The CNIL creates an Artificial Intelligence Department and begins to work on learning databases

26 janvier 2023

The CNIL is creating an Artificial Intelligence Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, it will propose initial recommendations on the subject of learning databases in the coming weeks.

Creation of an Artificial Intelligence Department (AID)

Five CNIL’s agents will work in the Artificial Intelligence Department, including legal experts and specialized engineers. This department will be part of CNIL's Technology and Innovation Directorate, whose director, Bertrand PAILHES, is a former National coordinator for the Artificial Intelligence strategy.

The main missions of the Artificial Intelligence Department will be:

  • improve the understanding of AI systems for the CNIL, professionals and individuals;
  • strengthen CNIL's expertise for the identification and prevention of privacy risks related to the implementation of these systems;
  • prepare for the implementation of the European regulation on AI (under discussion at the European level);
  • develop relationships with the ecosystem (academia, start-ups, companies, etc.).

A transversal role within the CNIL

The AID will closely collaborate with the directorate in charge of legal advice, led by Thomas DAUTIEU, to issue "soft law" documentation (guidelines, recommendations, etc.) and to address requests for advice submitted by the government. This directorate may also request the assistance of AID to advise public or private actors on projects involving the use of AI systems of particular complexity.

More generally, , this new department is intended to work with all CNIL departments. The AID will also support the investigation of claims and the adoption of corrective measures in case of breaches related to the use of an AI system.

The AID will also support the investigation of claims and the adoption of corrective measures in case of breaches related to the use of an AI system.

It will be in charge of the technical expertise related to artificial intelligence with specific aspects to this technology. It will contribute to the work of the European Data Protection Board (EDPB) and will also conduct experimentation projects in connection with the LINC.

This evolution of the CNIL notably echoes a study by the French Council of State published on August 30, 2022 on the use of artificial intelligence in administrations. The Council of State recommends strengthening the CNIL's resources and changing its role so that it also becomes one of the national supervisory authorities responsible for regulating AI systems. It also highlights the importance for the CNIL to play the role of coordinating and supervising authority, according to the provisions of the future European regulation, and thus to ensure the networking of public institutions ranging, from market surveillance authorities to sectoral regulators.

As of now, and notwithstanding future legislative evolutions, the creation of this department responds to a societal challenge that is growing in importance every day and is in line with the work on artificial intelligence initiated long ago by the CNIL.

The answer to a society-wide issue

Artificial intelligence is making spectacular technological progress, and is about  to assist humans in a wide range of tasks. In the private sector, AI is seen as a factor for performance and profitability, while its use in administrations could improve the quality of public service provided to the user.

The use of this technology regards all kind of actors, regardless of their field of activity or size. By ricochet, every person is necessarily directly or indirectly confronted to AI, for example, when using a voice assistant, in a selection process for job applications or in the fight against tax fraud.

If the benefits linked to the use of algorithms and AI are undeniable, their operation relies on the processing of a large amount of data, very often personal data, and their implementation thus entails risks for privacy.

In addition, AI raises issues related to the information for users as well as the understanding of the way these systems operate, but also issues for data processors and regulators in the context of their audit and control missions.

The creation of the AI department responds to these challenges by providing a new tool to the regulator to organize transparency and understanding of a technology that is often perceived as a "black box" in order to ensure balanced regulation and to enable organisations, individuals and the CNIL to control the risks to privacy.

A dynamic initiated in 2017 and continued today

The CNIL has been working for several years on the subject of artificial intelligence, which constitutes a new generation of algorithms or, in the sense of the General Data Protection Regulation, a “data processing”. To date, its action has taken three forms:

  • the identification of ethical and legal issues related to the use of AI;
  • the instruction of cases involving the use of AI and the issuance of tools and resources improving the understanding of this technology;
  • and the management of associated risks.

The creation of an AI department thus structures and consolidates a long-standing dynamic.

Identification of ethical and legal issues

In 2017, the CNIL organised a broad public debate on algorithms and AI that was complemented by a citizen consultation. This was conducted in conjunction with several research institutes (CREOGN, CNAM, ENSC, INSA), public institutions (ministries and universities), professional federations and companies. It resulted in the production of a summary report containing recommendations and highlighting the major issues raised by the use of AI systems when processing personal data (How can Humans keep the upper hand ? The ethical matters raised by algorithms and artificial intelligence).

Field investigation of cases involving the use of AI

The CNIL has already and for many years had the opportunity to work regularly on the subject of artificial intelligence through cases of operational implementation (the so-called "intelligent" or "augmented" cameras in public spaces, the white paper on voice assistants or the work related to the deployment of facial recognition that implements AI processing). In addition to systems that may be used in the private sector, the CNIL has also given its opinion on projects on which the government has requested its opinion, for example, the project of targeting fraud and valuing requests (CFVR) which aims to improve tax control operations.

The publication of tools and resources to improve the understanding of AI and the management of associated risks

The CNIL published on April 5, 2022 a web section that clarifies the challenges posed by artificial intelligence and the conditions under which to deploy AI systems that respect the key principles of the GDPR. The content published is aimed at the general public and professionals, who are offered a self-assessment guide for artificial intelligence systems. In addition, content intended for a more informed public is available on the CNIL's Digital Innovation Laboratory (LINC) website.  In particular, it describes the new security risks posed by AI systems.

CNIL launches work on machine learning databases today

AI systems, especially those based on machine learning, very often require the use of large volumes of personal data to train the algorithms. The CNIL publishes a work program to support professionals and guarantee the respect of people's rights.

What are the objectives of this project?

Many public or private organizations wishing to build databases for the training and development of AI have expressed to the CNIL questions about the legality of certain uses.

The purpose of the upcoming work is therefore to clarify the CNIL's position on this point and to promote good practices, under the requirements of GDPR, but also in view of the proposed regulation on AI currently debated at the European level.

The provision of a framework for analysing the regulations on the protection of personal data and of concrete answers should enable organizations to create or use databases in compliance with the fundamental rights and freedoms of individuals.

The CNIL will regularly publish support tools on the subject that will complement its initial practical information sheets.

What is the scope?

The scope of the reflections initiated by the CNIL covers:

  • AI systems whose development or improvement requires the constitution of a database (machine learning systems and expert systems);
  • data collection from all types of sources (data collection from data subjects, data collection from data brokers, data collection from open sources, etc.);
  • the phases of the development of an AI system necessary for its production or improvement (design system, data pre-processing, training, continuous training, etc.). The production phase is therefore excluded from this project;
  • various uses relating to the development or improvement of an AI system (scientific research, research and development, improvement of a commercial product, etc.), regardless of the purpose of the AI system in production and the legal regime applicable to the processing (General Data Protection Regulation, Law Enforcement Directive and the French Data Protection Act).

On the other hand, issues related to the AI models learned from the collected data, and in particular those related to their dissemination and reuse, are excluded from this project and will be the subject of separate work.

What will be the publications at the end of this project?

CNIL's work will result in several publications during 2023 on:

  • tools to support the creation and use of databases: these discussions will be conducted in close collaboration with the CNIL working group on the opening and sharing of data announced during the air 2021 event;
  • practical sheets to respond to the most common situations encountered by learning database users (building a warehouse, using pseudonymized data, etc.).

What are the next steps?

On the basis of its existing expertise but also meetings with public and private actors on the constitution of databases for the development or improvement of an AI system, the CNIL will propose recommendations. They will be submitted to a public consultation allowing the greatest number of people to express their views on the tools thus developed. The contributions will be analysed at the end of the consultation in order to adjust and clarify its future tools, which it will publish on