On 30 January 2026, France's Conseil d'État (the country's supreme administrative court) rejected the appeal of the municipality of Nice. Decision no. 506370 puts an end to a dispositif the city had deployed in front of its 144 schools since 2020: cameras paired with an algorithm capable of detecting in real time a vehicle parked for more than five minutes at the entrance of a school. The high administrative court rules that "as the law currently stands", the systematic algorithmic analysis of video-surveillance images on public roads is not authorised.
This is not facial recognition in the strict sense. It is automated behavioural analysis, without biometric identification. And that is precisely what makes the decision instructive: it sketches, by exclusion, the red line France has held until now on the most sensitive use of video-surveillance, real-time facial recognition in public spaces. But it also reveals, by contrast, the step-by-step strategy pursued by the state and certain local authorities.
To understand the French debate in 2026, two ideas must be held together. On the one hand, the official red line has held: France did not authorise facial recognition in public spaces, even during the Paris Olympic Games. On the other, an adjacent infrastructure has been installed in stages: digital identity with facial verification, a police file containing photographs that can be exploited biometrically, video-analysis software in investigations, so-called "augmented" cameras to detect certain behaviours, municipal projects around schools, and private uses at sporting events or in companies.
Taken separately, each of these tools is presented as targeted, experimental or strictly framed. Taken together, they sketch what institutions now bluntly call a risk of a surveillance society.
Facial recognition: what are we actually talking about?
The distinction is legally crucial, and often missed in public debate. The CNIL — Commission nationale de l'informatique et des libertés (France's data protection authority) — restates it at every opportunity: facial recognition is a biometric technology. It processes biometric data within the meaning of the General Data Protection Regulation (GDPR) — data "resulting from specific technical processing relating to the physical, physiological or behavioural characteristics" of a person, allowing for unique identification.
A specific regime applies to this category. Article 9 of the GDPR forbids in principle the processing of biometric data for the purposes of identifying a natural person. The exceptions are tight: explicit consent, substantial public interest defined by a text, national security, protection of vital interests. Without a specific legal basis, facial recognition is, in France, forbidden.
This category does not cover everything cameras can do. A camera that detects an abnormal crowd movement, an abandoned package or a vehicle parked too long does not perform facial recognition. It analyses the image; it does not extract biometric data from people. This is algorithmic video-surveillance, sometimes called "augmented camera" or VSA (vidéosurveillance algorithmique). The applicable legal regime is more permissive, but it is also regulated: it requires a specific legal basis for any automated and systematic analysis on public roads. That is precisely what the Conseil d'État has just reaffirmed in the Nice case.
This distinction between identification biometrics and automated image analysis is the pivot of the whole French debate. As far back as 2019, the CNIL had formulated it in its reference text Facial recognition: for a debate worthy of the issues at stake:
Seven years later, the formulation has held. The debate has remained open. But around the official line, an infrastructure has thickened.
A step-by-step advancement strategy
To grasp the French trajectory, one has to follow the timeline. It reveals less a rupture than an accumulation.
Seven years, seven stages. Each individual stage has its own legal coherence. The whole sketches a dynamic that the CNIL had already identified in 2019: the gradual shift from targeted surveillance of certain individuals to the possibility of surveillance of everyone in order to identify a few.
ALICEM, schools, Clearview: three founding cases
Three episodes structure the French story of facial recognition.
ALICEM, 2019-2022. The digital identity dispositif based on facial verification was created by decree on 13 May 2019. Its objective: to allow citizens to identify themselves online on public services through a procedure including the reading of a biometric document and a facial verification. La Quadrature du Net (a French digital rights association) contested the decree before the Conseil d'État, which rejected the appeal on 4 November 2020. On paper, this was a validation by the administrative judge. On the ground, the dispositif remained very little used, before being repealed in April 2022 and replaced by the Service de garantie de l'identité numérique (SGIN, the State digital identity service).
The precedent is instructive. It shows that the administrative judge has not always closed the door on biometric uses — they validated a dispositif based on explicit consent, in a framework of voluntary authentication. The red line concerns identification in public spaces, not authentication with consent.
