1. Cybercrime & Cybersecurity
1.1. Cybercrime
Kick: The Paris Public Prosecutor’s Office has opened a judicial investigation into Kick and its executives for disseminating violent content online, money laundering and failure to assist a person in danger. This proceeding follows the death of a videographer who was broadcasting live on the platform. The investigation has been entrusted to the Central Office for the Fight against Cybercrime and aims to determine the criminal liability and misconduct of the company’s executives. (Press release from the Paris public prosecutor’s office dated 27 January 2026)
Cyberattack: In France, following recent revelations concerning a data leak at DINUM, the Real Estate Department was the target of a cyberattack on January 19. Although no data was stolen, the website was suspended while investigations were carried out, with the support of ANSSI. (Press release dated January 19, 2026)
International Criminal Court: At the end of the year, the ICC published a policy paper on crimes related to the use of cyberspace under the Rome Statute. The Court’s stated aim is to adapt to the growing use of cyberspace in the commission of international crimes. Although the Court and its decisions currently have limited legal recognition, this document highlights the willingness of international authorities to fight cybercrime. (Report release on December 2025)
Cyberattack : On January 15, Microsoft announced the dismantling of RedVDS, a key infrastructure used in global online scams. It provided cybercriminals with ready-to-use Windows servers and tools, facilitating phishing, data theft, and payment diversion. Thanks to coordinated action with US and UK judicial authorities, as well as European law enforcement agencies including Europol, Microsoft was able to take the platform’s key infrastructure offline. (Press release on January 15, 2026)
Spying : A security flaw has been discovered in Fast and Pair, Google’s technology that facilitates Bluetooth connectivity on Android. If exploited by hackers, they could listen in on audio or even use the microphone. Google has now rolled out fixes for its products and is urging users to install updates from manufacturers. (Press release on January 16, 2026)
Cybercrime: A suspect was arrested in France in January 2026 as part of the investigation into the hacking of the French Shooting Federation and the leak of personal data of approximately one million licence holders, which was then allegedly used to facilitate targeted burglaries. (Press release dated 8 January 2026)
Cyberattack: La Poste suffered another massive cyberattack on the night of 31 December to 1 January 2026, paralysing its online services (parcel tracking, Digiposte digital safe, La Banque Postale app), just a few days after a similar attack on Christmas Day. (Press release dated 1 January 2026)
1.2. Cybersecurity
National Cybersecurity Strategy: The National Cybersecurity Strategy 2026-2030 aims to strengthen France’s cyber sovereignty and resilience by developing skills, securing critical infrastructure and public services, supporting technological innovation, and intensifying European and international cooperation in the face of cyber threats (Press release from the General Secretariat for Defense and National Security, January 29, 2026).
Certification: French company Virtual Browser has just obtained First Level Security Certification (a.k.a CSPN in French) from ANSSI, becoming the first CSPN-certified web browsing security solution. This certification recognizes the company’s work in developing web browsing isolation technology. In practical terms, this means that the browser will run on a remote system, preventing malicious code from being executed on the user’s local computer. CSPN certification will give the company official security recognition, providing it with a major commercial advantage. (Press release, January 20, 2026)
Cookies and trackers: The French Data Protection Authority (CNIL) publishes its recommendations on obtaining multi-device consent. The objective is threefold: to regulate the conditions under which multi-device consent must be requested, to adapt user information to the collection of multi-device consent, and to manage situations where users express choices that differ from those recorded on their account before logging in. (Recommendation, January 16, 2026)
Cybersecurity: Google has rolled out a security patch for the Chrome browser to fix a critical vulnerability that could be exploited by a malicious extension and allow access to sensitive data. Users are advised to install the update as soon as it becomes available. (Google press release dated 7 January 2026)
2. Disinformation & Information Warfare
Information warfare: VIGINUM publishes a note on the concept of “« Information Manipulation Set » (IMS) (press release January 22, 2026)
Information warfare: Publication by the Swedish Psychological Defense Agency, a Swedish public administrative authority under the Ministry of Defense, of the manual “Psychological Defense and Information Influence” for better protection of democratic values. (Press release of January 2026)
Information Warfare: The association EU DisinfoLab, in partnership with VIGINUM (France’s service for vigilance and protection against foreign digital interference), has published a report entitled “Developing a Common Operational Picture of Foreign Information Manipulation and Interference (FIMI)” to better understand and respond to information manipulation in Europe. The main recommendations of the report are 1) strengthening and coordinating IMS data collection, 2) integrating IMS into content removal mechanisms 3) improving platform transparency 4) targeting operational structures that support these networks. (Press release, January 16, 2026)
Health: The Department of Health announces the launch of a national strategy to combat health misinformation, aimed at promoting concrete and sustainable actions to ensure that everyone has access to reliable, accessible and understandable health information (Press release dated 12 January 2026).
