Health Data: A New Transparency Requirement Imposed by France
May 13, 2026
From now on, when a data hosting provider responsible for the health data of French patients decides to transfer this data outside the EEA (European Economic Area) to a third country deemed safe, it will have to publish and keep updated a map of this transfer (under the new article R.1111-11 of the French Public Health Code).
As such, the hosting provider will be required to publish the third countries concerned, any remote access to the data carried out from these countries, and the risks of unauthorized access. This is a first: this transparency requirement stems from a decree issued by the French legislature (Decree No. 2026-209 of March 24, 2026). It is added to other conditions that must be met (for example informing clients using the hosting provider of the risks related to the transfer of personal data, or unauthorized access to it through non-European legislation) before proceeding with a transfer to a third country.
As for its implementation, although the decree establishing this requirement entered into force on March 27, 2026, the details regarding the mapping have not yet been published. They will be released once the regulatory framework (“certification reference framework”) is updated — the French Digital Health Agency is responsible for this. A ministerial order will then have to approve it.
The public as well as data hosting providers will then have a clearer overview of this new disclosure obligation they must comply with. For now, no work schedule has been communicated, but the draft revision of the reference framework is already open for public consultation.