The high schools of Nice and Marseille, 2019. In June 2019, the Provence-Alpes-Côte d'Azur region announced an experiment: equipping two high schools — one in Nice, one in Marseille — with a facial recognition system to control student entries. The CNIL was asked to assess. On 17 October 2019, it ruled against. The dispositif, it wrote, was neither necessary nor proportionate: the objectives pursued (securing entrances, smoothing flow) can be achieved by less intrusive means, notably card checks by a human agent. The experiment was abandoned.
This decision set a precedent. It marked the CNIL's line on biometric uses in schools, and more broadly on uses where the population concerned — here minors — has no real choice when facing the dispositif.
Clearview AI, 2022-2023. The American company Clearview had built, without consent, a database of more than 20 billion photographs extracted from the internet — social networks, online media, public sites — coupled with a facial recognition search engine. Sold to private and public police forces in several countries, the database makes it possible to find, from a photo, a person's name and their online accounts.
The CNIL settled the matter. On 20 October 2022, by its deliberation SAN-2022-019, it fined Clearview AI €20 million, ordered it to cease the illegal collection and use of biometric data of persons located in France, and ordered it to erase the data already collected. Clearview did not comply. In 2023, the commission imposed an additional €5.2 million penalty.
The Clearview precedent does not only say "France sanctions". It says above all that massive biometric databases built by untargeted scraping of images on the internet are illegal — a principle the AI Act enshrined in Union law in 2025.
The 2024 Olympic Games: the red line maintained, under conditions
It was in the run-up to the Paris 2024 Olympic Games that the French legislator had to arbitrate the debate. The result is a tight compromise: the law of 19 May 2023, known as the 2024 Olympic Games Law, authorises during an experimental period algorithmic image processing in public spaces and places open to the public, to detect in real time predetermined events — abnormal crowd movements, intrusions into restricted areas, abandoned packages, fires, presence of weapons.
The law explicitly excludes facial recognition. The CNIL stated this unambiguously:
The experiment ran from spring 2024 to 31 March 2025. It covered the Paris Olympic and Paralympic Games, plus other subsequent events. The official evaluation report, submitted on 10 January 2025 and published on Vie publique, records the scale: around 30 events, 70 locations and 800 cameras tested in total.
The operational figures, however, tell a more nuanced story.
| Detection (RATP, Paris transport) | True positives | False positives |
|---|---|---|
| Intrusion in restricted zone | 1,222 | 324 |
| Crowd density | 305 | 41 |
| Abandoned objects | 42 | 151 |
On the detection of abandoned objects, the false positive rate exceeds 78%. At France's SNCF (national rail), over 56 days of experimentation, 1,552 alerts were generated; for abandoned objects, 206 true positives out of 629 alerts (about two-thirds false positives), against 660 true positives / 233 false positives for intrusions.
This is not trivial. The operational performance of algorithmic video-surveillance remains strongly case-dependent. On intrusions, the tool is useful. On abandoned objects or complex behaviours, it generates noise that can, at scale, mobilise human resources more than it frees them. The technical debate meets the democratic debate: the promise of "augmented" surveillance through algorithms produces, in practice, an excess of alerts that must then be sorted manually.
It is one of the lessons the CNIL was determined to pass on in its opinion on the extension of the dispositif: algorithmic video is not a simple technical improvement on classic video-surveillance. As our broader analysis of the French framework for state surveillance highlighted, the shift to automated analysis transforms the very nature of surveillance: people are no longer merely filmed, they are analysed in real time.
The Nice case: a real-world test for the red line
It is in this context that the Conseil d'État's decision of 30 January 2026 takes on its full legal weight.
The facts are relatively simple. In 2020, the municipality of Nice, led by Christian Estrosi, deployed in front of its 144 schools a dispositif called "intrusion zone — school entrances": video-protection cameras coupled with an algorithm that automatically detects the presence of a vehicle parked for more than five minutes during opening hours and triggers an alert to the municipal police.
In April 2023, the CNIL inspected the dispositif and ordered the municipality to produce a data protection impact assessment. By its deliberation of 15 May 2025, the commission ruled that the implementation of the dispositif was not authorised as the law stood, for lack of a specific legal basis. The municipality then appealed to the Conseil d'État.
