The CNIL Fines IQVIA €5 Million: Pseudonymization Remains GDPR for Key Holders

TL;DR: the CNIL fines IQVIA €5 million; under the GDPR, pseudonymization is not anonymization for the entity holding the keys, a finding that affects 102 operators.

The CNIL has fined IQVIA OPERATIONS FRANCE €5 million in decision SAN-2026-008 dated May 26, 2026, made public on May 28, 2026 (the restricted committee held its session on March 26, 2026). The procedure targeted two health data warehouses operated by the French subsidiary of the American group IQVIA: LRX, authorized in 2018 and fed by about 14,000 French pharmacies, and EMR, authorized in 2021 and fed by several thousand doctors. The deliberation found that the processed data concerned several tens of millions of people - year of birth, gender, prescriptions, diagnoses, symptoms, allergies, socio-professional details, and unique care pathway identifiers. According to the official CNIL statement, the regulator also ordered compliance within six months, under penalty of €10,000 per day of delay. The company reserves the right to appeal. The fine remains below the ceiling of 4% of global consolidated annual turnover set by Article 83 of the GDPR.

Impact Beyond IQVIA: 102 Operators Share the Same Architecture

As of September 1, 2025, the portal esante.gouv.fr listed 125 health data warehouses authorized by the CNIL, managed by 102 distinct actors - pharmaceutical publishers, public research organizations, insurance platforms, conventional hospital structures. All rely on the same technical foundation: pseudonymization of patient data before it is opened to secondary use. The reasoning the regulator applied to IQVIA - pseudonymization is not anonymization for the entity holding the keys - targets, by construction, an architectural trait rather than a peculiarity of this case. The CNIL had already made health data an explicit axis of its doctrine through its dedicated call for projects. The May 26, 2026 deliberation extends that doctrinal foundation to the legal qualification itself, structurally exposing each of the 101 other operators, as initial controller holding the re-identification keys, to the same framework - subject to the technical architecture specific to each system, whether in the pharmaceutical industry, insurance, or public research.

Pseudonymization: An Architectural Layer Caught by the Initial Controller's Qualification

For a CIO operating a warehouse, pseudonymization is a technical layer: an encrypted correspondence table on one side, derived data sets on the other. IQVIA's defense relied on this separation, citing the CJEU ruling C-413/23 P EDPS v. SRB of September 4, 2025 - the EDPS, the European Data Protection Supervisor, against the Single Resolution Board, a banking authority whose applicable regime (Regulation 2018/1725, the institutional counterpart of the GDPR for Union institutions) carries over to this case unchanged. The Court of Luxembourg held that pseudonymization is a status relative to the observer: as long as the entity retains the re-identification keys, the data remains personal - a qualification the CNIL transposes to the GDPR through the parallel definitions of Articles 4(1) and 4(5). "The pseudonymization measures only reduce the risks of correlation... but do not eliminate them," the restricted committee held. For the warehouse's project manager, the architectural consequence is clear: as long as the correspondence table sits within its operational perimeter, the personal data regime applies to the entire system, not only to the zone that still holds direct identifiers. Beyond this finding on qualification, five documented technical and procedural shortcomings were noted: insufficient information given to data subjects, a right to object that was ineffective in practice, no multi-factor authentication on the EMR warehouse, connection logs not regularly analyzed, and inaccurate information notices - plus the finding that none of the inspected pharmacies informed their customers of the transmission. One architectural nuance that the SRB ruling explicitly carries, and that the CNIL decision does not address, remains: if a recipient lacks the means reasonably likely to be used to relate the data to an identifiable person, the pseudonymized data are not personal data for that recipient. In other words, two components of the same chain may fall under different regimes depending on their access to the keys. The sanction targets IQVIA as the initial controller; it does not prejudge the regime applicable to third parties receiving extracts without access to the re-identification table.
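The two-sided architecture described above can be made concrete with a short model. The following Python is an added example, not code from the CNIL decision, from IQVIA or from any warehouse operator; the records, names, identifiers and key are all constructed. It shows the point the committee relies on: for the controller holding the key and the correspondence table, re-identification is a lookup, so the derived data set is personal data for it; the derived records meanwhile stay linkable to one another by pseudonym, which is the residual correlation the committee says pseudonymization reduces but does not remove.

```python
import hmac
import hashlib

# Constructed sample records (hypothetical people); the fields mirror the
# categories named in the decision: year of birth, gender, prescriptions.
RAW_RECORDS = [
    {"patient_id": "FR-0001", "name": "Alice Martin", "birth_year": 1971, "sex": "F", "rx": "metformin"},
    {"patient_id": "FR-0002", "name": "Bruno Leroy", "birth_year": 1985, "sex": "M", "rx": "amoxicillin"},
    {"patient_id": "FR-0001", "name": "Alice Martin", "birth_year": 1971, "sex": "F", "rx": "atorvastatin"},
]

# Fields that are removed from the derived data set and kept only in the table.
DIRECT_IDENTIFIERS = ("patient_id", "name")


def make_pseudonym(key: bytes, patient_id: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated for readability).

    The same patient always gets the same token, so records remain linkable;
    without the key the token cannot be recomputed or reversed.
    """
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(key: bytes, records: list) -> tuple:
    """Split raw records into (derived data set, correspondence table).

    The table stays in the initial controller's perimeter; the derived data set
    is what is opened to secondary use.
    """
    table = {}
    derived = []
    for rec in records:
        token = make_pseudonym(key, rec["patient_id"])
        table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        derived.append(
            {"pseudo": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return derived, table


def reidentify(table: dict, derived_record: dict) -> str:
    """Key holder's view: resolving a token back to a person is a table lookup."""
    return table[derived_record["pseudo"]]["name"]


def linked_records(derived: list) -> dict:
    """Group derived records by pseudonym.

    This is the linkage that pseudonymization deliberately preserves (one
    patient's care pathway across records) and that the committee describes
    as a correlation risk that is reduced, not eliminated.
    """
    groups = {}
    for rec in derived:
        groups.setdefault(rec["pseudo"], []).append(rec)
    return groups


if __name__ == "__main__":
    import secrets

    key = secrets.token_bytes(32)  # constructed key; in practice kept in a KMS/HSM
    derived, table = pseudonymize(key, RAW_RECORDS)
    print("derived record (what leaves the perimeter):", derived[0])
    print("key holder resolves it to:", reidentify(table, derived[0]))
    for token, recs in linked_records(derived).items():
        print(f"{token}: {len(recs)} linkable record(s)")
```

The two observers in the decision correspond to two inputs: the key holder has `table` and can call `reidentify`; a recipient has only `derived` and can still call `linked_records`, which is exactly why its status depends on what other means it has of relating a token to a person.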

Two Regulatory Horizons Define the Preparation Window for Tech Teams

For a CIO or CTO operating a warehouse today, the status of third-party recipients remains unsettled, pending two deadlines that delimit the operational preparation window. EU Regulation 2025/327 of February 11, 2025, establishing the European Health Data Space, sets March 2029 for the entry into application of its secondary-use component, which will precisely organize the technical conditions under which third parties - academic research, pharmaceutical industries, public authorities - access pseudonymized data. ActuIA detailed the five canonical use cases of the future EHDS as early as the negotiation phase of the text. Until that component applies, the regime of each outgoing flow - extractions, third-party APIs, project shares - must be assessed case by case under the GDPR read in light of the SRB ruling. The other horizon is doctrinal: the European Data Protection Board (EDPB) held a stakeholder event on December 12, 2025, linked to a discussion paper, intended to integrate the SRB ruling's contribution into its Guidelines 01/2025 on pseudonymization. The SAN-2026-008 deliberation sets the regime applicable to the data controller holding the keys; for flows to third parties without access to the keys, the EDPB Guidelines 01/2025 - whose public consultation closed at the end of 2025 - will provide the answer, with finalization following the usual schedule of 12 to 18 months after consultation, i.e., 2027 at the earliest.