3. Personal Data & Privacy
3.1. Data breaches and incidents
Data leak: The Interministerial Digital Directorate (DINUM) has confirmed a data leak affecting HubEE, an administrative document exchange platform used by the public sector. In total, nearly 70,000 files, or 160,000 documents, some of which contained personal data, were stolen. (Press release, January 16, 2026)
Data breach: On 13 January 2026, the French Data Protection Authority (CNIL) imposed a total fine of €42 million on Free Mobile (€27 million) and Free (€15 million) for serious data security breaches, following a breach that exposed the personal information of 24 million subscribers, including their IBANs. (CNIL decision dated 13 January 2026)
3.2. Penalties and regulations
Parasitism: Pursuant to Article 1240 of the Civil Code, the following constitutes parasitic behaviour: a commercial company, as part of a digital communication campaign to promote the arrival of new ‘talent’ on its platform and inviting its followers to invest in players presented as the best during the 2022 Six Nations Tournament, to massively relay messages from the accounts of players of the French national rugby union team and the French Rugby Federation on its social networks without authorisation or compensation (TJ Paris, 06/01/2026, 23/08148).
CNIL sanction: The CNIL imposed a fine of €5 million on FRANCE TRAVAIL for failing to ensure the security of personal data following a breach in the first quarter of 2024, which exposed the data of millions of people registered or previously registered on francetravail.fr, and ordered the organisation to justify corrective measures or face penalties (Press release from the French Data Protection Authority dated 29 January 2026).
Transmission of personal data: On December 30, a company was sanctioned by the CNIL, which imposed a fine of €3.5 million for transmitting the personal data of members of its loyalty program to a social network. This data was then used by the social network to display targeted advertisements promoting the company’s products. The CNIL criticized the company in particular for the fact that the consent obtained was neither explicit nor informed. (Press release January 22, 2026)
Data protection: The European Union has announced the opening of negotiations with the United States to regulate access to certain sensitive data under the visa waiver programme, in order to ensure that the scheme complies with European law. (EU Council press release dated December 2025)
Data protection: Nexpublica was fined €1,700,000 by the CNIL (French Data Protection Authority) for failing to implement adequate security measures relating to the use of software for managing user relations. (Penalty imposed by the CNIL on 22 December 2025)
4. Digital Economy & Competition
Chatbot: The founder of the secure messaging app Signal is launching an alternative to conversational assistants such as ChatGPT. Confer, the new chatbot, combines several technologies focused on personal data protection. In practice, this includes strong encryption and secure environments so that only the user can read their conversations. (Press release on January 5, 2026)
Transparency: Arcom publishes its analysis report on the transparency reports of French digital intermediary service providers subject to the European Digital Services Regulation (DSR/DSA). (Arcom report published on 12 January 2026)
Digital economy: The French Financial Markets Authority (AMF) and the French Prudential Supervision and Resolution Authority (ACPR) warn the public about several players offering unauthorised services in France related to Forex trading and crypto-assets, exposing investors to high risks of financial loss and fraud. (Press release from the AMF and ACPR dated January 2026)
Audiovisual: A recent study by the European Audiovisual Observatory explains that the news media sector in Europe has been profoundly transformed by digital technologies, shifting from a traditional model (press and broadcasting) to ecosystems dominated by social media and AI. The report highlights the importance of new European regulatory frameworks and media literacy. (Press release dated 18 December 2025)
5. Artificial Intelligence
5.1. Copyright in the age of AI
.