The decision was handed down on 30 January 2026 (no. 506370). The 10th and 9th chambers sitting jointly confirmed the CNIL's position. Their reasoning is clear: the Internal Security Code allows video-surveillance on public roads (article L. 251-2), but cannot be interpreted, in its silence, as authorising the use of algorithms to analyse in a systematic and automated way images collected in public spaces. No other text authorises such an implementation either.
The scope of the decision goes well beyond the Nice case. In practice, it closes the door to any local generalisation of algorithmic video-protection dispositifs without prior intervention by the legislator. Municipalities that were considering similar projects must wait for a specific law. The distinction is clear: classic video-surveillance (human viewing) remains possible, whereas algorithmic video (automated analysis) requires a dedicated legal basis.
The reasoning is legal. But it is also democratic. As the decision puts it: the shift to systematic algorithmic analysis qualitatively transforms the infringement on public liberties. It is not the same thing to watch camera images and to have them analysed, continuously, by a system that triggers operational actions.
The European AI Act: what has changed since February 2025
While France debates dispositif by dispositif, the European Union has decided as a bloc. The Regulation on Artificial Intelligence — the AI Act — came into force on 1 August 2024. Its first bans have been applicable since 2 February 2025.
Three bans directly concern facial recognition:
- Real-time remote biometric identification in spaces accessible to the public is forbidden, except in narrow exceptions for law enforcement (targeted search for a kidnapping victim, prevention of an imminent terrorist threat, identification of a suspect in a serious offence on a closed list). These exceptions require prior authorisation and strict framing.
- The creation or extension of facial recognition databases through untargeted scraping of images extracted from the internet or video-surveillance is forbidden — that is precisely the Clearview model, now explicitly prohibited across the Union.
- Emotion inference in the workplace and in educational institutions through AI systems is forbidden, except for medical or safety uses.
The full regime for so-called "high-risk" AI systems — which includes many biometric applications outside real-time — will come into force on 2 August 2026.
For France, the AI Act does not radically change the picture: the national red line was already stricter than the European minimum on several points. But it gives the French framework a European foundation: a dispositif that would circumvent the French red line would now also run up against Union law, directly enforceable against member states and private actors.
TAJ, BriefCam, Disclose: the grey zones persist
This is where the picture gets complicated. The official red line has held, but several recent affairs document uses that come close to it — or cross it.
The TAJ. The traitement des antécédents judiciaires (police antecedents file) is the principal file of the French national police and gendarmerie. According to data reported by the specialised press and parliamentary inquiries, it contained in February 2022 more than 24 million records of individuals investigated, including 8 million anonymised. The records include photographs registered with technical characteristics enabling biometric matching. An official feature has existed in law enforcement's mobile terminals since 2022: a photo taken in the field can be searched against the TAJ via facial recognition, in a framework strictly reserved for judicial investigations and individually authorised agents.
The BriefCam affair. The video-analysis software produced by this Israeli company, a Canon subsidiary, was acquired by several police and gendarmerie services without the CNIL being officially informed. This was revealed by Disclose in November 2023. The Interior Ministry published, on 28 October 2024, its administrative inquiry report. The official finding is precise: out of nearly 600 operations of the software by police services, the report identifies a single case of illegal use of the facial recognition feature.
This wording matters. It nuances broader presentations of the case that have circulated in the press and in some organisations. The official report speaks of a single case, not of massive use. The CNIL then issued, on 5 December 2024, several formal notices recalling the need to technically prevent any activation of the software's facial recognition function.
The Disclose investigation of March 2026. The investigative outlet published, on 16 March 2026, a video investigation claiming that police officers and gendarmes use, on their service phones, facial recognition linked to the TAJ — including during identity checks outside any strict judicial framework. The investigation generated several written questions to the National Assembly, notably written question no. 14143. At the time of this research, no consolidated government response has been publicly identified.
These three elements — TAJ, BriefCam, Disclose investigation — belong to different legal registers. The TAJ has a legal basis. BriefCam has been brought into compliance after a CNIL inspection. The Disclose investigation, at this stage, falls within the realm of documented but not court-confirmed media allegations. But together, they sketch the blind spot of the French framework: the uses that develop in the grey zone between official legal framework, operational practice and effective control.
