protecting individuals.
Finally, in the current environmental context, it has become necessary to explore the intersections between data protection and the environment: this link is the subject of the 9th IP report from the CNIL's Digital Innovation Laboratory (LINC), Data, Footprints and Freedoms.
The CNIL also organised its air2023 ethics event, attended by 1,700 people both on-site and online. It published a booklet in 2024, covering the main themes and debates of the event, via interviews.
32
articles and case studies published on linc.cnil.fr
4,439
attendees at the Privacy Research Day
Investigating and issuing sanctions
The CNIL has actively continued its repressive activity: it carried out 340 investigations, mostly on-site and online, either on the basis of complaints or on its own initiative (priority topics, information published in medias, etc.).
42 sanctions were issued (twice as many as in 2022), including 36 fines totalling 89,179,500 euros. In addition, the Chair of the CNIL issued 168 formal notices and 33 reminders of legal obligations against organisations that had breached data protection regulations.
It was also the year in which the simplified procedure really took off. Created in 2021 to adapt procedures to cases that do not present any particular legal difficulty, the procedure enables the CNIL to act even more effectively in the face of an ever-increasing number of complaints. As a result, 24 sanctions - more than half of the total - were issued under this procedure.
340
investigations
42
sanctions
36
for a total amount of about 90 million euros