
CNIL publication dated March 5, 2026

Artificial intelligence is experiencing significant growth in the healthcare sector, particularly for diagnostic support, disease prediction, and the optimization of care pathways. The development of such systems, however, generally involves the processing of health data, which is subject to a strict legal framework under Article 9 of the General Data Protection Regulation (GDPR).

In this context, on 5 March 2026, the French Data Protection Authority (CNIL) published a practical guide entitled “AI and Healthcare: Developing and Evaluating AI Systems in Compliance with Regulation”, aimed at supporting stakeholders in the sector. This publication continues the CNIL’s work on artificial intelligence and should be read alongside its other practical guidance documents.

One of the main interests of this new guide lies in its references to several authorization decisions issued by the CNIL concerning existing projects involving the development of AI systems in healthcare, which constitute a useful resource for similar initiatives.

A Structured Approach Based on the AI System Lifecycle

The CNIL proposes an analysis structured around three stages in the lifecycle of an artificial intelligence system in healthcare:

  • The creation – optional – of a health data warehouse for later reuse in different projects.
  • The development of AI systems.
  • The assessment of the impact of the deployment of AI systems in the healthcare sector.

The Creation of Health Data Warehouses

In some projects, organizations may wish to centralize different databases and allow their later reuse, particularly for research projects or the development of AI systems.

This corresponds to the creation of a health data “warehouse”, which requires compliance with specific formalities:

  • Either the data controller obtains the explicit consent of the data subjects.
  • Or, failing that, the controller submits a declaration of compliance with the CNIL reference framework on health data warehouses. If the project cannot fully comply with this framework, the controller must request specific authorization from the authority.

The CNIL also recalls that subsequent processing operations carried out using data from the warehouse—such as training an AI system—constitute separate processing activities that must themselves be assessed under the applicable regulatory framework.

The points reiterated by the Commission in this new guide had already been addressed in detail in its reference framework on health data warehouses.

Developing an AI System Using Health Data

The most common situation involves establishing a data processing operation specifically intended to develop an AI system in the healthcare sector.

The CNIL states that the development of such a project is in principle classified as research, study, or evaluation in the field of health. In this case, the data controller must either comply fully with one of the “reference methodologies” published by the CNIL or submit a specific authorization request to the authority.

The CNIL also emphasizes that the development of an AI system is an iterative process, comprising several stages – each of which may involve the processing of personal data – such as:

  • The preparation and matching of databases.
  • Annotating or extracting data characteristics.
  • Training and optimizing the model.
  • Validating its technical and clinical performance.

The CNIL nevertheless acknowledges that these different stages may be linked to a single general purpose, corresponding to the development of the AI system, provided that this purpose is defined with sufficient precision and is based on objective criteria that make it possible to determine when the objective has been achieved.

Evaluating the Impact of Deployed AI Systems

The authority also addresses the evaluation phase once AI systems have been deployed within the healthcare system. Such evaluation may concern, in particular:

  • The impact of the system on the patient care pathway.
  • The effects on professional practices.
  • The consequences in terms of epidemiological surveillance.

These evaluations are themselves considered research or studies in the healthcare field and must therefore comply with the formal requirements applicable to this type of processing (see previous section).

Checklist to Ensure Compliance of Processing Activities

Finally, the practical guide includes a summary table presented as a checklist of questions, listing the main actions required to properly frame AI projects in the healthcare sector. Among the key points are:

  • Identifying the applicable legal regime (GDPR, the French Data Protection Act, sector-specific regulation).
  • Defining a specific purpose pursuing a public interest objective.
  • Clarifying the roles and responsibilities of the various stakeholders.
  • Determining a legal basis under Article 6 GDPR and an applicable exception for processing sensitive data under Article 9.
  • Complying with the principles of data minimization and storage limitation.
  • Informing data subjects and organizing the exercise of their rights.
  • Implementing appropriate security measures.
  • Regulating data transfers outside the European Union.
  • Where applicable, conducting a Data Protection Impact Assessment (DPIA).

A Practical Resource for Healthcare AI Projects

With this new guide, the CNIL continues its work supporting stakeholders who develop or use artificial intelligence systems. However, the document primarily serves as a reminder of the regulatory framework applicable to data processing in health research and of the requirements related to AI system development, rather than as a detailed practical guide. It should therefore be read alongside the other resources published by the CNIL, to which the guide refers, in order to explore the legal and operational aspects of these projects in more depth.
