Businesses expanding into France or Germany often assume the compliance risk is similar in both markets. After all, GDPR applies to both. The legal frameworks are harmonized at the EU level. The requirements can't be that different.
This assumption is wrong — and for businesses that discover it after the fact, it tends to be expensive.
France and Germany are two of the most strictly enforced digital compliance markets in Europe. But they enforce through fundamentally different mechanisms, with different timelines, different financial profiles, and different discovery pathways. A business that understands French enforcement culture and prepares accordingly may be completely unprepared for what Germany does differently — and vice versa.
⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. Regulations and enforcement practices vary by jurisdiction and may change over time. Consult a qualified lawyer for advice specific to your situation.
In France, enforcement flows through a single channel: CNIL — the Commission Nationale de l'Informatique et des Libertés.
CNIL is one of the most active and technically sophisticated data protection authorities in the EU. It operates through a combination of automated scanning, complaint intake (16,433 complaints received in 2023), and proactive sector-wide investigation campaigns. Its formal investigation process is defined by law and can take months to years. Its outcomes are published on cnil.fr — permanently, by name.
What CNIL enforcement looks like in practice:
The Google fine — €150 million — came from an automated scan of a cookie consent interface. CNIL's tools identified that refusing cookies required more clicks than accepting them. No user filed a complaint. CNIL's own technology discovered the violation.
The Criteo fine — €40 million — emerged from a CNIL investigation into whether advertising technology was collecting data from partner websites without valid consent. The company had believed its consent mechanism was compliant. It was not.
The Doctissimo fine — €380,000 — targeted a content website, not an e-commerce platform. Doctissimo operated under the reasonable assumption that a health information site with advertising posed manageable compliance risk. CNIL disagreed on multiple technical points simultaneously.
The profile of French enforcement risk:
| Characteristic | Detail |
|---|---|
| Who enforces | CNIL — one authority, centralized |
| How they find violations | Automated crawlers, individual complaints, sector campaigns, NGO filings |
| Timeline | Typically 12–36 months from investigation to decision |
| Fine range | Warning to €20M or 4% of global turnover |
| Published? | Yes — decisions published on cnil.fr, permanently |
| Cross-border reach | Yes — can pursue foreign businesses targeting French users |
The reputational dimension of a published CNIL fine is significant and often underestimated. French consumer awareness of privacy is high. A published CNIL decision names the organization, describes the violation in detail, and states the fine. That record is permanent and searchable.
Germany's enforcement ecosystem is structurally different — and, for many businesses, more immediately dangerous.
There is not one German enforcement authority. There are seventeen: the federal BfDI plus sixteen state-level data protection authorities (one per Bundesland), each with independent investigative powers. Multiple parallel enforcement actions by different authorities are legally possible.
But the more distinctive feature of Germany is something that doesn't exist in France: the Abmahnung system.
An Abmahnung is a formal cease-and-desist letter under German civil law. It is not sent by a regulator. It is sent by a competitor, a consumer protection association, or a law firm acting on their behalf. Under German law, any party with a legitimate legal interest can send one to a business they believe is violating the law.
What has developed around this mechanism is a structured, profitable industry. Specialized law firms — known informally as Abmahnanwälte — systematically scan websites, identify compliance gaps, and send templated cease-and-desist letters on behalf of clients. Germany sees an estimated 200,000 to 300,000 Abmahnungen filed per year across all legal domains, with website compliance representing a growing share.
The economics favor the sender. A templated Abmahnung costs the sender's law firm very little to produce. The recipient, regardless of whether the claim has merit, must engage a German lawyer, assess the claim, and respond within the deadline — typically 10 to 14 days. Legal costs to resolve an Abmahnung with counsel typically range from €1,000 to €5,000.
The timeline is brutal. If a recipient ignores an Abmahnung or misses the deadline, the sender can apply for a preliminary court injunction — and German courts can grant these within 24 to 48 hours. Once an injunction is in place, German operations can be halted by a court order before a business has fully understood what happened.
Small businesses are the preferred target. Large corporations contest Abmahnungen routinely. Small businesses — particularly foreign ones unfamiliar with the system — settle more often, faster, and on less favorable terms.
The profile of German enforcement risk:
| Characteristic | Detail |
|---|---|
| Who enforces | 17 DPAs (BfDI + 16 state authorities) + private enforcement via Abmahnung |
| How they find violations | DPA complaints, Abmahnanwälte systematically scan websites |
| Timeline | Abmahnung: 10–14 day deadline, injunction possible in 24–48 hours |
| Fine range | DPA: up to €20M. Abmahnung: €1,000–€5,000 per incident in legal fees |
| Published? | DPA decisions: yes. Abmahnungen: private, but injunctions become court records |
| Cross-border reach | Yes — any business targeting German consumers is exposed |
For businesses operating in both France and Germany — or expanding from one into the other — the risk profiles stack rather than average.
A French business expanding into Germany enters the Abmahnung ecosystem for the first time. It faces a mechanism it has no experience with, legal deadlines measured in days, and a system where its competitors are potential enforcement agents.
A German business operating in France faces CNIL's automated scanning and sector-wide investigation capacity. The German instinct toward detailed documentation and process-orientation helps — but CNIL's published decisions mean that any violation found becomes a permanent public record.
A real example: A French e-commerce business expanded into Germany with a translated website, added German shipping options, and launched a Meta campaign targeting German consumers. Eight weeks later, a registered letter arrived. Four pages of German legal text, €1,200 in claimed fees, a ten-day deadline. Three compliance gaps — all fixable in a day had they been identified before launch — had been spotted by a competitor's law firm. By the time a German lawyer was engaged, the deadline had passed. A court injunction followed. German sales halted. Total cost: approximately €3,500 in legal fees and two weeks of halted operations.
In France: CNIL's automated scanning means your website is potentially visible to enforcement at any time, without a complaint being filed. Sector-wide campaigns mean that operating in certain industries increases your probability of being investigated regardless of whether any individual has complained about you.
In Germany: A competitor can file an Abmahnung against your website faster than any regulatory investigation process. The deadline structure means that missing a single letter can result in a court injunction within days. Being a small foreign business does not reduce your risk; it increases it.
In both: The compliance burden is not the sum of two separate markets. It is two different enforcement cultures, two different timelines, and two different financial risk profiles — managed simultaneously.
Sources: CNIL Annual Report 2023, CNIL Decision SAN-2022-001 (Google, €150M), CNIL Decision SAN-2023-002 (Criteo, €40M), CNIL Decision SAN-2023-008 (Doctissimo, €380K), Bundestag documentation on Abmahnung reform (UWG 2021)