On May 16, 2024, the CNIL launched a public consultation on all of its health data standards.  Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.

French law has specific requirements for the processing of health data.  In particular, it generally requires that the processing either comply with one of the French Supervisory Authority’s (“CNIL”) standards (such as the méthodologies de référence or “MRs” – hereafter Health Data Standards”) or be specifically authorized by the CNIL. 

Since 2018, the CNIL has issued multiple Health Data Standards to cover a variety of processing activities, such as medical research and pharmacovigilance.  However, as technologies deployed in the health sector rapidly evolve, some of these standards have become outdated and fail to adequately meet industry practices and needs.  For instance, conducting a decentralized clinical trial is typically challenging under the current Health Data Standards, meaning that sponsors are often forced to pursue the more burdensome and time consuming CNIL authorization. 

The consultation questionnaire released by the CNIL is divided in five sections:

  • the Health Data Standards covering research activities;
  • the other Health Data Standards (e.g., on pharmacovigilance);
  • adaptation required because of the increasing use of AI;
  • specific documentation the CNIL could provide; and
  • participation to upcoming working groups – the CNIL encourages participants to identify any topics they consider as high priorities, in particular as the CNIL is considering setting up some working groups on high priorities.

The CNIL also used this opportunity to summarize its recommendations and best practices relating to three aspects of decentralized clinical trials.  These guidelines cover:

  • Electronic information notices (see here) – The CNIL highlights the importance of ensuring that the confidentiality of the data is sufficiently protected and identifies some security measures to that end.  For instance, where the notice contains direct or indirect health information about the individual, the CNIL considers that it may only be sent to a regular email address (as opposed to via a secure platform) provided that (i) the subject and text of the email do not include any sensitive data, (ii) the notice itself is shared as an encrypted attachment or via a password-protected link and (iii) the relevant encryption key or password is shared separately and via different means (e.g., by post);
  • Following-up and monitoring patients at home (see here) – The CNIL reminds sponsors how they can make such arrangements while still complying with the Health Data Standards (in particular where the sponsor relies on a third party);
  • Remote quality control (see here) – Sponsors who wish to engage in remote quality control currently cannot do so while relying on a Health Data Standard and need to obtain a specific authorization from the CNIL. However, the CNIL has compiled a list of best practices that, if complied with, would facilitate the authorization process.  Such best practices include transparency requirements, the consultation of the data protection officer, precautions concerning remote consultation and the professional secrecy of clinical research associates, and a list of security measures (including a requirement that the data be stored in the EU or an EU-adequate country).

These guidelines are only temporary, as the CNIL intends to better address these issues in the updated version of its Health Data Standards.  The consultation questionnaire thus also enables participants to comment on these guidelines.  In terms of timeline, the CNIL will analyze responses to this public consultation during Summer and Fall 2024.  Some updated Health Data Standards are expected in the course of 2025, starting with the ones identified as high priorities during the consultation. 

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Alix Bertrand Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix…

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.