Legal development

CNIL publishes its first recommendations on the development of Artificial Intelligence Systems

    From Data Bytes 46 summarising updates from April 2024

    On 8 April 2024, following a public consultation, the French data protection authority ("CNIL") published its first recommendations on the development of artificial intelligence ("AI") systems processing personal data. These recommendations apply to the following AI systems:

    • Machine learning-based systems
    • AI Systems with predefined operational use during development and general-purpose AI systems used to power various applications
    • AI Systems with one-time or ongoing learning processes.

    Notably, the CNIL's recommendations have been prompted by growing concerns stemming from the intersection of the General Data Protection Regulation (GDPR) and AI, with particular attention directed towards the emergence of generative AI systems. Anticipating these challenges, the CNIL previously released its "AI plan" in May 2023 and has since been working to elucidate the legal framework in order to ensure stakeholder security.

    To guide the strategic decision-making of those engaged in AI development and deployment, the CNIL has released seven initial recommendations. These guidelines were developed in collaboration with 43 AI stakeholders and underscore legal and technical aspects of AI usage, particularly concerning compliance with the European Union's GDPR and the new AI Act. Indeed, the CNIL's recommendations are designed to complement these regulations, with a specific focus on data protection during the development phase of AI systems. 

    Upon determining the applicable legal regime, the CNIL advises stakeholders to adopt the following seven steps:

    1. Define the processing purpose for the AI system.
    2. Determine the legal qualification of AI system providers (e.g. controller, processor, sub-processor) and their respective responsibilities under the GDPR.
    3. Establish the legal basis for processing personal data under the GDPR.
    4. Conduct tests and verifications surrounding the legality of the AI system's reuse of personal data.
    5. Minimise the processing of personal data.
    6. Integrate "data protection by design" into the AI system by defining personal data retention periods.
    7. Conduct data protection impact assessments to identify and mitigate potential risks.

    In the upcoming months, the CNIL will release further recommendations pertaining to AI within the framework of the GDPR, inviting public consultation for further refinement and feedback.

    https://www.cnil.fr/fr/ia-la-cnil-publie-ses-premieres-recommandations-sur-le-developpement-des-systemes-dintelligence
    https://www.cnil.fr/fr/developpement-des-systemes-dia-les-recommandations-de-la-cnil-pour-respecter-le-rgpd

    Authors: Nicolas Quoy, Partner; Antoine Boullet, Senior Associate.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.