A pseudonym is not the same as anonymity: CNIL imposes a €5 million fine on IQVIA – and what the CJEU’s ‘SRB’ ruling has to do with it

CNIL, 26 May 2026 – SAN-2026-008 (IQVIA OPERATIONS FRANCE)
The French data protection authority, the CNIL, has imposed a fine of €5 million on the health data company IQVIA OPERATIONS FRANCE – primarily because it failed to comply with data subject protection requirements whilst operating health data warehouses.
IQVIA conducts studies for pharmaceutical companies, relying for this purpose on two health data warehouses (which had previously been authorised by the CNIL) containing data from around 14,000 pharmacies and several thousand doctors. During a subsequent audit, the CNIL found that, in practice, requirements regarding the provision of information to data subjects, the exercise of data subjects’ rights and data security had not been met.

IQVIA assumed that the data was anonymous and that data protection law therefore did not apply. The key argument in support of this position would be the ‘SRB’ judgment of the European Court of Justice (4 September 2025, C-413/23 P). That judgment described the personal nature of data as relative: the same pseudonymised data may be personal data for the controller who holds the key, whilst being anonymous for a third party that has no means of re-identifying the individuals.

However, the CNIL did not consider this to be the case here. It argued that the data in the warehouses was not anonymous, but merely pseudonymous, because re-identification was possible using reasonable means.
Three points were key to this conclusion:

  • a unique identifier for each patient,
  • the depth of the data collected (e.g. year of birth, gender, prescriptions, diagnoses, symptoms, allergies, weight, height, pulse, vaccinations, examinations, sick notes) and
  • the possibility of identifying individuals by combining the IQVIA data with publicly available information.

According to the CNIL, there were further factors that undermined the claim of anonymity:

  • The rapporteur in the proceedings clearly illustrated just how easy re-identification can be in practice using an example: a patient from a study was identified within a few minutes via a Facebook support group.
  • Even contractual prohibitions, such as those preventing partners from re-identifying individuals, did not mean that the data could be regarded as anonymous in this case. Although a statutory prohibition could render the appropriateness of the measures irrelevant, mere contractual agreements are not sufficient for this purpose.
  • In contrast to the SRB ruling, the company was not merely a recipient of pseudonymised data in this case, but was to be regarded as the controller of the entire processing operation from the moment the data was collected. According to the CNIL, this role as controller argues against treating the data as anonymous. The ‘relativity’ principle from the SRB judgment helps the third party without a key – not the company that set up the data warehouse itself and brings the rich data together.
  • The fact that IQVIA had no intention of re-identifying individuals is irrelevant – what matters is solely the possibility of re-identification.
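As an added illustration (not part of the CNIL decision and unrelated to IQVIA's actual systems), the Python below measures how far attributes of the kind listed above single out records in a constructed pseudonymised table: the per-patient token is deliberately left out, and re-identification risk is estimated from the quasi-identifiers alone, first at full precision and then after coarsening them into bands. All records and attribute values are invented.

```python
from collections import Counter

# Constructed, invented pseudonymised records: a per-patient token ("pid")
# instead of a name, plus a few of the attribute types the CNIL listed.
RECORDS = [
    {"pid": "p001", "birth_year": 1984, "sex": "F", "weight_kg": 61, "height_cm": 168, "diagnosis": "asthma"},
    {"pid": "p002", "birth_year": 1984, "sex": "F", "weight_kg": 58, "height_cm": 165, "diagnosis": "asthma"},
    {"pid": "p003", "birth_year": 1987, "sex": "F", "weight_kg": 63, "height_cm": 162, "diagnosis": "migraine"},
    {"pid": "p004", "birth_year": 1981, "sex": "F", "weight_kg": 55, "height_cm": 160, "diagnosis": "asthma"},
    {"pid": "p005", "birth_year": 1976, "sex": "M", "weight_kg": 82, "height_cm": 180, "diagnosis": "hypertension"},
    {"pid": "p006", "birth_year": 1976, "sex": "M", "weight_kg": 82, "height_cm": 180, "diagnosis": "hypertension"},
    {"pid": "p007", "birth_year": 1972, "sex": "M", "weight_kg": 85, "height_cm": 181, "diagnosis": "diabetes"},
    {"pid": "p008", "birth_year": 1979, "sex": "M", "weight_kg": 80, "height_cm": 183, "diagnosis": "hypertension"},
]

# Quasi-identifiers: attributes an outsider could plausibly learn from public
# sources and match against. The pseudonym itself is excluded on purpose;
# the token is what pseudonymisation replaced, not what makes rows unique.
RAW = {"birth_year": lambda v: v, "sex": lambda v: v,
       "weight_kg": lambda v: v, "height_cm": lambda v: v}
# One generalisation level: decade of birth, 10 kg and 10 cm bands.
BANDED = {"birth_year": lambda v: v // 10 * 10, "sex": lambda v: v,
          "weight_kg": lambda v: v // 10 * 10, "height_cm": lambda v: v // 10 * 10}

def equivalence_classes(records, generalisers):
    """Count how many records share each (generalised) quasi-identifier tuple."""
    keys = [tuple(fn(r[col]) for col, fn in generalisers.items()) for r in records]
    return keys, Counter(keys)

def k_anonymity(records, generalisers):
    """Smallest class size; k == 1 means at least one record is singled out."""
    _, counts = equivalence_classes(records, generalisers)
    return min(counts.values())

def unique_fraction(records, generalisers):
    """Share of records that are alone in their class (directly linkable)."""
    keys, counts = equivalence_classes(records, generalisers)
    return sum(1 for k in keys if counts[k] == 1) / len(records)

if __name__ == "__main__":
    for name, g in (("raw", RAW), ("banded", BANDED)):
        print(f"{name}: k={k_anonymity(RECORDS, g)}, unique={unique_fraction(RECORDS, g):.2f}")
```

At full precision six of the eight records are unique on four attributes alone, which is the situation the CNIL describes; banding removes singletons in this toy table, but a small k on a handful of quasi-identifiers is a risk measurement, not evidence of anonymity, and the diagnosis column and any linkable public source still have to be assessed.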

In terms of substance, the CNIL then criticised various shortcomings in security and data subject protection (including, in some cases, a failure to regularly review access logs; a lack of multi-factor authentication; incorrect patient information; and the absence of a procedure for the right to object). In some cases, this was compounded by the fact that the pharmacies did not properly inform their customers about the transfer of data to IQVIA, and that the pharmacy software itself forwarded patient data without consent (a breach of ‘Privacy by Design’).

The sensitivity of the health data and the volume of data played a central role. The CNIL emphasised these factors in relation to the protection requirements and explicitly took them into account when determining the amount of the fine – alongside the number of data subjects (several tens of millions), the company’s market position and its financial strength. However, pseudonymisation itself was regarded as a mitigating factor, as it at least ruled out direct identification.

For companies in the e-health sector, this means that when pseudonymised (health) data is used in data warehouses, real-world evidence products or for AI training, the claim of anonymisation must be examined in detail. Data controllers who merge rich, longitudinal datasets containing unique identifiers will, in most cases, still be dealing with re-identifiable data. In such cases, companies will have no choice but to distinguish between individual scenarios based on the potential for re-identification. Only then can one be confident that the data is no longer subject to data protection requirements.

Legal action may generally be taken against CNIL fines, meaning that the decision is not necessarily final.

(Dr. Marian Klingebiel, Unverzagt Law)