> Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity

Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...

In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.

⁽⁰⁾ French data retention laws are illegal by european standards.