News: Jeanne BOSSI MALAFOSSE

Decree No. 2026-209 of March 24, 2026 [1] published in the Official Journal on March 26, 2026, amends the regulatory part of the Public Health Code to incorporate obligations relating to the location of hosting and to transparency concerning transfers of personal health data outside the European Economic Area (hereinafter “EEA”), which had until...

DELSOL Avocats is proud to be ranked in 11 Legal 500 EMEA 2026 categories : M&A : Smaller deals – Tier 1 The regions – Tier 1 Industry focus : Healthcare and life sciences – Tier 2 Construction – Tier 3 Data privacy and data protection – Tier 3 Private equity : venture/growth capital – Tier 3 Dispute resolution : Commercial litigation – Tier 4...

On March 4, 2026, Decree No. 2026-153 [2] (“Decree”) was published, defining the procedures under which the Minister of Health may impose financial penalties on publishers of digital health services (services numériques en santé - "DHS") in the absence of a certificate of compliance with the interoperability, ethics, and security standards...

On 13 March 2026, the French Data Protection Authority (hereinafter "the CNIL") published its recommendation on the deployment of a web filtering proxy server [3], adopted by deliberation no. 2026-022 of January 29, 2026 [4], following a public consultation conducted in 2025 that received fourteen contributions. A web filtering proxy server...

The CNIL and the French National Authority for Health ("HAS") signed a partnership agreement on 10 March 2026 aimed at strengthening best practices in personal data protection and promoting fundamental rights relating to digital tools in the healthcare, social and medico-social sectors [6]. The partnership is intended to enable both...

In Circular No. 6519/SG [7] dated 5 February 2026, Prime Minister Sébastien Lecornu sets out the framework for the State’s digital public procurement and reiterates the requirement to rely on the SecNumCloud qualification for hosting data of particular sensitivity, including health data. The circular establishes digital sovereignty as the...

In its decision of 10 February 2026, WhatsApp Ireland Ltd v European Data Protection Board (Case C-97/23 P) [8], the Court of Justice of the European Union (“CJEU”) held that a decision of the European Data Protection Board (“EDPB”) constitutes an act that may be challenged before the EU courts. In this case, following complaints relating to data...

In 2023, the CNIL established a dedicated service for the economic analysis of issues related to personal data, with the aim of strengthening its expertise and informing its decisions through impact assessments, sectoral analyses, and quantitative studies evaluating the economic effects of its rulings. It is indeed essential for a data...

DELSOL Avocats is proud to be listed in 6 Chambers and Partners 2026 rankings : Construction - Band 3 Corporate/M&A : Mid-Market - Band 2 Corporate/Commercial Litigation : Highly Regarded - Band 2 Pharma/Life sciences - Band 3 Tax - Band 6 General Business Law - Spotlight In addition to these collective rankings, Jeanne BOSSI MALAFOSSE...

On 8 January 2026, the French data protection authority (CNIL) issued two rulings against Free Mobile [10] and Free [11] (the “Companies”), imposing fines of €27 million and €15 million respectively for various breaches of the General Data Protection Regulation (GDPR). In this case, the Companies were alerted in October 2024 that an attacker had...

On 27 December 2025, Decree No. 2025-1335 [15] (the “Decree”) was published in the French Official Journal. In particular, this Decree : sets out the arrangements for monitoring and supervising compliance with the periodic certification obligation applicable to healthcare professionals ; specifies the procedures applicable in the event of a...

In a judgment dated September 4th, 2025 [19] , the Court of Justice of the European Union (CJEU) provided major clarifications regarding the concept of personal data. In this case, the Court was asked to rule, in particular, on the qualification, in terms of the definition of personal data, of comments made by individuals to a controller (the...

On 9 September, in accordance with the Regulation on artificial intelligence (“AI Act”) [20], the French Ministry of Economy and Finance unveiled the list of national authorities responsible for artificial intelligence and the division of their respective powers [21]. The diagram presented by Bercy distinguishes between the authorities...

In a ruling dated September 3, 2025 [22] , the General Court of the European Union (“GCEU”) dismissed the appeal brought by the French member of parliament Philippe Latombe, seeking annulment of the “Data Privacy Framework” established by the European Commission’s adequacy decision of July 10, 2023, allowing the transfer of personal data from the...

DELSOL Avocats has advised the AGORiA Santé consortium, in partnership with BIOGROUP, on obtaining the CNIL’s (French data protection authoritys) first authorization to combine biology and SNDS (French national health data system) data in a health data warehouse. Created in 2021, the AGORIA Santé consortium comprises AstraZeneca France, Takeda...

On 10 July 2025, the code of practice (“Code”) [24] for general purpose artificial intelligence models (“GPAI models”) was published. Provided for in Article 56 of Regulation 2024/1689 on Artificial Intelligence (“AI Act”), the Code forms part of the regulation’s phased implementation and is intended to help GPAI model providers comply with their...

On June 26th, 2025, the French Data Protection Authority (CNIL) announced the launch of the Privacy Auditing of AI Models (PANAME) project — which it will lead and legally frame — with the goal of developing a tool that can test the confidentiality of artificial intelligence models (“AI Model(s)”). This initiative comes against the backdrop of EU...

On July 1st 2025, the Minister for Health and Access to Care, Yannick Neuder, presented the national strategy for artificial intelligence (AI) and healthcare data [27] ("Strategy") at an exceptional Strategic Committee meeting. Set up to take advantage of the development of AI in the healthcare field (e.g., improving the quality of care,...

In a ruling dated June 18, 2025 [30], the Social Chamber of the Court of Cassation held that an employee’s right of access to his professional emails covered not only metadata but also the content of the emails. Called upon to rule on the scope of the right of access in a dispute between an employee and his employer in the context of his...