CNIL France: GDPR Technical Compliance

CNIL France: GDPR Technical Compliance

France's Strictest Privacy Regulator

France's data body is CNIL. It sets the EU's most exact privacy rules. Most EU regulators write broad guidance. CNIL goes further. It publishes precise technical specs called recommandations. These define what real GDPR compliance looks like.

Other EU regulators often copy CNIL's work. Key texts include the 2023 Guide pratique de l'anonymisation and the 2024 AI guidance.

The numbers show the agency is active. It handled 16,433 complaints in 2023. That is 43% more than 2022. It has issued about €150 million in GDPR fines since enforcement began.

AI Training: Six Record Types to Scrub

CNIL's 2024 AI guidance applies broadly. It covers any group that trains AI on French personal records. It also applies to those who serve French users with AI tools.

The agency lists six record types that need scrubbing before AI training:

1. Identifiants directs (direct IDs): Names, addresses, ID numbers. Remove or replace these before training.
2. Identifiants quasi-directs (quasi-IDs): Groups of traits that allow re-ID. Apply k-anonymity checks.
3. Données sensibles (special types): Health, biometric, political, and faith records. Isolate with added controls.
4. Données comportementales (usage records): Browse history and usage patterns. Aggregate or mask these.
5. Données inférées (inferred traits): AI-derived signals from usage. Apply purpose limits.
6. Données relatives aux mineurs (children's records): Any records linked to persons under 15. Run age checks and use strong scrubbing.

Using LLMs trained on scraped content? You need written proof. Show that your training records were reviewed and scrubbed. See our GDPR compliance guide for scope details.

The Anonymization Guide: Core Rules

The 2023 guide is the EU's most detailed text on this topic. It sets the bar for what counts as truly anonymous.

Approved techniques:

• k-anonymity — each record looks like at least k-1 others
• l-diversity — sensitive traits vary within each group
• Differential privacy — noise added to output stats
• Pseudonymization — a risk-reduction step, not true anonymization

Required records:

For each activity that uses scrubbing, CNIL expects a fiche d'anonymisation (anonymization record). It must include:

• The technique used and its key settings (k value, epsilon value)
• The result of a re-ID risk check
• The validation method (testing or external review)
• The person in charge and the review date

Re-ID risk check:

Before marking records as anonymous, run a formal check. Ask: could a motivated person re-ID this? Look at what auxiliary datasets exist. Consider the full context.

French PII: What Your Tools Must Find

French rules require French-language PII coverage. Your tools must detect French-specific ID types.

Key IDs to cover:

• NIR: 15 digits (13 base + 2-digit key). This is the French Social Security Number.
• Carte vitale number: Health insurance card ID.
• SIRET/SIREN: Business IDs found in personal files.
• Numéro d'ordre professionnel: Registry numbers for doctors, lawyers, and accountants.
• CNI (Carte nationale d'identité): French national ID card number.

French NER models must handle French name patterns. These include compound names (Jean-Pierre), particles (de, du, des), and hyphenated surnames. See our multilingual PII detection guide for how to cover all locales.

Enforcement: What Gets Fined

The agency's fines follow a clear pattern. They target missing technical controls. Poor process alone is rarely the main issue.

Clearview AI — €20M fine (2022): The firm processed biometric records of French people without a legal basis. Records were scraped from public web sources. The case confirmed: bulk web-scraping for AI training needs an explicit legal basis.

TikTok — inquiry launched 2024: Focused on systems that may infer sensitive types from usage signals. This method is now the EU reference for AI audits.

Generative AI review (2024–2025): The agency reviewed LLM vendors in France. It focused on training content provenance. Vendors without proper records had to add controls.

Four Steps to CNIL Compliance

Handling French personal records? You need four things in place.

1. An anonymization record for each activity

Each activity that uses scrubbing needs its own record. Note the technique, its settings, a risk result, and a review date.

2. Pre-processing logs for AI

Log which PII detection tool you used. Note which entity types it found. Record what was removed or masked. Keep these logs ready for audits.

3. French-language PII coverage

Check that your tool finds NIR, carte vitale, and CNI numbers. Test your French NER model on real French names. Note any gaps. Record the controls you put in place to address them.

4. Provenance records for training content

For scraped content: document the source scrubbing check. For user records: document the user scrubbing process. Our security compliance overview shows how this fits a broader safeguard stack.

Groups with good records move through audits fast. Build your file now. Don't wait for an inspection to start.

Sources

• CNIL: Commission Nationale de l'Informatique et des Libertés
• CNIL: Guide pratique de l'anonymisation (2023)
• CNIL: Systèmes d'IA générative — recommandations (2024)