The French DPA, the CNIL, released on 23 May 2026 new versions of its Methodologies of Reference for Clinical Research MR001 and MR003.


PharMarketing is proud to have contributed several times in the past year to help improve these MR via the Trade Association France Biotech.


  • New MR001 https://www.legifrance.gouv.fr...
  • New MR003 https://www.legifrance.gouv.fr...
  • Appendix 'Security'https://www.legifrance.gouv.fr...
  • Appendix 'Quality Controlhttps://www.legifrance.gouv.fr...

    These MR are only available in French at this time, but we were told by the CNIL that they plan to translate them in English in the future.
  • The French DPA is the ONLY DPA in EU/EEA/UK/CH to oblige organizations to comply with these MR: in other words, the MR are not just guidelines for information, it is mandatory to demonstrate compliance.
  • Moreover, it has extraterritoriality. If a French organization recruits patients in the US, or in any country outside France, the principles of MR001 apply.
  • Great news: it looks to us that The MR001 now makes Home Trial Visits legal, see clauses 31 and 32: a CRO can have the postal address of the patient in order to select a nurse close to the patient, and the right competencies related to the pathology and the procedures to do.


For any questions on the updates to MR001 and MR003, or on other MR from French CNIL, contact Bertrand at b.p.lebourgeois@pharmarketing.net





Examples of Non-Compliance 


with Health Data Privacy


Data Protection Authorities ('DPAs') published several decisions related to the processing of health data in the past months.


Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisations: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPR hub NOYB and to IAPP for all this valuable information!


France:


Fact:


The French DPA, the CNIL fined CRO IQVIA 5 million euros for illegal processing of patient data in big healthcare data warehouses. IQVIA receives pseudonymised patient data transmitted by pharmacies in town. But patients were not informed that their health date would be sent to IQVIA, infringing article 13 and 14 of the GDPR on transparency. Read article from the CNIL (in French): https://www.cnil.fr/fr/donnees...


Takeaway:


Always inform people that you are collecting or processing their personal data.


Fact:


On 21 May 2026, healthcare payer Almerys experienced a massive cyberattack: over 15 million of social security numbers and over 44 million payment lines were leaked.


Almerys acts as an intermediary between patients, healthcare professionals and health insurance companies. In addition to the social security number, the following have been leaked: first name, last name, date of birth, and links between members of the same family.


Many big and small health insurance companies are impacted, for example SwissLife, Generali, BNP, AG2R La Mondiale, etc. A similar important breach had taken place in 2024 also.


The hacker said that Almerys was not using MFA (Multi-Factor Authentication) to protect the accounts.More details here: https://frenchbreaches.com/blo...


Takeaway:


Multi-Factor Authentication should have been implemented.

We cannot comment further as the circumstances of the breach are not described in the article/


Fact:


Several other organisations in the healthcare sector have experienced cyberattacks in May in France: for example optician networks Atol, Auchan Optique and Optic 2000.

Read details on https://frenchbreaches.com/


United Kingdom:


Fact:


On 23 April 2026 the UK government announced that data from UK Biobank had been advertised for sale online. The UK Biobank holds the records of more than half a million volunteers. At the time we write, the NHS HRA is investigating this suspected breach. Read more here: https://www.hra.nhs.uk/about-u...


United States:


Fact:


Jennifer Kamrass confessed her worries to her therapist: her marriage, her finances, and self-esteem. Therapists are legally and ethically bound to confidentiality, but two years later, a transcript of every word Kamrass had typed to her psychologist using the app Talkspace was subpoenaed in court by her former employer.


Talkspace executives assure investors data is anonymized, but experts say that such anonymity can be broken.


Read article from Proofnews: https://www.proofnews.org/woma...


Takeaway:


It's not clear from Proofnews' article how Karmrass' former employer got hold of the personal data, and if it was via a legal mean.

  • Firstly, Talkspace pseudonymises personal data (identifiers are redacted as per HIPAA), but personal data are not fully anonymised.
  • Secondly, in the US, it is not against the law to sell redacted health data without patient's consent.
  • Third, users of Talkspace in the US are not given the option to oppose to the reuse of their health data. So, probably the employer managed to acquire Kamrass' health data from a broker.


We can see here clearly that HIPAA and other US privacy laws don't provide enough protection to data subjects.


Fact:


The Centers for Medicare and Medicaid Services' new health directory allegedly exposed the Social Security numbers of healthcare professionals, The Washington Post reports. The database was opened to the public for several weeks as part of the center's data transparency initiatives. The CMS said it has "taken steps to address it promptly and reinforce safeguards around data submission and validation."
Read article from the Washington Post: 
https://www.washingtonpost.com...


Takeaway:


It is good practice in IT to test and review a system before making it live. Here it would have been necessary to check that no unwanted personal information was visible on the internet, before making the information live to the general public.

Fact:


Lack of transparency in Healthcare providers' privacy notices:

Dark patterns force patients to share their data with big healthcare networks, even when the privacy form they’re signing explicitly says they can opt-out. A lack of opt-out standards and alleged use of dark patterns could make it difficult for consumers to obtain documents they consented to and know what sensitive health data has been collected and shared.


