Artificial Intelligence: CNIL guidelines on development and training databases

Artificial Intelligence (AI), a pivotal digital topic in 2023, falls under the purview of the GDPR. As AI algorithm development often involves processing substantial volumes of data, which may include personal information, adherence to the data protection principles set forth by the European regulation is crucial.

On October 11, 2023, the French Data Protection Authority (Commission Nationale Informatique et Libertés - CNIL) provided initial guidance addressing this complex intersection.

This announcement marks CNIL's first formal response to industry professionals' calls for legal clarity. Some stakeholders have voiced concerns that GDPR principles like purpose limitation, data minimization, restricted retention, and reuse might hinder AI research and applications.

However, CNIL affirms that GDPR compliance and AI development can coexist, provided specific boundaries are respected.

Regarding the principle of purpose, outlined in Article 6 of the GDPR, CNIL recognizes the need for a degree of flexibility in AI contexts. While it's impractical to define all potential applications of an algorithm at the training stage, the system's type and primary functions should be predetermined.

The principle of data minimization also demands a pragmatic approach. It doesn't necessitate minimal data usage, but rather the utilization of data proportionate to the intended purpose. This does not preclude using extensive datasets for algorithm training, but the use of superfluous personal data remains prohibited. CNIL reiterates the importance of data security in this process.

Similarly, the principle of limited data retention doesn't preclude setting extended durations for training databases when justified. CNIL acknowledges that these databases often represent significant scientific and financial investments and sometimes become widely used community standards.

CNIL clarifies that reusing data sets, especially publicly accessible ones, is generally permissible, provided they were not collected illicitly.

To assist professionals, CNIL has published a series of practical AI sheets for GDPR-compliant tool development. These sheets offer detailed guidance on applying GDPR principles:

  • The introduction outlines the scope of the sheets.
  • Sheet 1 covers the legal regime for data processing during AI system development.
  • Sheet 2 addresses determining data processing purposes for AI system learning databases.
  • Sheet 3 discusses the legal status of AI system suppliers.
  • Sheet 4 guides on choosing the legal basis for processing and additional checks based on data collection or reuse.
  • Sheet 5 details conducting a data protection impact assessment.
  • Sheets 6 and 7 advise on incorporating data protection in AI system design, data collection, and management.
  • An exemplary documentation model is included in the appendix.

These sheets are open for public consultation until November 16, 2023, inviting industry feedback. Additional sheets on legitimate interest, rights management, and data subject information are expected by year-end.

Our IT Contracts, Data & Compliance Department is available to assist in managing innovative projects and ensuring regulatory compliance.

For any queries, please reach out to us.