5.2. Regulation and supervision
Legal action: A class action lawsuit has been filed against NVIDIA for copyright infringement. The company, which specializes in designing graphics processors and AI models, is alleged to have not only used third-party datasets containing pirated books, but also to have contacted Anna’s Archive directly to obtain millions of books. The authors are seeking compensation for damages suffered. (Amended complaint filed in the District Court for the Northern District of California, Oakland Division)
Deepfake : Faced with criticism, X finally decided to update Grok’s terms of use to limit the creation of sexual deepfakes. This decision follows numerous pressures on the social network, including the opening of an investigation by the OFCOM (the British telecommunications regulator) on January 12. In France, the High Commissioner for Children, Sarah El Haïry, announced that she would refer the matter to the European Commissioner for Digital Sovereignty, arguing that deepfakes fall under the scope of the DSA and DMA. (Post on X on the 14th of January).
Deepfake: In France, several ministers have reported to the judicial authorities and the Pharos platform sexual content generated without consent by X’s Grok AI tool, leading to the extension of an ongoing judicial investigation into these deepfakes and their possible criminal violations. (Press release dated 2 January 2026)
AI: Google and start-up Character.AI have reached amicable agreements to settle several lawsuits in the United States brought by families who claim that chatbots contributed to the suicide or serious injury of minors, without the details of the settlements being made public. (Press release dated 7 January 2026)
AI: In its ‘Flash interference’ #117, the French DGSI warns of the risks associated with the use of artificial intelligence in companies, in particular attempts at interference via deepfakes, the exposure of confidential documents, and excessive dependence on AI tools, which can reduce human vigilance and encourage fraud. (Flash Ingérence #117, December 2025)
AI/Mental health: At the end of 2025, China proposed the strictest regulations for AI ‘companions’. The aim is to prohibit any incitement to violence, suicide or emotional dependence by requiring platforms to regularly remind users that they are interacting with a machine, with a view to preventing psychological and social abuse. (Official press release dated 27 December 2025)
AI/Health: A study has highlighted the fact that artificial intelligence is enabling the proliferation of websites offering fake obesity drugs (such as Ozempic, Wegovy and Mounjaro) using deepfakes, fake health authority logos and misleading promotions. These practices are carried out with the aim of deceiving consumers and pose major health risks. (Study published on 21 November 2025)
6. Intellectual Property & Counterfeiting
6.1. Legal actions and proceedings
Copyright: An advisor to the Court of Justice of the European Union has ruled that the use of a Virtual Private Network (VPN) to circumvent geographical restrictions is not sufficient to constitute copyright infringement. Liability therefore lies with the actions of publishers, and not with technical circumventions by users. (Copy of the conclusions of Advocate General Athanasios Rantos dated 15 January 2026)
Copyright: Chinese police raided a suspect linked to the manga piracy site BATO.TO and its affiliated sites, which have been shut down since November 2025, following complaints from Japanese publishers via CODA, illustrating international cooperation to protect intellectual property and combat the illegal distribution of manga. (Press release from the Content Overseas Distribution Association dated 29 January 2026)
LCEN’s applicability: No breach of Article 6 of the LCEN (Law on confidence in the digital economy) in the event of content being removed by the host, in this case Amazon, within three weeks of receiving a notification. (CA Versailles, January 7, 2026, 24/03975)
IA : Actor Matthew McConaughey is taking the lead in combating AI abuses by legally protecting his image and voice as trademarks. He has obtained approval to register eight trademarks with the USPTO. This move gives the actor a solid legal basis to take action against any unauthorized use of his voice and prevent deepfakes. According to McConaughey, the main objective of this move is to “create a clear perimeter around ownership” in the era of widespread AI. His initiative could well inspire other celebrities to do the same. (Press release January 15, 2026).
