On 7 July 2023, the French Data Protection Authority (CNIL) published a Technical Recommendation paper on sharing personal data via Application Programming Interfaces (APIs). In the Recommendation, the CNIL highlights the importance of data protection practices when data is shared through APIs. The Recommendation applies to all types of data sharing and involves three categories of actors: data holders, API managers, and data reusers.

The Recommendation provides criteria for when API usage is recommended and outlines risk factors for organisations to consider. APIs are recommended for data sharing in several cases:

- the data is frequently updated, or reusers need regular access to it;
- storing the data on the reuser's side is unnecessary;
- reusers do not need access to the entire dataset, but only to a subset of it;
- the security methods applied to the sharing may require updates over time.

The CNIL recommends using APIs for sharing personal data especially when the data is shared with many reusers or with the public. Using APIs gives the data holder better security and better control over who accesses the data, over its accuracy, and over the purposes for which it is used. It also facilitates standardised and secure data exchange between the data holder, the API manager, and the reuser. In other cases, the suitability of using APIs should be compared with other data-sharing techniques.

The CNIL states that its recommendations should be prioritised according to the vulnerability factors identified, and groups them under the following themes: information and data traceability, governance and respect for individuals' rights, data accuracy, data minimisation, and data security. The recommendations aim to enhance data protection, governance, and the rights of individuals while minimising the risks associated with data misuse or breaches.