On 24 November 2023, the French Data Protection Authority (CNIL) published recommendations regarding the sharing of data through Application Programming Interfaces (APIs) to facilitate the implementation of its recent recommendation on this subject. The CNIL's recommendations on API-based data sharing encompass all categories of API that handle personal data, and the roles they introduce (data holder, API manager, and data reuser) apply to organisations irrespective of their public or private nature. In terms of legal scope, the recommendations focus on technical measures without defining a general legal framework, and advise on how to fulfil legal obligations through technical means. Legal responsibility is not determined by these roles but is assessed case by case, considering factors such as the provisions of the applicable texts and how the API is deployed. In addition, the methodology advocates best practices and risk analysis, suggesting integration with Data Protection Impact Assessments (DPIA) and third-party frameworks. Risk factors include database access, authentication techniques, and organisational measures. Practical implementation involves tools like Validata, GitGuardian, Swagger, general API management tools, and data reuse licenses, with the selection to be made case by case.