What is the scope of the AI how-to sheets?

The how-to sheets relate to dataset creation activities and their use in the development of AI systems where all or part of that data is personal data. In practice, three cases may be encountered:

• It is certain that no personal data is present in the dataset: the how-to sheets are not applicable (although some recommendations may be relevant as good practices).
   
• It is certain that personal data are present: the how-to sheets apply. This is the case for AI systems developed from videos or images of people, voice recordings, structured personal data, etc. It should be noted that the European texts lay down the rule that ‘mixed’ datasets are governed by the GDPR, if both types of data are inextricably linked.
   
• Personal data may be present: this is a frequent case for which the collection of personal data is not expressly desired. For example:
  • residual presence of persons or license plates in images;
  • occurrences of surnames, first names, addresses, etc. in textual data such as comments or prompts, etc.
    
    In the latter case, the how-to sheets apply. However, verification operations may be carried out as a result of the collection in order to delete the remaining personal data. This can be achieved:
     
  • by manual verification, e.g. when annotating the data;
  • by automatic verification, e.g. by using techniques for detecting persons/faces in images, by nameentity recognition methods (NER), etc.

In such cases, provided that the original personal data has been anonymized, and for processing operations subsequent to such deletion, the data loses its personal character and the application of the how-to sheets is no longer mandatory. Issues related to the risks associated with the use of the system will be the subject of how-to sheets published at a later date.

The CNIL’s how-to sheets concern the development of systems implementing artificial intelligence techniques involving the processing of personal data. These are referred to as ‘AI systems’.

The definition of AI systems covered by these how-to sheets is aligned with the definition of the EU AI Act just adopted (see box below): an AI system is a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

In practice, the AI systems concerned include systems based on machine learning (supervised, unsupervised, by reinforcement) and systems based on logic and knowledge (knowledge-based, inference and deduction engines, symbolic reasoning, expert systems, etc.), as well as hybrid approaches.

The how-to sheets concern those systems whether operational use in the deployment phase is defined at the development stage, or whether they are general purpose AI systems (GPAI), for example relying on “foundation” models, because of their ability to be reused and adapted for different applications and use cases.

They also cover all AI systems as defined above, whether training is done “once and for all” or continuously. In the case of continuous learning, the data collected when the system is deployed is reused for the system’s iterative improvement.

Finally, the how-to sheets also concern the process of training  existing AI models (fine-tuning / transfer learning), regardless of their integration into a system itself, where they involve personal data.

As illustrated in the previous diagram, the establishment of an AI system based on machine learning requires, in principle, the succession of two distinct phases:

• the development phase: it consists of designing, developing and training an AI system. 
• the deployment phase: it consists of putting into use the AI system developed in the first phase.

The development phase includes all stages from the development of the AI system to its deployment (production phase), namely:

• the design of the system: choice of the architecture, including the learning method(s) and, where appropriate, the selection of pre-trained models, identification of the necessary data and first tests, pilots;
• the establishment of the database: collection and pre-processing (cleaning, annotation, feature extraction, data allocation);
• learning: model training, possible fine tuning, adjustment and validation of hyperparameters, performance tests;
• and sometimes integration: when the final product expected at the end of the development phase is a system and not a model (for instance a general purpose AI system), inserting the trained model into the information system, connecting to other software components, developing a user interface, writing a user documentation, etc.

In many cases, the development of an AI system will be based on fine-tuning or transfer learning. The CNIL considers that this phase constitutes a second phase of development, distinct from that which produced the original model.

In the case of continuous learning, data is collected during the deployment and development phases (through the use in production of the system), for future improvement. Continuous training is therefore included in this development phase via a feedback loop.

It should be noted that in addition to these two phases, there is a phase of shutdown of the AI system or deletion of personal data that it contained. These sheets do not specify the operations to be carried out during this phase, which are also covered by the regulations on the protection of personal data.

Regulations on the protection of personal data

The how-to sheets concern, in particular, use cases relating to the phase of development of an AI system (scientific research, research and development, personalisation of a commercial product, improvement of the public service provided to the user, etc.) for which the GDPR is applicable.

Data processing in the development phase of the AI system subject to the scope of the Law enforcement directive as well as those relevant to State security and national defense are therefore excluded from the scope of these how-to sheets. However, the recommendations provided can serve as inspiration.

Other applicable regulations

If these how-to sheets are intended to clarify how the development of AI systems can comply with personal data protection obligations, other regulations, which are not addressed directly, may apply. This is, for example, the case of rules on intellectual property law or the regulation on data governance (DGA), which regulates data intermediation services or data altruism.

Others are not yet applicable. This is particularly the case with the proposal for a European AI regulation which aims to frame the development and deployment of AI systems within the European Union.

Finally, sector-specific regulations apply to AI systems developed or deployed for certain applications subject to specific regulation (health, finance, critical systems, etc.). It is up to each controller to determine the applicable regulations and to turn to the relevant regulators.