Europe's position: a feeling of constant surveillance
The European Data Protection Board (EDPB) adopted, in its final version of May 2023, its Guidelines 05/2022 on the use of facial recognition by law enforcement. The doctrine is firm: these technologies, by their capacity to identify discreetly and at scale, can have an effect on freedom of expression, religion, association and assembly.
This formulation of the "general feeling of constant surveillance" is not anecdotal. It says that the heart of the problem is not only the technical performance of facial recognition — its accuracy rate, its demographic biases, its false positives. The problem is also sociological and democratic: from the moment a population knows, or assumes, that it can be biometrically identified at any moment in public space, collective behaviour changes. Protesting, attending a place of worship, going to a sensitive medical consultation, meeting a source if one is a journalist — all these actions become potentially traceable acts. The legal effect has a name: the chilling effect, the self-censorship of public freedoms.
The European Court of Human Rights has already ruled on one such case. In Glukhin v. Russia, decided on 4 July 2023, it held that the use of facial recognition by Russian authorities to identify and then prosecute a peaceful protester holding a placard in favour of a political opponent violated articles 8 (private life) and 10 (freedom of expression) of the Convention. The Court considers that this type of use is "incompatible with the ideals and values of a democratic society governed by the rule of law".
The ruling concerns Russia. It has a pedagogical scope for the entire Council of Europe: facial recognition used against protesters is not, in principle, compatible with fundamental rights. The French authorities, party to the Convention, take this into account in their doctrinal choices.
And the private sector? Airports, sporting events, companies
The French debate often focuses on the state. But facial recognition is also being installed, and to a growing extent, in private or hybrid contexts: corporate access controls, smoothing of border crossings in airports, identification of athletes at sporting events, management of spectators in some venues.
Several cases have been documented in 2024-2025. The press has notably revealed the illegal use of facial recognition in some French sporting events to identify runners on finish-line photos. A CNIL referral is under way; as of writing, no final public decision has been identified.
In the workplace, facial recognition dispositifs for attendance tracking are emerging. They raise a triple question: the real consent of employees (who are in a subordinate relationship), proportionality in light of less intrusive alternatives (badges, codes), and the centralisation of biometric templates (which in practice multiplies the risks of leak or reuse).
At borders, the European Data Protection Board has issued a specific opinion on facial recognition in airports. It distinguishes several scenarios: voluntary and consented authentication (for example a "facilitated" path reserved for passengers who request it), with local and temporary storage of the biometric template, versus systematic identification of all passengers with the creation of a centralised database. The first is legally defensible. The second raises, for the board, substantial proportionality issues.
On all these subjects, the GDPR remains the general norm. Lawfulness depends on context, legal basis, centralisation or not of templates, real consent, and proportionality. There is no global answer of the type "private facial recognition is always authorised" or "always forbidden". There is a grid of analysis, applied case by case.

Public opinion: a demand for stricter framing
The Défenseur des droits (France's ombudsman) published in 2022 a survey on the social perception of biometric technologies in France. The central figure: 84% of respondents consider it a priority or important to strengthen the legal framing of these technologies in order to better guarantee respect for rights.
The result does not say that the French population is hostile to facial recognition as a whole. It says that it is not satisfied with the current state of the debate. This is an important political fact: on this issue, pressure from public opinion does not systematically run in the direction of liberalisation. It runs rather in the direction of a demand for legal clarity and tighter control.
What the Conseil d'État decision implies
Let us return to the decision of 30 January 2026. Its immediate scope is clear: no systematic algorithmic video on public roads without a dedicated law. But its wording contains an implicit message, important for the rest of the debate.
The Conseil d'État does not say "forbidden, full stop". It says "not authorised as the law currently stands". The nuance is crucial. It explicitly leaves open the possibility of a future law that would establish a legal basis for these dispositifs — as the 2024 Olympic Games Law did for augmented cameras in the framework of major events. The decision is therefore as much a message to the legislator as a signal to local authorities.
Several scenarios are on the table in the French debate:
- Extension of the Olympic Games experiment beyond 31 March 2025, in an adapted form. The mixed operational results make this scenario harder to argue.
