
CNIL 2025-2028 strategic plan: AI, Minors, Mobile Apps & Cybersecurity


Key takeaways

Anticipating the enforcement priorities of regulators may partly rely on their long-term trajectory and domestic dynamics, which differ from one country to another. This action plan reflects the CNIL’s ambition (i) to be appointed by the French government – if any – as THE regulator of artificial intelligence and the AI Act, (ii) to resist budget cuts and (iii) to stay attuned to individuals’ concerns that attract public support, especially those of families (minors, cybersecurity, AI), consumers (mobile apps and… AI) and employees (monitoring, right of access and… AI).

On January 16, the CNIL published its strategic plan for 2025-2028, focusing on four areas: mobile applications and digital identity, the protection of minors, cybersecurity, and, of course, AI.

The CNIL’s previous plan, for 2022-2024, was much less specific: it centered on (i) individuals’ rights, (ii) promoting the GDPR as a trusted asset for organizations, and (iii) prioritizing targeted enforcement actions for high-stakes privacy issues.

The CNIL’s new plan embraces multiple EU regulations beyond the GDPR and the ePrivacy Directive (AI Act, NIS 2, CRA, DORA, DGA), reflecting the French data protection authority’s ambition to demonstrate its capacity to conduct sophisticated technical investigations to ensure the strict application of privacy laws, notwithstanding other digital regulations… and regulators.

The strategic plan offers a clear overview of how stakeholders can expect to collaborate with the CNIL on innovation and how they will be affected by the CNIL’s actions.

1. Promotion of an ethical and rights-respecting AI

The CNIL plans to:

  • Take part in joint investigations with other regulators, particularly regarding large language models (LLMs).
  • Pursue investigations of AI tools used by the French administration, with a focus on video surveillance in public spaces.

These actions put a spotlight on private companies providing AI and cloud services to public entities.

The CNIL is also developing methodology and tools to assess the compliance of AI systems throughout their lifecycle stages. Once this is established, all AI entities may be subject to investigation.

The CNIL will rely on strategic partnerships with researchers, startups, providers, users, institutions, and regulators (at both national and EU level) to understand the technological advancements, usage, and economic challenges of the field. Following these contributions, the CNIL will pursue its actions to offer a comprehensive legal framework for stakeholders by:

  • Providing guides clarifying how the AI Act and the GDPR fit together.
  • Supporting innovative projects throughout their life cycle by promoting the use of emerging Privacy Enhancing Technologies (PETs).

2. Protection of minors and their data

The CNIL plans to:

  • Reinforce investigations of platforms used by minors, such as social media platforms, EdTech, video games, etc.
  • Prioritize investigations on compliance with advertising regulations and consent requirements.
  • Take part in joint investigations and coordinated actions with other regulators.

As digital tools are omnipresent in children’s lives, making them hyperconnected from a very young age, the CNIL is dedicating substantial resources to tackling this issue. The authority will actively collaborate with all relevant stakeholders (parents, educators, public actors, businesses, regulators, and international organizations) to promote a safer digital environment that supports children’s development.

3. Resilient cybersecurity systems for all stakeholders 

The CNIL plans to:

  • Increase investigations following data breaches to verify the implementation of appropriate corrective measures.

As the CNIL did not designate a specific sector of focus, all companies, regardless of their size, are subject to an investigation.


The CNIL will ensure consistent and harmonized implementation of the new regulations on cybersecurity, in collaboration with other regulators. It will integrate personal data protection requirements into European and international standards and certifications.

Additionally, the authority will develop training and tools tailored to SMEs, large companies, local authorities and individuals. The goal is to promote a security culture on the ground, helping individuals identify key risks, adopt essential reflexes and respond effectively in case of an incident.

Furthermore, the CNIL will contribute to the development of privacy-protecting technical solutions by supporting technologies that embed privacy by design in all applications, particularly PETs.

4. Safe mobile apps and digital identity 

The CNIL plans to:

  • Investigate the compliance of mobile apps, paying attention to practices involved in their deployment.
  • Investigate the implementation of digital identity services by public and private stakeholders.

All mobile app publishers and providers of digital identity services are concerned.

The CNIL will cooperate with regulatory authorities and EU counterparts responsible for the enforcement of the eIDAS regulation and the implementation of the European Digital Identity Wallet.

Moreover, new uses of privacy-preserving online identity and age verification solutions are to be expected, along with strong communication to raise awareness of good practices among individuals.

Authored by Sarina Singh, Rémy Schlich, Etienne Drouard.
