French recruiters are exposing candidate data without knowing it
CLOUD Act, GDPR, AI Act: every resume processed by a US AI can be legally intercepted by American authorities. A real legal risk that most French recruiters are completely unaware of.

Every resume processed by a US AI, whether built into a US ATS or plugged into a European one, can be legally intercepted by American authorities. GPT, Gemini, Claude, Grok: the moment any of these components touches your recruitment process, the CLOUD Act applies. This 2018 US federal law, still largely unknown, ignores borders and certifications alike. It is a real, underestimated legal risk that now affects virtually every recruitment tool used in France.
A resume is more than a document
Name, address, phone number, email, work history, qualifications, sometimes a photo or family situation. A resume is a concentrated identity profile. And contrary to what many believe, it is personal data under the GDPR, subject to the same obligations as a medical record or a bank file.
The France Travail data breach in 2024 made that brutally clear: 43 million people exposed, including names, social security numbers, and contact details. In January 2026, the CNIL fined the organisation €5 million for failing to secure the data. That's just the visible tip of the iceberg.
The CLOUD Act: the problem nobody wants to name
The CLOUD Act, enacted in March 2018, allows US authorities, in the context of criminal proceedings, to compel US companies to hand over electronic data even when that data is stored abroad.
In practice: if your ATS or recruitment AI is published by a US-incorporated company, American authorities can access data physically located outside the United States (including in France), as long as a US company is technically involved in the storage.
But the risk doesn't stop at US-built ATS platforms. A European ATS that sends data to a US AI like GPT (OpenAI), Gemini (Google), Claude (Anthropic) or Grok (xAI) falls into exactly the same situation. The moment any component in the process is operated by a US-incorporated entity, the CLOUD Act applies. It doesn't matter if the front door is European.
The servers may be in Paris or Frankfurt. It makes no difference. These requests are independent of where the data is physically stored.
And most concerning of all: US authorities can access this data without notifying the individuals concerned, without going through local judicial procedures, and without an international mutual legal assistance request. Your candidates will never know. Neither will you.
A real legal conflict, not a theory
The European Data Protection Board has been unequivocal: service providers subject to EU law cannot legally base data transfers to the United States solely on requests made under the CLOUD Act.
In other words: if your US provider complies with an American warrant covering your candidate data, it is potentially violating the GDPR. And you, as the data controller, can be held accountable.
The CNIL is no longer pulling its punches
In 2025, the CNIL issued 83 sanctions totalling €486,839,500 (source: CNIL annual report published 9 February 2026). Two major fines skew that figure upward: Google (€325M) and Shein (€150M). But the simplified procedure now allows fines of up to €20,000 per breach, issued quickly, including against small and medium-sized businesses.
The most common breaches under the simplified procedure? Insufficient data security and failure to respect individuals' rights. These are exactly the kinds of breach that using an unaudited US tool can produce.
What this means in practice for a recruiter
If you use a US-governed ATS or recruitment AI without a data protection impact assessment (DPIA), without specific contractual clauses and without informing candidates about transfer risks, you are potentially in breach. Not hypothetically. Legally.
The GDPR requires a retention period of no more than 2 years, a declared purpose, and a right of access fulfilled within 1 month. The EU AI Act, in force since August 2024, classifies CV screening and scoring tools as high-risk systems. Obligations will only keep increasing.
What this means for your choice of tools
The question isn't "Is my provider ISO 27001 certified?" The question is: "Is it subject to US law?" If so, no certification neutralises the CLOUD Act.
Sovereign solutions exist. At Intuition Software, JobAffinity is a 100% French ATS, hosted on servers in France, with French AI, outside the scope of the CLOUD Act. That's not a marketing argument: it's a legal response to a real risk.
Your candidates trusted you with their data. The question is simple: who have you passed it on to?
Sources
- CNIL: 2025 sanctions report, published 9 February 2026
- CNIL: France Travail fine (€5M), 22 January 2026
- CLOUD Act, H.R. 4943, Clarifying Lawful Overseas Use of Data Act, March 2018
- EDPB-EDPS: Joint position on the CLOUD Act, European Data Protection Board
- AI Act, Regulation (EU) 2024/1689, in force since 1 August 2024