In France, we have an expression to describe institutional overreach: “To be more Royalist than the King.” That is an apt way to describe how CNIL–National Commission on Informatics and Liberty–has over-interpreted General Data Protection Regulation (GDPR) enforcement in a way that has led to unintended consequences.