AI and GDPR: the CNIL publishes new recommendations to support responsible innovation

07 February 2025

The GDPR enables the development of innovative and responsible AI in Europe. The CNIL’s new recommendations illustrate this by providing concrete solutions to inform individuals whose data is used and to facilitate the exercise of their rights.

GDPR enables innovative AI while respecting personal data

The AI Action Summit, organized by France from February 6th to 11th, 2025, will host numerous events highlighting AI’s potential for innovation and competitiveness in the coming years.

Since 1978, France has established regulations to govern the use of personal data by digital technologies. In Europe, these rules were harmonized through the General Data Protection Regulation (GDPR), whose principles have inspired regulations in many countries around the world.

Recognizing the need to clarify the legal framework, the CNIL actively works to provide security for stakeholders, fostering AI innovation while ensuring the protection of fundamental rights. Since launching its AI Action Plan in May 2023, the CNIL has issued a series of recommendations for AI system development. With those clarifications, GDPR compliance will build trust among individuals and provide legal certainty for businesses.

Adapting GDPR principles to the specificities of AI

Some AI models are anonymous and thus not subject to the GDPR. However, other models, such as large language models (LLMs), may contain personal data. The European Data Protection Board (EDPB) recently provided relevant criteria on the application of the GDPR to AI models.

When the GDPR applies, individuals’ data must be protected, whether within training datasets, within models that may have memorized data, or through model usage via prompts. While the fundamental principles of data protection remain applicable, they must be adapted to AI’s specific context.

The CNIL has determined that:

  • The determination of the purpose will be applied flexibly to general-purpose AI systems: an operator who cannot define all potential applications at the training stage may instead describe the type of system being developed and illustrate key potential functionalities.
     
  • The data minimisation principle does not prevent the use of large training datasets. However, the data should generally be selected and cleaned to optimise algorithm training while avoiding the unnecessary processing of personal data.
     
  • Retention of training data can be extended if justified and if the dataset is subject to appropriate security measures. This is particularly relevant for databases requiring significant scientific and financial investment, which sometimes become recognised standards within the research community.
     
  • Reuse of databases, including those available online, is possible in many cases, provided that the data was not collected unlawfully and that its reuse aligns with the original purpose of collection.

New recommendations

Today, the CNIL is publishing two new recommendations to promote the responsible use of AI while ensuring compliance with personal data protection. These recommendations confirm that GDPR requirements are sufficiently balanced to address the specific challenges of AI. They provide concrete and proportionate solutions to inform individuals and facilitate the exercise of their rights:

  • When personal data is used to train an AI model and may potentially be memorised by it, the individuals concerned must be informed.

    The way this information is provided can be adapted based on the risks to individuals and operational constraints. Under the GDPR, in certain cases—especially when AI models rely on third-party data sources and the provider cannot contact individuals directly—organizations may limit themselves to general information (e.g., published on their website). When multiple sources are used, as is common with general-purpose AI models, a broad disclosure indicating the categories of sources or listing a few key sources is generally sufficient.

See CNIL’s recommendations on informing individuals

 

  • European regulations grant individuals the right to access, rectify, object and delete their personal data.

    However, exercising these rights can be particularly challenging in the context of AI models — whether due to difficulties in identifying individuals within the model or modifying the model itself. The CNIL urges AI developers to incorporate privacy protection from the design stage and pay special attention to personal data within training datasets by:
    • striving to anonymise models whenever it does not compromise their intended purpose;
    • developing innovative solutions to prevent the disclosure of confidential personal data by AI models.

In some cases, the cost, technical impossibility, or practical difficulties may justify a refusal to comply with a request to exercise these rights. However, where the right must be guaranteed, the CNIL will consider reasonable solutions available to the model creator and may allow for flexible timelines. The CNIL also emphasizes that scientific research in this area is evolving rapidly and urges AI stakeholders to stay informed of the latest advancements to ensure the best possible protection of individuals' rights.
 

See CNIL’s recommendations on individuals' rights

 

► See all CNIL recommendations on AI (in French)

Consultation with AI stakeholders and civil society

These recommendations were developed following a public consultation. Various stakeholders—including businesses, researchers, academics, associations, legal and technical advisors, trade unions, and federations—were able to share their perspectives. This allowed the CNIL to issue recommendations that closely align with their concerns and the real-world applications of AI.

 

Read the summary of contributions (in French)

The CNIL’s efforts to ensure a pragmatic and comprehensive application of the GDPR in the AI sector will continue in the coming months. This includes issuing new recommendations and providing support to organisations.

Additionally, the CNIL is closely following the work of the European Commission’s AI Office, particularly in the development of a code of good practices for general-purpose AI. These efforts are coordinated with broader initiatives to clarify the legal framework at the European level.