France: French Data Protection Authority adopted guidance on deepfakes including protection and reports of illegal content

On 3 February 2026, the French Data Protection Authority (CNIL) published guidance on deepfakes explaining the associated privacy and security risks and setting out steps for individuals to protect themselves and report illicit content. The guidance defines deepfakes as audio, image, or video content created or modified using artificial intelligence, including techniques such as face swapping and lip-synching, and notes that such content can be used for conduct including identity misuse, online harassment, fraud, and disinformation. The guidance highlights that creating or sharing certain deepfakes can lead to criminal liability under French law, including that creating an image montage of a person without consent may be punishable by one year of imprisonment and a EUR 15'000 fine, and that fraud involving deception to obtain money, property or a service may be punishable by 5 years of imprisonment and a EUR 375'000 fine. The guidance also describes the CNIL’s role in informing the public, supervising compliance with data protection rules, supporting research and detection work, including through the GenFakes project, and contributing to European initiatives, including work on codes of practice for AI-generated content.