Introduction to the self-assessment guide for AI systems

24 August 2022

The aim of the self-assessment guide on the following pages is to provide a reminder of the main data protection issues in the most commonly encountered scenarios.

The CNIL invites all organisations (providers or users of AI systems) that are planning to implement processing using artificial intelligence (AI) technologies, or that have already initiated this process, to ask themselves the questions presented in this analysis grid.

This list has been compiled as comprehensively as possible on the basis of best practices and emerging signals from scientific research in the field. In order to be applicable to all sectors and all types of AI systems, these fact sheets have been developed to cover as many scenarios as possible, without excluding risks related to specific techniques such as continuous learning or automatic annotation.

The aim of this grid is to allow the self-assessment of all relevant aspects of a processing project in terms of personal data and ethics. A functional analysis by the CNIL can only be carried out following a formal request, for example as part of a request for advice. Moreover, the purpose of this grid is to provide information, mainly in terms of the protection of personal data. It is not intended to supersede other applicable texts: sector-specific legislation, civil liability regimes, etc.

These fact sheets use the terms provider and user of AI systems. The CNIL uses the following definitions:

PROVIDER

The provider is a natural or legal person, public authority, agency or other organisation that develops an AI system or has one developed with a view to placing it on the market or putting it into service under its own name or trademark, whether for a fee or free of charge.

USER

Any natural or legal person, public authority, agency or other organisation using an AI system under its own authority, except where the system is used in the course of a personal non-business activity.

END USER

The user of the AI system should not be confused with the end user, in other words the individual concerned by the system: the concept of use therefore corresponds to use in a business context.

In relation to the definitions of the GDPR, the providers and users can assume the roles of data controller and/or data processor if the AI system implements processing of personal data.

This analysis of roles and responsibilities is to be carried out on a case-by-case basis as indicated in the fact sheets.


 

Would you like to contribute?

Write to ia[@]cnil.fr