
CNIL Issues First Recommendations on AI

Security Architect & Advisor

The French Data Protection Authority, CNIL, has reached a significant milestone in the regulation of artificial intelligence (AI) in France. After a period of consultation and thorough analysis, it has recently unveiled its first set of recommendations, consisting of 7 guidelines intended to steer the ethical and regulatory-compliant development of AI systems.

For several months now, CNIL has been actively involved in the AI domain, reflecting the growing importance of AI in our society. This involvement has taken the form of a dedicated entity for the subject as well as a public consultation process. A total of 43 companies and organizations participated in this consultation, providing CNIL with a robust foundation upon which to formulate its recommendations.

Right from the start, CNIL clarifies a crucial point: compliance with the General Data Protection Regulation (GDPR) and innovation in AI are not necessarily mutually exclusive. This clarification is essential to dispel misconceptions that GDPR compliance would stifle innovation in the field of AI in Europe. However, the collection of personal data for training AI systems requires particular attention.

Definition of Purpose and Data Minimization

The first guideline of CNIL’s recommendations focuses on defining the purpose of the AI to be developed. This purpose will serve as a guide to frame and limit the collection of personal data necessary for its achievement. CNIL emphasizes the need for transparency and legitimacy in this process, highlighting the importance of aligning the purpose with the missions of the company or administration.

The complexity of defining a precise purpose is especially felt in the case of general-purpose AI systems or those intended for scientific research. In these situations, CNIL recommends adopting best practices such as identifying potential risks, specifying functions excluded from the outset, and clarifying the conditions of use of AI (open source, SaaS, API, etc.).

This guideline is closely linked to that concerning the minimization of personal data. The collection must be limited to what is strictly necessary, in accordance with the defined purpose. Additionally, the data retention period must be planned in advance and justified according to the purpose of the AI system, while ensuring transparent information for the individuals concerned.

Responsibility and Legal Bases

Another guideline highlights the responsibility of the actors involved in data processing for AI. CNIL distinguishes between data controllers and processors. The former are those who define the framework and objectives of data processing, while the latter act in accordance with the instructions of the data controllers.

The choice of the legal basis for data processing is also crucial. Consent is often preferred, but in the context of AI, it can be challenging to obtain. In such cases, CNIL recommends turning to the pursuit of a legitimate interest, while respecting certain conditions. A specific guideline on this topic is forthcoming from CNIL.

Finally, another guideline emphasizes the importance of conducting impact assessments prior to the development of AI systems, especially to assess potential risks to the protection of personal data. This assessment is particularly crucial for systems identified as high-risk under the AI Act.

In conclusion, CNIL’s recommendations represent a significant step forward in the regulation of AI in France. They provide a clear framework and valuable guidelines to ensure the ethical and responsible development of AI systems, while safeguarding the personal data of individuals. Stakeholders in the AI domain, as well as data controllers and developers, must integrate these recommendations into their practices to build a safer and more ethical digital future.
