Cloix Mendès-Gil

Artificial Intelligence (AI), a pivotal digital topic in 2023, falls under the purview of the GDPR. As AI algorithm development often involves processing substantial volumes of data, which may include personal information, adherence to the data protection principles set forth by the European regulation is crucial.

On October 11, 2023, the French Data Protection Authority (Commission Nationale Informatique et Libertés – CNIL) provided initial guidance addressing this complex intersection.

This announcement marks CNIL’s first formal response to industry professionals’ calls for legal clarity. Some stakeholders have voiced concerns that GDPR principles like purpose limitation, data minimization, restricted retention, and reuse might hinder AI research and applications.

However, CNIL affirms that GDPR compliance and AI development can coexist, provided specific boundaries are respected.

Regarding the principle of purpose, outlined in Article 6 of the GDPR, CNIL recognizes the need for a degree of flexibility in AI contexts. While it’s impractical to define all potential applications of an algorithm at the training stage, the system’s type and primary functions should be predetermined.

The principle of data minimization also demands a pragmatic approach. It doesn’t necessitate minimal data usage, but rather the utilization of data proportionate to the intended purpose. This does not preclude using extensive datasets for algorithm training, but the use of superfluous personal data remains prohibited. CNIL reiterates the importance of data security in this process.

Similarly, the principle of limited data retention doesn’t preclude setting extended durations for training databases when justified. CNIL acknowledges that these databases often represent significant scientific and financial investments and sometimes become widely used community standards.

CNIL clarifies that reusing data sets, especially publicly accessible ones, is generally permissible, provided they were not collected illicitly.

To assist professionals, CNIL has published a series of practical AI sheets for GDPR-compliant tool development. These sheets offer detailed guidance on applying GDPR principles:

The introduction outlines the scope of the sheets.
Sheet 1 covers the legal regime for data processing during AI system development.
Sheet 2 addresses determining data processing purposes for AI system learning databases.
Sheet 3 discusses the legal status of AI system suppliers.
Sheet 4 guides on choosing the legal basis for processing and additional checks based on data collection or reuse.
Sheet 5 details conducting a data protection impact assessment.
Sheets 6 and 7 advise on incorporating data protection in AI system design, data collection, and management.
An exemplary documentation model is included in the appendix.

These sheets are open for public consultation until November 16, 2023, inviting industry feedback. Additional sheets on legitimate interest, rights management, and data subject information are expected by year-end.

Our IT Contracts, Data & Compliance Department is available to assist in managing innovative projects and ensuring regulatory compliance.

For any queries, please reach out to us.

Effective negotiation is crucial for the success of IT projects, yet it often takes a backseat to the primary goal: efficient project execution and successful completion.

Contrary to common belief in IT projects, a strong contract isn’t just about parties aggressively defending individual interests. In practice, project execution may diverge from the interests defended during negotiations, leading to a contract that is impractical and often unbalanced.

If a dispute arises, the facts might be detrimental, especially if the contract doesn’t reflect the actual practices. This results in a contract that is challenging to interpret later[1], diminishing the legal certainty it’s supposed to provide. For instance, a contract that advocates a big bang startup approach but actually unfolds in phases is a typical example.

Therefore, it’s not only essential to engage in pre-signing negotiations but also to structure them through a clearly defined, written process outlined in a letter of intent or a preliminary agreement.

1. Contractual negotiations: striking a balance

A “win-win” stance is advisable in the negotiation phase, recognizing that a successful IT project requires collaborative effort. Focusing on mutual interests rather than individual gains is key[2].

These contracts pave the way for months, sometimes years, of partnership.

Negotiations should ensure balance for both parties. Otherwise, short-term gains from defending personal interests may lead to the ultimate detriment: project failure.

Legally, agreement on essential elements is enough to conclude a contract[3].

2. Legal framework for contractnegotiations

Negotiations should start with a mutual written agreement[4].

The titles of negotiation contracts (like preparatory agreements or letters of intent) have little impact on parties’ liability. Judges will assess whether the drafted agreement could objectively lead to liability[5].

These contracts will define the negotiation aim[6], ensuring practical aspects of the project’s organization and vital information exchange are well addressed.

