CNIL France: DPA PII Tool Requirements

CNIL France: DPA PII Tool Requirements

France's CNIL is the EU's most demanding data body. Most EU regulators write broad rules. CNIL goes further. It publishes precise technical guidance called recommandations. These set exact standards for anonymization and AI data use.

CNIL notices in 2024 often cited weak anonymization in AI systems. The agency took in 16,433 complaints in 2023. That was 43% more than in 2022.

CNIL Guidance Shapes EU Policy

CNIL's technical texts are widely cited by other EU DPAs. Two guides matter most.

Guide pratique de l'anonymisation (2023): This guide covers k-anonymity, l-diversity, and differential privacy. It shows how to use each method on French data. Sweden's IMY and other EU bodies cite it in their own rules.

AI systems guidance (2024): CNIL lists six data types that must be dealt with in AI training. No other EU DPA has gone this far on AI.

Cookie rules: CNIL's cookie guidance sets the highest technical bar for consent tools in the EU. It is updated often.

The NIR: France's Most Sensitive Identifier

The Numéro d'Inscription au Répertoire (NIR) — also called the numéro de sécurité sociale — is a 15-digit French social security number.

Its format is: S AA MM DD CCC OOO K

• S — 1 digit: sex
• AA — birth year
• MM — birth month
• DD — birth department (01–95, 2A/2B for Corsica, 97–99 overseas, 99 foreign)
• CCC — municipality code
• OOO — birth order
• K — 2-digit check key (97 − (NIR mod 97))

The NIR holds sex, birth date, and birth place in one number. CNIL treats it as high-risk. It needs the same care as special-category data under GDPR Article 9.

Why tools miss NIR: Generic NLP tools fail on NIR for three reasons. First, the 15 digits (often written without gaps) look like other long numbers. Second, digits 7–11 hold a department code. Tools that skip the mod-97 check let false positives through. Third, Corsican departments use 2A and 2B, not pure digits. Tools built for numeric-only patterns fail here.

Good NIR detection needs three things: mod-97 key check, a geographic codebook, and Corsica-aware rules.

See our security compliance overview for how identifier coverage fits a GDPR safeguard stack.

SIREN and SIRET: Business IDs in Personal Files

SIREN: A 9-digit French company ID with a Luhn check digit. It appears in all French commercial documents.

SIRET: A 14-digit number built from SIREN (9 digits) plus an establishment code (5 digits). SIRET names a site. SIREN names the company.

Business files often hold SIRET numbers next to staff names. CNIL treats SIRET plus a name as personal data. That pair triggers GDPR rules even with no separate personal data field.

Six Anonymization Steps for AI Training

CNIL's 2024 AI guidance covers six data types. Each must be handled before using French personal records in AI training:

1. Remove direct identifiers — Names, NIR, SIREN must be replaced or removed
2. Generalize quasi-identifiers — Age, department, profession can combine to re-identify people; reduce their precision
3. Add noise to numbers — Numerical fields need calibrated noise to block inference
4. Check k-anonymity — Each person must look like at least k-1 others; CNIL points to k ≥ 5
5. Check l-diversity — Sensitive attributes must vary within each group
6. Run a re-identification risk check — Use a documented method before any data release

Removing NIR and full name alone is not enough. CNIL has found this in enforcement. Quasi-identifiers like ZIP code and medical specialty also need treatment.

Our GDPR compliance guide covers the records French DPA audits expect to see.

Language Context for French PII Detection

France has several linguistic contexts that affect detection.

Standard French is the language of all official documents. NER models must handle accented letters: é, è, ê, ë, à, â, î, ô, û, ç, œ.

Overseas territories (DOM-TOM): Martinique, Guadeloupe, Réunion, Guyane, and Mayotte use NIR codes in the 97–98 range. Local name patterns differ from mainland France.

Alsace-Moselle: German-origin names and some German document formats appear in French records. Models trained only on standard French may miss these.

Cross-border use: Belgian French uses a different ID format. Tools used in France and Belgium need rules for each.

What Your Tool Must Cover

French compliance requires four technical abilities:

1. NIR with mod-97 check — Pattern matching alone fails. Tools must run the key check and handle 2A/2B codes.
2. SIREN/SIRET with Luhn check — Business IDs appear in personal files and create GDPR-covered name combinations.
3. French NER with full accent support — Must handle compound names (Jean-Pierre), particles (de, du, des), and accented characters.
4. Documented six-step process — Any AI training pipeline on French data needs a written record for each anonymization activity.

Sources

• CNIL: Commission Nationale de l'Informatique et des Libertés
• CNIL: Guide pratique de l'anonymisation (2023)
• CNIL: AI Governance Guidance (2024)