
French Council of State 2026 — Health Data Hub: DLP impact and EU transfers

The French Council of State (20/03/2026) upholds CNIL’s authorization for the Health Data Hub, hosted by Microsoft Ireland in France, and confirms no transfers outside the EU. A well‑configured DLP proves and enforces these flow limits technically.

On 20 March 2026, the French Council of State upheld CNIL’s authorization of the Health Data Hub operated on Microsoft data centers located in France, holding that there is no transfer to the United States. Key point: it is the actual data flows that trigger Chapter V, not the provider’s identity.

The facts

The Council of State dismissed challenges to deliberation No. 2025‑014 authorizing, for three years, the extraction and processing of SNDS data for DARWIN EU studies, hosted by Microsoft Ireland in France. The ruling stresses that the authorization “only allows the processing of health data hosted in data centers located in France and does not authorize their transfer to the United States,” and that the few data that could be transferred (user‑related) are protected by GDPR safeguards (pseudonymization, storage limitation, contractual framing) (Council of State, 20/03/2026).

This clarification emphasizes evidence of no outbound flows outside the EU/EEA through concrete legal and technical measures (localization, pseudonymization, clauses, security governance) rather than general statements.

The applicable legal framework

  • GDPR, Chapter V (Arts. 44 et seq.): third‑country transfers subject to specific conditions (adequacy, SCCs, BCRs, derogations, TIA, supplementary measures). References: EUR‑Lex — GDPR (FR) and CNPD overview: CNPD — Chapter V. For a practical recap, see our page on the GDPR Chapter V.
  • GDPR, Article 32: appropriate security (pseudonymization/encryption, confidentiality, integrity, resilience, testing). Reference: EUR‑Lex — Art. 32.
  • The 20 March 2026 ruling holds: (1) no authorization to transfer health data outside the EU; (2) extraterritorial access risks are assessed against implemented safeguards (pseudonymization, French localization, contractual clauses and governance).

Practical outcome: if your data stays in the EU and you can demonstrate no outbound flows (or strict framing where necessary), you comply with Chapter V. The obligation becomes evidential and technical: document, monitor, and prevent egress.

The technical solution: DLP for “sovereign flows”

To meet both Article 32 (security) and Chapter V (transfers), a modern DLP is the central control for preventing, detecting, and documenting any unauthorized transfer outside the EU/EEA.

  • Channel controls: email, web/HTTP(S), messaging, endpoints (USB, printing), SaaS, APIs, batch; policies by classification (personal, Art. 9, trade secrets).
  • Geofencing and residency: block/quarantine sends to non‑EU/EEA domains/IPs or non‑compliant cloud tenants.
  • Recognition and classification: dictionaries, regex, ML models, Sensitivity Labels, dynamic tags (e.g., “SNDS,” “pseudonymized‑patient”).
  • Outbound pseudonymization/masking: irreversible masking before any necessary sharing, with logging.
  • Logging and evidence: signed/timestamped logs, blocking reasons, approved exceptions, ILR/CNPD/CSSF audit artefacts.
  • Standards alignment: ISO/IEC 27001 (A.5.12, A.8.10, A.8.24, A.5.23), NIST CSF 2.0 (PR.DS‑Exfil, PR.AC‑03), CIS Controls 3/13.

How Luxgap delivers

  • ISO 27001 governance: define classification and DLP rules by data families and geozones (EU/EEA/third), anchor them in the RoPA and TOMs (Art. 32).
  • Externalized DPO and CISO: map real flows, build the “allowed/blocked” matrix with technical evidence, prepare subcontractor clauses, TIAs, and a controlled exception policy.
  • Managed SOC: 24/7 monitoring of DLP events and identity correlation, compliance (Chapter V) and security (Art. 32) reporting. Explore our managed SOC to industrialize monitoring.

Practically, we start with a 4–6 week “DLP Residency Sprint”: prioritize sources, labeling, geofencing, controlled tests and exception governance, then move into run mode.

EU/Luxembourg case study

A Luxembourg fiduciary subject to NIS 2 migrated to Microsoft 365 and an EU‑only analytics warehouse. In six weeks, we labeled three data families, enforced “EU‑only” defaults, blocked sends to non‑EU domains and required pseudonymization for any extra‑EU support, with signed logs and monthly reports. Outcome: zero unauthorized flows and audit‑ready proof for ILR/CNPD, supporting CNPD compliance in Luxembourg.

First practical steps

  1. Map your flows: list channels (email, Teams/Slack, CRM, SFTP, API) and destination regions.
  2. Label critical data: at least “EU‑only” and “Art. 9 — pseudonymize before exit” on two core sources.
  3. Enable simple geofencing: start in audit mode, then enforce blocking after 2–3 weeks.
  4. Set exceptions: pseudonymization + clauses + documented TIA, with DPO/CISO approval.
  5. Prepare evidence: centralize DLP logs and issue a monthly “blocked/exception flows” report.
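
The five steps above as a small policy evaluator, added here as an example (not Luxgap's tooling or any DLP product's API): it applies the two labels from step 2, audit versus enforce mode from step 3, the exception rule from step 4, and writes an HMAC-chained log that feeds the step 5 report. The label strings, flow record fields, exception ID format and demo key are assumptions.

```python
import collections, hashlib, hmac, json
# EU/EEA ISO 3166-1 alpha-2 codes: 27 member states plus IS, LI, NO.
EU_EEA = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE IS LI NO".split())
ART9 = "art9-pseudonymize-before-exit"  # step 2 label; this spelling is an assumption
LOG_KEY = b"constructed-demo-key"       # assumption: a real key lives in a KMS/HSM

def decide(flow, mode="enforce"):
    """Return (action, reason); unlabelled data is 'eu-only', audit mode only records."""
    dest, label = flow["dest_country"], flow.get("label", "eu-only")
    if dest in EU_EEA:
        return "allow", "destination inside EU/EEA"
    if label == ART9 and flow.get("pseudonymized") and flow.get("exception_id"):
        return "exception", "pseudonymized, approved under " + flow["exception_id"]
    return ("block" if mode == "enforce" else "audit"), f"{label} to {dest}"

def _tag(body):  # HMAC-SHA256 over canonical (sorted-key) JSON
    return hmac.new(LOG_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_signed(log, flow, action, reason, ts):
    """Append a record whose HMAC also covers the previous record's tag."""
    prev = log[-1]["tag"] if log else ""
    body = {"ts": ts, "flow": flow, "action": action, "reason": reason, "prev": prev}
    log.append({**body, "tag": _tag(body)})

def verify_chain(log):
    """True only if every tag verifies and no record was removed or reordered."""
    prev = ""
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "tag"}
        if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], _tag(body)):
            return False
        prev = rec["tag"]
    return True

def monthly_report(log):  # per-action counts for the step 5 report
    return dict(collections.Counter(rec["action"] for rec in log))

FLOWS = [  # constructed sample flows, not real traffic
    {"channel": "email", "label": "eu-only", "dest_country": "FR"},
    {"channel": "sftp", "label": "eu-only", "dest_country": "US"},
    {"channel": "api", "label": ART9, "dest_country": "US", "pseudonymized": True, "exception_id": "EXC-0001"},
    {"channel": "web", "label": ART9, "dest_country": "US"},
]

def run(mode):  # evaluate FLOWS under the given mode and return the signed log
    log = []
    for i, flow in enumerate(FLOWS):
        append_signed(log, flow, *decide(flow, mode), ts=f"2026-04-01T00:00:0{i}Z")
    return log
```

Running `run("audit")` first and comparing its report with `run("enforce")` shows which flows the switch to blocking will affect; `verify_chain` fails if any record is edited or deleted after the fact.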

Official sources

Bottom line: the ruling does not relax the GDPR; it requires concrete proof of no unauthorized transfers. A well‑governed DLP with EU geofencing, outbound pseudonymization and robust logging makes this demonstration straightforward and verifiable. For end‑to‑end support (records, TIAs, policies and controls), our certified DPOs can lead your program.
