What CNIL Found
On May 26, 2026, France's Commission Nationale de l'Informatique et des Libertés issued Deliberation SAN-2026-008, fining IQVIA Operations France — the French subsidiary of the US health analytics group — €5 million for violations across its two authorized health data warehouses. The fine carries a secondary penalty of €10,000 per day if IQVIA fails to remediate the identified breaches within six months.
IQVIA operates the LRX warehouse (authorized 2018), sourced from approximately 14,000 French pharmacies, and the EMR warehouse (authorized 2021), drawing on data from several thousand physicians. These warehouses serve legitimate commercial purposes: pharmaceutical market research and pharmacovigilance studies. CNIL did not dispute the purpose. What investigators found instead was a pattern of structural failures that went well beyond technical oversights.
CNIL identified five categories of violations. Pharmacy patients were not informed that their dispensing data was being transmitted to IQVIA — a direct breach of Article 14 GDPR, which requires data controllers to disclose transfers when personal data is obtained from third parties. Investigators audited four pharmacies; not one had disclosed the arrangement to customers. The EMR warehouse information sheets contained inaccuracies, and IQVIA's right-to-object mechanism was inoperable — patients who tried to exercise their rights reached a dead end. On the security side, the EMR warehouse lacked multi-factor authentication, and connection logs were never analyzed. Most critically, the LRX warehouse was used for studies falling outside the scope of its CNIL authorization — unauthorized processing of sensitive health data. And IQVIA's pharmacy software was designed to transmit patient data even when customers had explicitly refused. The bypass was not a bug; it was a design feature.
IQVIA's Pseudonymization Argument — and Why It Failed
IQVIA's central defense was that its warehouse data was fully anonymous, and therefore outside GDPR's scope entirely. The company pointed to the CJEU's September 4, 2025 ruling in Case C-413/23 P (EDPS v. Single Resolution Board), which established a recipient-relative test for personal data classification. Under that test, pseudonymized data is not automatically personal data for every party in the chain — if a downstream recipient lacks the re-identification key and has no realistic means of reversing pseudonymization, the data may fall outside GDPR's scope for that recipient specifically.
The logic deserves to be taken seriously. A blanket rule treating all pseudonymized data as personal data regardless of context could undermine legitimate health research and restrict data-sharing architectures that have genuine scientific value. The SRB judgment was widely read as opening a legal corridor for architectures that rigorously separate keys from derived datasets — and IQVIA's system did, on paper, separate identifiers from analytics outputs.
CNIL's restricted committee rejected the argument on straightforward grounds. IQVIA is not a downstream recipient without key access — it is the original controller that retains the re-identification keys for both warehouses. From that position, re-identification is not a theoretical risk but a practical capability the company actively holds. The committee stated that pseudonymization measures "only reduce the risks of correlation... but do not eliminate them" when the controller itself holds the linkage mechanism. The SRB corridor was designed for recipients who genuinely cannot re-identify — not for the party that created and controls the mapping in the first place.
There was also a structural contradiction in IQVIA's position: the company had previously sought and obtained CNIL authorization for both warehouses — a step only required for special-category personal data under GDPR Article 9. Having applied for that authorization, IQVIA could not credibly argue the same data was anonymous.
Implications for 125 Warehouses — and a Looming EU Framework
This decision is not isolated. At the time of the ruling, approximately 125 authorized health data warehouses operated in France across 102 distinct actors — pharmaceutical companies, insurers, research organizations, and hospitals — many relying on pseudonymization architectures structurally similar to IQVIA's. CNIL's reasoning in SAN-2026-008 implies that any operator retaining or controlling re-identification keys remains subject to the full Article 9 special-category regime, regardless of how technically sophisticated the separation appears.
The stakes will intensify under the European Health Data Space Regulation (Regulation (EU) 2025/327), which entered into force on March 26, 2025. EHDS creates a formal secondary-use framework for health data, requiring processing within certified secure environments, prohibiting re-identification attempts, and channeling access through national health data access bodies. Secondary use provisions apply from March 2029 — four years for industry to restructure. But CNIL's action makes clear that existing architectures are subject to active enforcement now, not only once EHDS rules kick in.
Proportionate — But the Sector Must Adapt
The health data analytics industry deserves a predictable regulatory framework. IQVIA's warehouses serve genuine scientific purposes — pharmacovigilance and drug safety research depend on large, well-curated datasets, and compliance regimes that make such work prohibitively risky push it offshore or underground. Regulators should be mindful that chilling health data innovation carries its own public health costs.
That said, the failures CNIL documented go well beyond the pseudonymization dispute. Patients could not exercise their right to object. Security logs were unmonitored. Software bypassed explicit refusals. These are foundational GDPR obligations that IQVIA accepted when it sought authorization. The €5 million fine — substantially below GDPR's 4% global annual turnover ceiling — is proportionate to five compounding violations by a large commercial actor.
The actionable lesson for the sector is specific: the SRB ruling does not create a pseudonymization exemption for data controllers. It creates one for data recipients who genuinely lack re-identification capability. Companies building health data architectures need to isolate key-holding functions in genuinely independent trusted third parties — not treat technical separation within a single legal entity as a legal firewall. EDPB Guidelines 01/2025 on pseudonymization, adopted in January 2025, provide the architectural roadmap. With 125 French warehouses watching and EHDS secondary-use rules approaching, the clarification now carries continent-wide weight.