Read article from Calmatters: https://calmatters.org/economy...


Takeaway:


Always inform data subjects clearly, transparently and with simple words on which of their personal data are collected, who will process their data, in which country, for how long it will be kept, and how patients can exercise their rights (e.g. get a copy of such personal data, oppose to a processing, etc.).




Privacy News


from around the Globe:




Global:


On 12 May 2026, the ICH M11 Expert Working Group has issued a final overview presentation (at Step 4 of the ICH harmonisation process) for ICH M11: The Clinical electronic Structured Harmonised Protocol (CeSHarP), a guideline adopted in November 2025. Read here: https://ich.org/news/ich-m11-e...


Chile:


Chile's Privacy Law No. 21,719 which amends Law No. 19,628 on the protection of personal data, will become effective on 1st December 2026. It mandates the appointment of a Data Protection Officer ('DPO'), who must be based in Chile and speak Spanish. This applies to organisations based outside of Chile which process personal data from people based in Chile. If you need to appoint a local DPO, contact us at contact@pharmarketing.net


In addition, organisations must ask Chile's DPA review their privacy compliance and get a certificate which is valid for 3 years


European Union:


On 16 April 2026, the European Data Protection Board, the EDPB brings clarity to data processing for scientific research, speeds up the finalisation of the anonymisation guidelines and approves first European data protection seal as a tool for transfers: 


  • Scientific research: 
  • Further processing for scientific research purposes is presumed to be compatible with the initial purpose for collecting individuals’ personal data. Therefore, controllers are not obliged to do the purpose compatibility test
  • Controllers can rely on “broad consent” where the purposes of research are not fully known at the time of collecting the personal data.
  • The EDPB clarifies when the right to erasure can be considered likely to render impossible or seriously impair the objective of conducting scientific research.
  • The EDPB also explains when controllers may reject an individuals’ objection to the processing of their personal data for scientific research purposes
  • Europrivacy seal:
  • The scope of the Europrivacy certification scheme has been extended to include controllers and processors established outside Europe who are subject to Art. 3(2) GDPR, either because they provide goods or services to individuals in Europe or because they monitor their behaviour.
  • Data importers outside Europe who are not subject to the GDPR can now apply to the Europrivacy certification scheme for the transfers of data they receive: this way, such vendors can demonstrate compliance with GDPR to their clients in EU/EEA


Read here: https://www.edpb.europa.eu/new...


France:


The French DPA, the CNIL, released on 23 May 2026 new versions of its Methodologies of Reference for Clinical Research MR001 and MR003: see details in the article above.


Germany:


German regulators release guidance for AI embedded in medical devices
Germany's federal energy and telecommunications regulator, the Hessian Ministry for Digitalisation and Innovation and the Federal Commissioner for Data Protection and Freedom of Information
issued guidance for entities developing AI that is embedded into medical devices. The guide was developed to provide information on how the legal requirements of the AI Act impact regulations for medical devices.


Full story: https://www.bundesnetzagentur....


United Kingdom:


New legal requirements for clinical trials came into force on 28 April 2026. Find out more on the changes: https://www.hra.nhs.uk/plannin...


NHS Modernisation bill: On 13 May 2026, following the King’s Speech, the government introduced the NHS Modernisation Bill to parliament. This Bill will introduce the single patient record, allowing fragmented health information to be joined up around the country, and will cut layers of bureaucracy so more time and money can be spent on frontline services. Read more: https://www.gov.uk/government/...


United States: FDA


Real-Time clinical trials (RTCT): The U.S. Food and Drug Administration announced on 28 April 2026 two major steps as part of an initiative to advance the implementation of real-time clinical trials (RTCT)

  • First, the agency unveiled the successful initiation of two proof-of-concept clinical trials that will report endpoints and data signals to the agency in real time
  • Second, the agency released a Request for Information (RFI) regarding a proposed pilot program for RTCT that will launch this summer. Submission ends 29 June 2026.


Read FDA's press release: https://www.fda.gov/news-event...


United States: California


Governor Newsom signs first-of-its-kind executive order to prepare workers and businesses for potential AI disruption. Read more: https://www.gov.ca.gov/2026/05...


United States: Connecticut


Senate Bill 4 introduces new data broker registration rules mirroring California's Delete Act while amending Connecticut's Data Privacy Act to ban geolocation data sales and add specific provisions for facial recognition technology.


United States: New Jersey:


After the New Jersey Data Privacy Act went into effect on January 15, 2025, the Attorney General (AG) has been issuing cure notices. 10 cure letters were issued between March 24, 2025, and November 13, 2025. The statute’s 30-day right-to-cure period sunsets on July 1, 2026. Read more: https://www.troutmanprivacy.co...



  1. TOMs means Technical and Organizational security Measures


  1. France's Methodologies of Reference are guidelines that organisations can use if they want:

No, it's mandatory to check that your organisation complies with such Methodologies of Reference, and then to notify the CNIL of such compliance online