Legal news

The CNIL unveils its 2025-2028 Strategic Plan: key issues and lines of action

On January 6, 2025, the French CNIL presented its strategic plan, highlighting its priorities to meet the digital challenges of the coming years. The plan is structured around three major themes, along with related concerns such as smartphone applications and digital identity.

Artificial intelligence and the advent of generative AI

Artificial intelligence is revolutionizing all sectors of activity and raising many concerns of very different kinds: privacy breaches, vulnerability to cyber-attacks, and algorithmic biases. The rise of generative AI accentuates these risks by serving as a tool for misinformation on social networks and deep fakes.

To meet these challenges, the CNIL has set several priorities:

  • knowledge sharing and collaborative regulation: developing strategic partnerships (researchers, suppliers, institutions) and promoting privacy-protective practices;
  • legal clarification: providing pedagogical tools to support players in applying the European regulation on AI (AI Act) and encouraging privacy-enhancing technologies;
  • raising public awareness: providing information on AI-related rights and training citizens to better understand these technologies;
  • strengthening controls: checking the compliance of public and private AI systems, particularly those using augmented cameras.

Protecting minors from digital risks

The hyperconnectivity of the younger generations exposes them to many dangers: cyberbullying, inappropriate content, targeted advertising and abusive profiling. In this new strategic plan, the CNIL has therefore decided to make their protection an absolute priority.

Its strategic priorities include:

  • an increased presence of the CNIL in the field: raising awareness through partnerships with the educational community and local players;
  • appropriate information: helping minors to exercise their rights through simplified, educational interfaces;
  • promoting more responsible digital use: developing tools co-constructed with young people and mobilizing international institutions for better digital education;
  • reinforced controls: checking the compliance of platforms popular among young people, such as social networks and educational applications (EdTech).

Cybersecurity: how to respond to the growing number of data breaches?

Faced with an increase in cyber-attacks, the CNIL warns of the need to reinforce data security. Indeed, the sophistication of cyberthreats now requires the use of appropriate tools and the promotion of a culture of cybersecurity for businesses and the general public alike.

The CNIL’s priorities are:

  • cooperation and harmonization: working with European regulators to implement key legislation such as NIS2 and DORA;
  • risk management support: training organizations and raising awareness of cybersecurity best practices among individuals;
  • encouraging protective technologies: promoting solutions that integrate data protection right from the design stage (PETs);
  • reinforcing controls and sanctions: increasing post-incident checks and coordinating repressive actions with other competent authorities.

Related themes addressed by the strategic plan: smartphone applications and the use of digital identity

The growing use of smartphone applications raises privacy issues linked to simplified access to highly personal data (geolocation or health, for instance). The CNIL therefore recommends that the general public be made aware of the privacy issues associated with the use of smartphone applications, and of the best practices to adopt. It also recommends that practices be monitored for compliance and that recommendations be updated.

Similarly, the use of digital identity is promising for securing identification processes and dealing with the increasing number of cases of identity theft, cyber-attacks and phishing. To this end, the CNIL mainly suggests cooperation with European authorities for a secure implementation in compliance with the eIDAS regulation, but also wishes to contribute to the development and use of privacy-protecting online identity and age verification solutions.