Written by: Haim Ravia, Dotan Hammer
France’s Conseil d’État—the country’s highest administrative court—rejected challenges by three companies in the Cegedim group to CNIL fines totaling €1.8 million, delivering an important ruling on when pseudonymized health data remains personal data under the GDPR.
The companies operated two databases, fed by data collected from doctors’ practice management software and pharmacy systems. By March 2021, one database held data on 13.4 million medical consultations linked to 4 million patient codes, while the other contained approximately 78 million client identifiers from 8,500 pharmacies. The companies used these databases to produce quantitative studies and sell statistical health data to public and private clients. They argued that because patient names were replaced with codes, the data had been effectively anonymized and fell outside the GDPR’s scope.
The Conseil d’État disagreed, applying the CJEU’s March 2024 ruling in *OC v. Commission* (C-479/22). The court held that pseudonymized data can only be considered anonymized if the risk of re-identification is “insignificant”—meaning that identification would be “unrealizable in practice” because it would require a “disproportionate effort in terms of time, cost, and manpower.” The court then examined whether this standard was met.
It found that it was not. Despite the use of patient codes, the databases contained detailed information, including age, sex, socio-professional category, medical records, prescriptions, sick leave, vaccinations, medications purchased, and exact dates and times of medical visits or pharmacy purchases. Crucially, the data also included direct or indirect identifiers for healthcare professionals, notably ADELI and RPPS numbers, which the CNIL demonstrated could identify individual practitioners through a simple, publicly accessible online search. The court noted that the CNIL had demonstrated that it was possible to retrace individual care pathways and identify specific patients and their pathologies using only a standard spreadsheet program and the nomenclature provided by the companies themselves. The risk of re-identification was particularly high where prescribed treatments were rare, and it could be increased further through cross-referencing with other data held by the companies or with third-party geolocation data.
The court also upheld a finding against Cegedim Santé for unlawful data collection practices: its medical software automatically downloaded patient data from a government health insurance teleservice whenever doctors consulted it, leaving doctors no way to view the data without simultaneously transferring it to the company, a practice that violated French social security provisions restricting access to that data to physicians only.
The Conseil d’État affirmed the proportionality of the overall fine, considering the gravity of the violations, the sensitive nature of the health data involved, the scale of the processing, and the number of affected individuals.