CNIL — Commission Nationale de l’Informatique et des Libertés
Overview
CNIL is France’s independent data protection authority, established by the Loi Informatique et Libertés (loi n° 78-17) of 6 January 1978, one of the earliest national data protection laws in the world, predated only by those of Germany (1971) and Sweden (1973). CNIL is responsible for ensuring that data processing activities in France comply with the GDPR (Regulation EU 2016/679) and its French implementing legislation, and has powers of investigation, sanction, and guidance. It issues binding authorisations for certain categories of sensitive data processing, including health and genetic data, and virtually any research project involving personal health data in France requires either a CNIL authorisation or a declaration of conformity to a CNIL reference methodology before data collection or processing can begin. Under EHDS, CNIL will play a supervisory role in French compliance with secondary use provisions, working alongside the Health Data Hub and whichever body France formally designates as its HDAB.
Role in Health and Research Data
Health data is a special category under GDPR (Article 9) and requires explicit legal basis and, in France, specific CNIL oversight. CNIL has developed a set of reference methodologies (Méthodologies de Référence, MR) that define standard conditions under which research involving personal health data may proceed without individual authorisation, provided the study conforms strictly to the methodology. Studies that do not conform to a reference methodology require an individual CNIL authorisation, which involves a formal dossier and review process, and in some cases a prior opinion from the CESREES (Comité Ethique et Scientifique pour les Recherches, les Etudes et les Evaluations dans le domaine de la Santé).
Relationship to Health Data Hub and SNDS
Access to the SNDS via the Health Data Hub is conditional on CNIL authorisation or conformity to the relevant reference methodology for SNDS-based research. The Health Data Hub operates under a CNIL-approved framework and acts as a trusted intermediary, but individual research projects accessing SNDS data through the platform must still obtain their own CNIL clearance. CNIL audits Health Data Hub operations and has previously issued formal notices regarding data hosting arrangements.
Relationship to Biobanks and Genomics
Banque ADN et Cellules and all French biobanks operating under the Code de la Santé Publique must comply with CNIL requirements for the collection, storage and reuse of biological samples and associated personal data.
Relationship to GDPR and EHDS
CNIL is France’s designated supervisory authority under GDPR and participates in the European Data Protection Board (EDPB), which coordinates enforcement across EU member states. In the context of EHDS, CNIL will play a role in overseeing French compliance with secondary use provisions, working alongside whichever body France formally designates as its HDAB. The HDAB designation remains unresolved as of 2025 (see ANS and Health Data Hub).
Relationship to ANS and Code de la Santé Publique
CNIL works in close coordination with ANS on health IT standardisation and data security requirements. The Code de la Santé Publique provides the legislative framework within which CNIL operates for health research, defining the categories of research that require ethics committee approval (CPP or CESREES) alongside CNIL clearance.
Connections
- Designated supervisory authority under: GDPR
- Oversees: Health Data Hub, SNDS
- Coordinates with: ANS, Health Data Hub
- Legislative basis: Code de la Santé Publique