This pre-contract prepares parties for the final agreement, outlining necessary steps.

3. Informative contract negotiations

Information crucial for securing management consent and ensuring “workable” project organization is vital.

Professional service providers often hold more information due to their experience. Certain specific information, like atypical billing practices, should be communicated to ensure equal knowledge levels and project success[7].

For instance, if a client can’t allocate operational staff to workshops without disrupting business, they should inform the service provider. This might lead to redefining the project’s organization and adjusting costs and timelines.

Creating a dynamic during negotiation stages is crucial for sharing information beneficial for project completion.

4. Organizing the project through negotiations

Defining the IT project’s organization should involve all project participants, not just top management and legal departments.

a. Project team organization

Discuss the formation of a project team for each party during negotiation.

Participants should be motivated and have aligned objectives. The availability of customer-side players is also crucial and should be confirmed pre-project.

b. Quality organization: project quality plan

A project quality plan ensures that teams don’t work in silos with disparate tools, preventing misunderstandings.

Depending on the project complexity, appointing a contract manager or plan implementation manager might be useful.

c. Organizing project processes

Before contract signing, discuss the project implementation process and cover:

Scope change management process: essential for resource organization and project scope control.
Change management process: necessary for ensuring the client’s organization adapts to the new solution.

d. Other negotiable project elements

Consider factors like task micro-scheduling, project governance, and roles during the acceptance phase.

These pre-contracts and detailed negotiation processes significantly reduce project failure risks by adding vital technical and legal elements to the future contract.

In our ongoing series on avoiding IT project failure, upcoming topics include:

#2 Legal tools for relationship management: penalties, success fees, timetables, payment management, etc.
#3 Contract management strategies.
#4 Project methodology for customer collaboration: Agile method.
#5 Tools for litigation avoidance.
#6 Litigation conduct.
#7 Types of expertise.

For any inquiries, please contact us.

[1] Terré, François, Philippe Simler, Yves Lequette, et François Chénedé. Droit civil: les obligations. 12e éd., 2019. Précis. Paris: Dalloz, 2018, §251, p. 272.

[2] See especially on this subject William Ury’s work, “Getting to Yes: Negotiating Agreement Without Giving In.” Seuil, Paris, 2021.

[3] Contrasting with certain European legal systems, German law, for example, is more stringent. It requires agreement on all contractual points before considering a contract concluded. German Civil Code, Art. 154 states: “As long as the parties have not agreed on all points of a contract that, according to the declaration of even one party, should be agreed upon, the contract is not concluded in case of doubt. An agreement on individual points is not binding, even if a written record has taken place.”

[4] It should be noted that negotiation contracts offer an additional advantage as there is no implied pre-contract wherein parties commit to responding to faults made during negotiation (Even in the presence of general conditions otherwise applicable in the parties’ relations in other contracts, Cass. com., April 9, 1996, Galerie Kleber – Max Mara, Bull. civ. IV, n°117, p. 99, RTD civ. 1997. 121, comment Maistre).

[5] C.Civ., art. 1100: Obligations may arise from the voluntary performance or the promise of performance of a duty of conscience towards another.

[6] In practice, these contracts will contain the following elements: an agreement to negotiate; negotiation deadlines; the qualifications of the individuals charged with discussion; modalities of the discussions – location, timing, intervals between party responses; responsibilities in case of a breakdown; typically, negotiations are not based on an obligation of result to negotiate, but an obligation of means (Soc. Dec. 19, 1989, n°88-13388).

[7] C.civ., art. 1112-1. This information is generally considered relevant and can, for example, lead to the re-examination of certain contract conditions (see Terré, François, Philippe Simler, Yves Lequette, and François Chénedé, “Civil Law: Obligations,” 12th ed., 2019, Precis, Paris: Dalloz, 2018, §332, p. 370). Note that the pre-contractual duty of disclosure does not concern information that motivates a contracting party but is not directly linked to the successful execution of the project – for instance, the future economic profitability of the system is not mandatory pre-contractual information. Even though a client may negotiate for an ROI clause in the contract, the provider is not obliged to indicate expected operational gains on their own), or at least leads to the modification of certain contractual conditions, the provider must make the client understand the importance of this information.