Headline: France’s CNIL Closes Public Consultation on Guidelines for GDPR-Compliant AI Systems Development
Lead: France’s Data Protection Authority, the National Commission on Informatics and Liberty (CNIL), has concluded the public consultation period for its guidelines on developing artificial intelligence (AI) systems in compliance with the European Union General Data Protection Regulation (GDPR). The guidelines, known as the How-To Sheets, provide practical instructions for organizations and AI developers to ensure GDPR compatibility in their research and development. The How-To Sheets address key topics such as legal bases for processing personal data, data protection impact assessments, and data minimization. The guidelines aim to foster safe and GDPR-compliant innovation in the AI sector.
In a statement, CNIL emphasized the importance of the Guidelines in ensuring that AI systems development aligns with the principles and requirements of the GDPR. The How-To Sheets were specifically designed to provide practical guidance to data protection officers, legal professionals, and AI developers involved in the development of AI systems.
We recognize that there are open questions surrounding GDPR compliance in the development of AI systems, and our How-To Sheets aim to address those concerns. We want to foster innovative and compliant AI development within the boundaries of data protection, said a CNIL spokesperson.
The How-To Sheets cover seven essential topics, including determining the applicable legal regime for AI system development, defining the purpose of processing personal data, and identifying the appropriate legal basis for data processing. Additionally, the Sheets emphasize the importance of conducting data protection impact assessments when necessary and incorporating data protection principles into AI system design choices.
One significant clarification provided by CNIL relates to the legal bases for processing training data containing personal data. According to the How-To Sheets, the purpose limitation principle acknowledges that the purpose for processing may not always be clearly identifiable in the developmental phase of certain AI systems. In such cases, the purpose of processing must identify the type of system and the foreseeable functionalities and capabilities. However, referring solely to the type of AI system without specifying the technical possibilities will not meet GDPR transparency requirements.
Regarding data protection impact assessments, the How-To Sheets state that assessments must address AI-specific risks, such as the risk of producing false content about individuals. The Sheets also ensure that the principles of data minimization and storage limitation are adhered to when processing personal data. While large datasets containing personal data can be used in the AI development phase, the Sheets stress the importance of avoiding unnecessary personal data and implementing appropriate data security measures.
Furthermore, the Guidelines offer guidance on the reuse of datasets, explaining that the reuse of existing datasets in AI development can be compatible with GDPR if the initial collection of personal data was compliant and the purpose of reuse aligns with the initial purpose of collection.
The CNIL’s How-To Sheets have welcomed positive responses from the AI community. AI developers and organizations operating in France will now review their data processing practices in light of CNIL’s practical examples and align them with GDPR requirements.
CNIL plans to release additional guidance in the coming months, signaling their commitment to actively engage with AI developers to promote safe and GDPR-compliant innovation from the outset of AI projects. AI developers are advised to keep a close eye on CNIL’s future guidance to ensure ongoing compliance with evolving regulations.
In conclusion, the CNIL’s closure of the public consultation on the Guidelines for GDPR-Compliant Development of AI Systems marks a significant milestone in the regulation of AI and data protection in France. The How-To Sheets offer practical advice to AI developers, providing clarity on legal bases for processing training data containing personal information, data protection impact assessments, data minimization, storage limitation, and dataset reuse. As AI continues to advance, CNIL’s efforts reflect a commitment to striking a balance between innovation and protecting individuals’ data rights.
