What Is GDPR + Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés?
France was the first country in the world to enact a data-protection statute: the Loi Informatique et Libertés of 6 January 1978, which created the CNIL. Since 2018 that law operates as the national supplement to the EU GDPR — the GDPR provides the core rules and the French law fills the gaps left by GDPR opening clauses (the age of digital consent is 15 in France, plus national rules on health data, the press exemption, and post-mortem data directives). The CNIL (Commission Nationale de l'Informatique et des Libertés) is the supervisory authority and has become the EU's most aggressive enforcer: its 2025 sanctions totalled roughly €486.8 million, led by €325M against Google and €150M against Shein for cookie-consent violations. For data brokers, the key French feature is the absolute, cost-free right to object to commercial prospecting (le démarchage): a person can oppose marketing use of their data at any time, and the controller must not only stop but also notify downstream partners. France also runs Bloctel, a national do-not-call list that telemarketers must screen against.
At a glance
- Full name: GDPR + Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
- Short code: Loi Informatique et Libertés
- Jurisdiction: France
- Enacted: 1978
- Last major update: Realigned with the EU GDPR in 2018-2019 (Loi du 20 juin 2018 + Ordonnance du 12 décembre 2018)
- Regulator: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Private right of action: Yes
- Statutory citation: Loi n° 78-17 du 6 janvier 1978 + Règlement (UE) 2016/679
Scope, who Loi Informatique et Libertés covers
Protected data
Data subject rights
- Right of access (Article 15) — obtain a copy of your data
- Right to rectification (Article 16)
- Right to erasure / right to be forgotten (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object — absolute and free for direct marketing/prospecting (Article 21)
- Right to give post-mortem directives on your personal data (French-specific)
- Right to lodge a complaint with the CNIL (Article 77)
Notable features
France pairs the oldest data-protection tradition in the world with the EU's most aggressive enforcement. Distinctive features: the absolute, free right to object to prospecting; the Bloctel do-not-call register; the age of digital consent set at 15; and statutory post-mortem data directives. The CNIL has also published specific guidance that reusing publicly accessible online data for marketing is not a free pass — the data subject must have been informed and not objected.
Enforcement & penalties
Regulator: Commission Nationale de l'Informatique et des Libertés (CNIL)
Penalties: GDPR two-tier fines: up to €10M or 2% of global turnover (lower tier) and up to €20M or 4% of global turnover (higher tier), whichever is greater. The CNIL is the EU's most prolific fining authority — ~€486.8M in 2025 sanctions, including €325M (Google) and €150M (Shein) for cookie violations, and €5M each against France Travail (Jan 2026) and IQVIA France (May 2026).
Private right of action: Under GDPR Article 82, individuals can claim compensation for material or non-material damage before the French civil courts. Collective ('class') actions are available under French law (action de groupe) for data-protection breaches, brought by approved consumer associations.
Relevance to data brokers
Data brokers ('courtiers de données') are controllers under GDPR and must have a lawful basis; marketing data sale almost always relies on legitimate interest, which the absolute marketing-objection right overrides on request. Brokers must operate a suppression list ('liste repoussoir') to honour objections and notify downstream recipients (Article 19). French residents can use Bloctel, the telecom 'liste rouge', GDPR erasure/objection requests, and CNIL complaints.
FAQ
Who enforces data privacy in France?
The CNIL (Commission Nationale de l'Informatique et des Libertés), which enforces both the EU GDPR and France's 1978 Loi Informatique et Libertés. It is the EU's most active fining authority, issuing roughly €486 million in sanctions in 2025.
How do I stop telemarketing calls in France?
Register on Bloctel, France's national do-not-call list. Companies must screen their call lists against Bloctel before campaigns (and re-check at least monthly). You can also ask your telecom operator for the "liste rouge" to remove your number from the universal directory.
Can data brokers legally sell my data in France?
Only with a valid lawful basis under GDPR. You have an absolute, free right to object to any marketing use of your data at any time (Article 21). Once you object, the broker must stop and notify any downstream partners to stop contacting you.
How long does a French company have to answer a data request?
One month from receipt, extendable by two further months for complex requests (you must be told of any extension within the first month). If ignored, you can complain to the CNIL, which must respond on your complaint within three months.