Compliance Updates June 2026: AI Act, Court of Auditors, and a shake-up in telemarketing
June 2026 marks a regulatory turning point for DPOs and legal professionals: the Court of Auditors delivers an uncompromising assessment of the CNIL, while the law of June 30, 2025, mandates a shift to strict opt-in for B2C cold calling from August 11, 2026. On the artificial intelligence front, the AI Office is finalizing its Codes of Conduct for GPAI model providers, with direct implications for auditing your AI subcontractors. Finally, the G7 Privacy meeting in Paris and Microsoft France's admission regarding the Cloud Act reignite the debate on digital sovereignty. Here's what you need to know to manage your GDPR and AI Act compliance this month.

Each month, Adequacy deciphers the significant regulatory news in data protection and artificial intelligence. This June 2026 compliance review features: the CNIL's critical review by the Court of Auditors, the scheduled end of B2C cold calling, the publication of the AI Office's audit frameworks, the G7 summit in Paris, and Microsoft's admission regarding the Cloud Act at VivaTech.
Here's what you need to know to effectively manage your compliance this month.
1. Regulatory Bodies: The CNIL Under Scrutiny by the Court of Auditors
On June 4, 2026, the Court of Auditors published a landmark thematic public evaluation report on the CNIL. While the institution on Rue Cambon commends the Commission's historical trajectory and its adaptability in the face of the GDPR wave, it delivers an uncompromising diagnosis of its current operational limitations. The Court severely criticizes the extended complaint processing times and demands an immediate overhaul of internal processes, coupled with a strengthening of agents' legal powers and technical skills.
For legal departments and DPOs, this report serves as a warning: driven towards administrative efficiency, the CNIL will have to industrialize and automate the management of mass disputes. Future controls will be technically more incisive, more automated regarding complaint flows, and uncompromising for companies whose documentation or management of data subject rights lacks rigor.
2. Marketing: The Death Knell for B2C Cold Calling
On June 10, 2026, the CNIL updated its guidelines on commercial prospecting, formalizing a seismic shift that many companies pretended not to see coming: the complete transition toStrict opt-in (mandatory prior consent) for calls to individuals, in application of the law of June 30, 2025. Specifically, as of August 11, 2026, the historical "Bloctel" system based on the right to object is dead. If a potential customer has not explicitly checked an un-pre-checked box to say "Yes, I agree to be called," it is legally forbidden to dial their number. The only exceptions? An ongoing contract, and strictly for a purpose related to that contract.
To be perfectly honest, it's the end of an era and a massive shake-up for call centers and data brokers (data brokers). Companies that relied on purchasing "qualified lead" files will have to urgently audit their partners: the CNIL reminded that consent cannot be passed from partner to partner like a hot potato. If your marketing teams continue to make calls "without proper consent" after August 11, you risk not only a CNIL fine, but also the automatic nullification of all contracts signed as a result of these calls. There are less than two months left to bring your data collection funnels into compliance; the countdown has begun.
3. Artificial Intelligence: the AI Office's Codes of Conduct are now part of DPO audits
The major consultations conducted by the European AI Office (AI Office) concluded this month, specifically on June 3 and 23, 2026. The objective of this intense regulatory activity is clear: to finalize the first draft of the Codes of Conduct for providers of general-purpose AI models (GPAI), i.e., the large language models (LLM) that everyone uses today. This document is not merely legal theory: it lists ultra-precise technical requirements regarding the transparency of training data, respect for European copyright, and documentation of systemic risks.
Let's be clear: while this text primarily targets tech giants, it radically changes the daily work of DPOs and legal directors in companies starting this month. The AI Office's requirements immediately transform into a mandatory audit framework for your subcontractors. The emergence of technical and legal evaluation tools (such as LARA audit frameworks) proves that the market is already organizing itself. If your company integrates an LLM into its business tools, you can no longer rely on a simple confidentiality clause in your IT contract. You must demand from your service providers supporting documents aligned with these new Codes of Conduct to validate the compliance of your deployments.
4. International: the CNIL welcomes the G7 data protection authorities in Paris
From June 23 to 26, 2026, the CNIL will chair and host in Paris the roundtable of G7 data protection and privacy authorities. This high-level institutional summit takes place amidst strong geopolitical tensions surrounding digital sovereignty and the rapid acceleration of artificial intelligence worldwide.
For our professions, this is more than just a photo op for diplomats. This week's discussions are focused on the operational convergence of controls and the secure streamlining of cross-border data flows. Regulators are seeking to harmonize their methods so that international investigations into major Tech or AI players no longer hit national borders. What does this mean for you? Increasingly fluid information sharing between global authorities. If a flaw or algorithmic bias is detected abroad, the alert will reach your national regulator's desk much faster.
5. Cloud & Sovereignty: Microsoft France's Admission Regarding the US Cloud Act at VivaTech
This stark truth resurfaced to fuel legal debates this June 2026. Publicly questioned during the panels of the anniversary edition of VivaTech 2026 in Paris, Microsoft France's management explicitly acknowledged its legal inability to oppose a data seizure injunction issued by US courts under the Cloud Act, even if its clients' sensitive data is physically stored within national territory.
Let's be perfectly transparent: this admission doesn't surprise any rigorous legal professional, but it does have the merit of cutting through the marketing fog. It confirms that no data localization certification in Europe can shield against extraterritorial US legislation if the parent company is subject to it. For DPOs, this is a crucial piece of information to urgently integrate into your data transfer risk assessments outside the European Union (the famous TIAs). If your company handles highly strategic, health, or sovereignty-related data, reliance on a provider subject to the Cloud Act carries a residual risk that you must map out and politically assume at the board level.
FAQ - GDPR and AI Act compliance in June 2026
Why did the Court of Auditors audit CNIL in June 2026?
The Court of Auditors published its report on June 4, 2026, to assess CNIL's effectiveness in fulfilling its missions. It specifically calls for a reduction in complaint processing times and a modernization of agents' legal powers to address the challenges of artificial intelligence.
What is the deadline to comply with the new telemarketing rules?
The deadline is set for August 11, 2026. After this date, B2C telemarketing will switch to a strict Opt-in regime (mandatory prior consent).
Does data hosting in France protect against the US Cloud Act?
No. As Microsoft France management reiterated at VivaTech this month, if the cloud provider is a subsidiary of an American group, it remains subject to the injunctions of the Cloud Act, regardless of the physical location of the servers.
Official Sources & Legal References
- CNIL Evaluation Report: Public Report of the Court of Auditors (June 2026)
- G7 Privacy Summit: CNIL International Hub & G7 Roundtable (June 23-26, 2026)
- Telemarketing Guidelines: Telemarketing (excluding automated calls): what are the rules? - CNIL
- AI Office Consultation Period Ends: Updates and Schedule from the European AI Office (June 2026)Looking to structure your GDPR and AI Act governance without the burden of regulatory overlap? Discover how the SaaS platform Adequacy centralizes your risk assessments and automates your compliance.

