CNIL and HAS Partner to Strengthen Digital Health Privacy and AI Governance in France
What Happened: CNIL and HAS Announce Strategic Partnership
On March 10, 2026, the French National Commission for Information Technology and Civil Liberties (CNIL) and the French National Authority for Health (HAS) signed a partnership agreement to strengthen best practices in digital health. The collaboration specifically targets personal data protection and fundamental rights related to digital tools in healthcare, including artificial intelligence (AI).
The partnership aims to:
- Promote data protection and rights in digital health tools, with a focus on AI governance.
- Adapt European regulatory requirements to the French healthcare context.
- Improve data security practices and integrate digital and AI requirements into healthcare certification and evaluation processes.
A key milestone is a joint recommendation expected in the second quarter of 2026 on the proper use of AI in healthcare, which will outline legal and regulatory frameworks. This initiative addresses emerging challenges like data exploitation and sharing in AI-driven healthcare tools, aiming to provide operational guidance to secure practices, prevent rights violations, and support responsible innovation.
Why It Matters: Navigating the Intersection of Healthcare and Data Privacy
This partnership is significant because it directly addresses the complex regulatory landscape at the intersection of healthcare, data privacy, and AI. Digital health technologies—from telemedicine platforms to AI diagnostic tools—process vast amounts of sensitive personal data, making them subject to stringent regulations.
GDPR Compliance in Healthcare: The General Data Protection Regulation (GDPR), in effect since 25 May 2018, imposes strict requirements on processing health data, which is classified as a special category under Article 9. Organizations must ensure lawful bases, implement robust security measures, and uphold data subject rights like access and erasure. The CNIL-HAS collaboration aims to provide tailored guidance to help healthcare entities meet these obligations, particularly as they adopt new digital tools.
AI Governance Implications: Under the EU AI Act (Regulation (EU) 2024/1689), AI systems such as those used for medical diagnostics (or, outside healthcare, for recruitment) are classified as high-risk under Annex III. Obligations for high-risk AI systems, including conformity assessments and transparency requirements, apply from 2 August 2026. The joint recommendation expected in Q2 2026 will help organizations align with these rules, addressing issues like algorithmic bias and data integrity. For more on AI governance in healthcare, see our guide to AI compliance in medical imaging.
Broader Regulatory Context: The partnership also aligns with other EU frameworks, such as the NIS2 Directive (Directive (EU) 2022/2555) for cybersecurity in essential sectors like health, and the Digital Operational Resilience Act (DORA), which applies to financial entities but underscores the importance of ICT risk management. By adapting these European requirements to the French context, CNIL and HAS aim to create a cohesive compliance environment that protects patient data while fostering innovation.
What Organizations Should Do: Actionable Compliance Steps
Healthcare providers, technology vendors, and other stakeholders in the digital health ecosystem must proactively adapt to the evolving guidance from CNIL and HAS. Here are key steps to enhance data privacy and AI governance:
- Conduct Data Protection Impact Assessments (DPIAs): Under GDPR Article 35, DPIAs are mandatory for high-risk processing, such as using AI in healthcare. Regularly assess risks related to data collection, storage, and sharing in digital health tools. Tools like BigID or Securiti AI can automate data discovery and mapping to streamline this process—contact vendors for pricing details.
- Implement Robust Security Measures: Align with frameworks like ISO/IEC 27001:2022 for information security management and the NIST Cybersecurity Framework 2.0 (published February 2024) for risk management. Ensure encryption, access controls, and incident response plans are in place, especially for cloud-based health platforms.
- Prepare for AI Act Compliance: For high-risk AI systems in healthcare, start mapping obligations under the EU AI Act, such as maintaining technical documentation and ensuring human oversight. Refer to resources like our EU AI Act compliance roadmap for guidance. Monitor the joint CNIL-HAS recommendation in Q2 2026 for sector-specific insights.
- Enhance Transparency and Consent Practices: Under GDPR and AI regulations, provide clear information to patients about data usage and AI involvement. For example, the Illinois AI Video Interview Act (effective 1 January 2020) requires consent for AI-analyzed video interviews—similar principles apply in healthcare contexts.
- Leverage Compliance Tools: Platforms like AIGovHub offer integrated solutions for GDPR compliance and AI governance, helping organizations manage regulatory requirements across jurisdictions. Explore features for automated reporting and risk assessments to stay ahead of audits.
For broader insights, check our guide to AI governance in emerging technologies, which covers wearables and data centers relevant to health tech.
Related Resources and Next Steps
The CNIL-HAS partnership underscores the critical need for ongoing vigilance in digital health privacy. As regulations evolve, organizations should:
- Monitor updates from CNIL and HAS, especially the joint AI recommendation in Q2 2026.
- Engage with industry groups to share best practices on data protection and AI ethics.
- Invest in training for staff on GDPR and AI governance, as AI literacy obligations under the EU AI Act apply from 2 February 2025.
This content is for informational purposes only and does not constitute legal advice. For tailored guidance, consult with legal and compliance experts, and use tools like AIGovHub to track regulatory changes in real-time. Stay informed by subscribing to our updates on EU AI Office developments and other key trends.