AI system development: CNIL’s recommendations to comply with the GDPR

07 June 2024

To help professionals reconcile innovation and respect for people’s rights, the CNIL has published its first recommendations on the application of the GDPR to the development of artificial intelligence systems. Here's what you need to remember.

This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.

Designers and developers of AI systems often report to the CNIL that the application of the GDPR is challenging for them, in particular for the training of models.

The misconception that the GDPR would prevent AI innovation in Europe is false. On the other hand, we must be aware that training datasets sometimes include “personal data”, i.e. data on real people. The use of such data poses risks to individuals, which must be taken into account, in order to develop AI systems under conditions that respect individuals’ rights and freedoms, including their right to privacy.

Scope of the recommendations

Which AI systems are concerned?

These recommendations adress the development of AI systems involving the processing of personal data (for more information on the legal framework, see how-to sheet 1). The training of AI systems regularly requires the use of large volumes of information on natural persons, known as “personal data”.

The following are concerned:

  • Systems based on machine learning;
  • Systems whose operational use is defined from the development phase and general purpose systems that can be used for various applications (“general purpose AI”);
  • Systems for which the learning is done “once and for all” or continuously, e.g. using usage data for its improvement.

What are the steps involved?

These recommendations concern the development phase of AI systems, not the deployment phase.

The development phase includes all the steps prior to the deployment of the AI system in production: system design, dataset creation and model training, etc. 

How do these recommendations relate to the European AI Act?

The recommendations take into account the EU Artificial Intelligence Act recently adopted. Indeed, where personal data is used for the development of an AI system, both the GDPR and the AI Act apply. CNIL's recommendations have therefore been drawn up to supplement them in a consistent manner regarding data protection.  

For more information, see how-to sheet 0

Step 1: Define an objective (purpose) for the AI system

Step 2: Determine your responsibilities

Step 3: Define the "legal basis" that allows you to process personal data

Step 4: Check if I can re-use certain personal data

Step 5: Minimize the personal data I use

Step 6: Set a retention period

Step 7: Carry out a Data Protection Impact Assessment (DPIA)

The CNIL is continuing its work to help providers of AI systems.

It will soon publish new how-to sheets explaining how to design and train models in compliance with the GDPR: retrieval of data on the internet (web scraping); use of the legitimate interest as a legal basis, exercise of the rights of access, rectification and erasure; whether or not to use open licences... 

These how-to sheets will be subject to public consultation.