- A specific law on algorithmic video-surveillance in sensitive spaces (railway stations, airports, school surroundings) — without facial recognition. This scenario follows the logic of framing by use case.
- The status quo, relying on the current framework and on the application of the AI Act. This is probably the most legally stable scenario, but the least satisfactory for public safety actors who advocate for technical upgrades.
On facial recognition stricto sensu in public spaces, no recent political signal suggests a revision of the red line. Neither the government nor the National Assembly has begun preparatory work in that direction. But the Disclose investigation of March 2026 and the parliamentary questions that followed have reopened the debate on existing police uses — TAJ, mobile terminals, identification within investigations. It is on this terrain, more than on that of a new law, that the red line could be tested in the months to come.
A political question, not just a technical one
The debate on facial recognition is often presented as a debate on technical performance: What can algorithms really do? What are their demographic biases? How many false positives? These questions are important: the reference NIST report assesses 189 algorithms on 18.27 million images and confirms the existence of significant biases according to the ethnicity, gender and age of persons.
But this is not the heart of the debate. The heart of the debate is democratic. As the CNIL wrote as early as 2019, the question posed is that of a possible paradigm shift: the shift from targeted surveillance of certain suspected individuals to the possibility of permanent surveillance of all in order to identify a few.
This is a question that cannot be settled solely by the yardstick of performance or operational effectiveness. It requires a collective debate on what a democratic society is willing to surrender in terms of anonymity in public space. On what it means to be able to walk in the street without being biometrically identified. On what it means to protest, to attend a place of worship, to meet a source, without leaving an exploitable digital trace.
These questions also arise for independent media like Kero: the protection of sources, the confidentiality of meetings, the anonymity of witnesses require a public space where certain gestures remain traceable only in a targeted way — not by default.
The French red line, in 2026, still holds. It holds because it is held: by the CNIL, by the Conseil d'État, by associations that contest, by journalists who investigate, by the legislator who has not voted through the extension. It is also fragile: weakened by the layering of adjacent tools, by the grey zones documented by Disclose, by the pressure of security actors who advocate for more resources.
The debate is not closed. As the EDPB wrote, the stake is to prevent the day when, in our cities, a feeling of constant surveillance replaces what gives a public space its democratic character: the possibility of moving through it without having to justify oneself.
Sources
- CNIL — Facial recognition: for a debate worthy of the issues at stake, 15 November 2019
- CNIL — Experiment of facial recognition in two high schools (Nice and Marseille), 29 October 2019
- ALICEM decree of 13 May 2019, Légifrance
- Conseil d'État — Decision no. 432656 on ALICEM, 4 November 2020
- Défenseur des droits — Biometric technologies: the imperative respect for fundamental rights, 19 July 2021
- Défenseur des droits — 2022 survey on the perception of biometric technologies
- Senate — Biometric recognition in public space: 30 proposals to avert the risk of a surveillance society, 10 May 2022
- Légifrance — CNIL deliberation SAN-2022-019 against Clearview AI, 17 October 2022
- Légifrance — CNIL deliberation SAN-2023-005 against Clearview AI (penalty payment), 10 May 2023
- European Data Protection Board (EDPB) — Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, final version May 2023
- European Court of Human Rights — Press release Glukhin v. Russia, 4 July 2023
- CNIL — Olympic Games 2024: questions and answers, 25 June 2024
- Interior Ministry — BriefCam report, 28 October 2024
- CNIL — Formal notices on the use of BriefCam, 5 December 2024
- Vie publique — Evaluation report on the experiment of algorithmic image processing, 10 January 2025
- CNIL — Entry into force of the AI Act, 2 February 2025
- European Parliament — AI Act: first regulation on artificial intelligence
- Légifrance — Conseil d'État, decision no. 506370 of 30 January 2026, municipality of Nice
- Conseil d'État — Statement on the Nice case, 30 January 2026
- Disclose — Facial recognition deployed at scale on law enforcement officers' phones, 16 March 2026
- National Assembly — Written question no. 14143 on the prohibited use of facial recognition software
- Amnesty International France — Facial recognition: nine questions to understand
- La Quadrature du Net — Surveillance page
- NIST — Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects