The CNIL issues its guidelines on artificial intelligence subject to consultation

The CNIL issued its guidelines on how to comply with the GDPR in the development and usage of artificial intelligence that are now subject to a consultation.

The French data protection authority, the CNIL, issued guidelines that include 7 “how-to sheets” that offer insights into the fundamental principles of the GDPR as applied to the development phase of AI systems.

The most prominent points raised by the CNIL are as follows:

1. Purpose Limitation: AI systems that use personal data or that may affect individuals must be developed and used for a specific and legitimate purpose ▶ This seems like an obvious principle, but how does it fit with the concept of general purpose AI under the AI Act?
2. Data Minimization: only personal data essential to the purpose of the AI system should be collected and used ▶ There is no doubt that this is a correct principle, but the unique ability of AI lies precisely in being able to derive from a data set information that human beings cannot comprehend. This scenario undermines the concept of data minimization because humans could not understand why a piece of information is essential;
3. Data Retention: the CNIL confirms that the principle of data retention limitation does not preclude establishing extended durations for training databases as long as they can be justified by the legitimate purpose of AI systems ▶ Information cannot simply be removed from AI memory because that would be like asking a child to forget information. AI can be made to not answer some questions, but that is a different concept.
4. Data Re-usage: it is possible to reuse databases, including publicly available data, for the formation of AI systems, provided that the data have not been collected in a blatantly illegal manner and that the purpose of reuse is consistent with the initial purpose of the collection of personal data ▶ This issue raises the issue of the legal basis of processing which was identified by the Garante, the Italian data protection authority, in the decision on ChatGPT against OpenAI. You can read on the topic the article “The Italian case on ChatGPT benchmarks generative AI’s privacy compliance?“.

The CNIL states unequivocally that AI development and privacy considerations can coexist harmoniously, provided there is sound governance and careful content oversight. However, the above principles do not take into account how generative AI systems work.

The consultation regarding the guidelines issued by the French data protection authority on artificial intelligence ends on November 16, 2023, and we have already been approached by clients willing to contribute to it. If you want to join forces, just reach out to us!