AI: CNIL publishes its first recommendations on the development of artificial intelligence systems
Following a public consultation, the CNIL publishes its first recommendations on the development of artificial intelligence systems. They must help professionals reconcile innovation with respect for people’s rights for the innovative and responsible development of their AI systems.
Reconciling the development of AI systems with privacy issues
Many stakeholders have raised questions to the CNIL regarding the application of the General Data Protection Regulation (GDPR) to artificial intelligence (AI), particularly since the emergence of generative AI systems. In May 2023, the CNIL published its “AI action plan” and launched an important work to clarify the legal framework in order to secure the actors.
An analysis of these systems shows that their development can be reconciled with the challenges of protecting privacy. Moreover, taking this imperative into account will make it possible to develop ethical systems, tools and applications that are faithful to European values.
This is the condition for citizens to trust these technologies. For this, it is important that actors have clear and practical elements to inform their strategic decisions on the development or use of AI that they will have to make in the coming months.
The first recommendations of the CNIL
For a personal data-friendly use of AI
To clarify the applicable rules, the CNIL is today publishing a first set of recommendations for the use of AI that respects personal data.
These CNIL recommendations are used to support players in the AI ecosystem in their efforts to comply with the legislation on the protection of personal data. They provide concrete answers, illustrated by examples, to the legal and technical challenges linked to the application of the GDPR to AI. The points addressed in these first recommendations make it possible in particular to:
- determine the applicable legal regime;
- define a purpose;
- determine the legal classification of the actors;
- defining a legal basis;
- carry out tests and checks in the event of re-use of the data;
- carry out an impact assessment if necessary;
- take data protection into account when designing the system;
- take into account data protection in the collection and management of data.
The CNIL also proposes a summary of its recommendations in order to recall the main principles and allow all actors to apply it to their projects.
View the summary of recommendations
Recommendations developed in consultation with AI actors
These recommendations were drawn up after a series of meetings with public and private stakeholders to gather their questions on the subject and a two-month public consultation. Stakeholders (companies, researchers, academics, associations, legal and technical councel, trade unions, federations, etc.) were thus able to express themselves and allow the CNIL to propose recommendations as close as possible to their questions and the reality of AI uses.
During the public consultation, 43 contributions were received by the CNIL from various actors in the AI ecosystem:
- 29 for-profit organisations in various sectors (AI, finance, health, aeronautics, online platform operators, online advertising, video games, etc.);
- 7 non-profit organisations (representative associations of civil society, research institutes, think tanks, etc.);
- 4 individuals;
- 3 public institutions.
The contributions received by the CNIL made it possible to enrich and consolidate the recommendations, published in their finalised version. Several clarifications and amendments have therefore been made, for example on the scope of the recommendations and their articulation with the recently adopted European AI Act, the use of web scraping tools, the carrying out of a data protection impact assessment (DPIA), etc.
They also raised structuring questions (information of persons, conditions to be met in order to mobilise the legal basis of “legitimate interest”, exercise of the rights of individuals, etc.) which the CNIL will deal with in future publications.
The CNIL makes available a summary of the contributions as well as elements of response to the questions formulated by the contributors.
Read the summary of contributions
Next steps
In the coming months, the CNIL will supplement these initial recommendations with other how-to sheets relating in particular to the legal basis of legitimate interest, the management of rights, the information of data subjects as well as annotation and security during the development phase. This work will also be subject to public consultation.