Anti-piracy: Cloudflare has been fined €14.2 million by Italian regulator AGCOM for failing to block access to pirate sites via its public DNS service 1.1.1.1. In response, Cloudflare denounced the measure as ‘Internet censorship’ and threatened to withdraw its servers from Italy, discontinue its free cybersecurity services for local users, and cancel its planned investments in the country. (Decision of the Italian authority published on 8 January 2026)
Complaint/DMCA: X (formerly Twitter) has filed a complaint against the National Music Publishers’ Association (NMPA) and several major music publishers (including Sony, Universal and Warner Chappell), accusing them of ‘weaponising’ the DMCA to force a commercial partnership. According to the complaint, after X refused to sign an agreement in 2021, the NMPA launched a massive campaign of takedown notices targeting more than 200,000 posts and resulting in the suspension of more than 50,000 users. (Complaint filed by X on 9 January 2026)
Anti-piracy: The High Court of New Delhi has granted Disney, Netflix, Crunchyroll and other film giants a new order to block pirate sites, targeting notorious platforms. This decision, which relies on domain name registries and even foreign governments, seeks to have a global impact, although some sites remain accessible by changing domains. (Court order issued on 18 December 2025)
Shadow library: The underground library Anna’s Archive has lost access to its main .org domain name, which has been suspended by the relevant registry, making the site temporarily inaccessible via this address. However, the platform remains accessible via alternative domains. (Press release dated January 2026)
Copyright: The Court of Cassation has clarified that a person’s participation in an interview is not sufficient in itself to confer co-authorship under copyright law; only an original contribution to the conception or structure of the work can be considered. (Court of Cassation ruling dated 15 October 2025)
Counterfeiting/Parasitism: In a ruling dated 5 November 2025, the Paris Judicial Court convicted the leader of the ‘Les Survivants’ movement for counterfeiting and parasitism after he affixed 10,000 anti-abortion stickers that reproduced the Vélib’ logo without authorisation. The judges ruled that freedom of expression did not justify this infringement of the City of Paris’ copyright, as the message could be disseminated by other means. (Decision of the Paris Judicial Court, No. 23/13625, 5 November 2025)
6.2. Regulation and supervision
Industrial property: The judge presiding over summary proceedings at the Paris Commercial Court reiterated the binding nature of contractual commitments in relation to software licences, ordering VMware to continue to perform a global enterprise licence agreement entered into with Thales despite a change in commercial policy, emphasising the legal protection of the exploitation rights granted. (Interim order of the Paris Commercial Court dated 19 July 2024)
IPTV: The French Regulatory Authority for Audiovisual and Digital Communication (Arcom) reiterates that IPTV is legal as a technology, but that certain offerings are illegal when they provide unauthorised access to copyright-protected content, particularly audiovisual channels and events. (Arcom press release dated 8 January 2026)
.
7. Regulation & Justice
7.1. French law
Blocking social media: The National Assembly has adopted a bill prohibiting minors under the age of 15 from accessing social media services, in order to better protect the mental health of children and adolescents. The bill requires the platforms concerned to verify users’ ages and is expected to come into force at the start of the 2026 school year. (National Assembly press release dated 26 January 2026)
7.2. European law
DSA: The European Commission opens a new formal investigation against X under the DSA and extends the investigation opened in 2023 into X’s recommendation systems. This new investigation will determine whether X has properly assessed the various risks associated with the deployment of Grok’s features within the European Union (EU). (Press release dated 26 January 2026)
DMA: Google’s promotion of its Gemini AI assistant on Android and its restriction of the interoperability of competing assistants and fair access to search data constitute a breach of the obligations of the Digital Markets Act, justifying the European Commission’s initiation of two proceedings to clarify the obligations of access to Android functions and sharing of anonymised search data in order to restore effective competition (European Commission press release of 27 January 2026)
Digital sovereignty: In early January 2026, the European Commission launched a public call for contributions on its future open-source strategy, which aims to strengthen Europe’s digital sovereignty by promoting the development and commercialisation of European free software. Contributions are expected by 3 February 2026. (Call for contributions)
Protection of minors: The European Commission has proposed extending the 2021 temporary regulation (EU 2021/1232) until 3 April 2026, which allows for a derogation from the ePrivacy Directive to facilitate the detection and reporting of online child sexual abuse. This extension aims to avoid a legal vacuum pending the adoption of a permanent legislative framework. (Press release dated 19 December 2025)
DSA / VLOP : Zalando’s appeal against a General Court ruling challenging its classification under the Digital Services Act was published in the EU’s Official Journal on Monday. The online retailer of shoes, fashion, and accessories put forward six legal grounds, arguing that it is not an online platform within the meaning of the DSA, that user exposure was wrongly presumed, and that the EU judges misapplied the rules on hosting services. It also claimed that the court reversed the burden of proof, violated its rights of defense, and undermined legal certainty. (Appeal before the CJEU against the judgment of the EU General Court of 3 September 2025)
