The French Data Protection Authority (CNIL) is still seeking input from Artificial Intelligence (AI) stakeholders on how to ensure that AI systems comply with data protection laws. The use of large amounts of data is essential for AI development and deployment, making data protection a central concern, and the CNIL’s questionnaire provides an overview of the main issues data protection authorities face in this respect.

CNIL’s interest in AI

As explained in our previous blog entry, the CNIL (la Commission Nationale de l'Informatique et des Libertés), the French Data Protection Authority, is taking the lead on AI regulation and is currently soliciting input from AI stakeholders through a questionnaire detailing its main concerns. Recognizing the strong correlation between AI and data protection, the questionnaire underscores the critical need for effective and responsible management of data in AI systems.

The CNIL’s interest in AI systems stems from the fact that data is essential to AI development and deployment. During the training phase, AI models must be exposed to large amounts of data to learn to identify patterns and make predictions, a practice that needs to be aligned with GDPR principles. Maintaining data integrity ensures that AI models are accurate and unbiased. In the production phase, robust data protection is vital to prevent privacy issues as AI systems process new data. Maintaining transparency and accountability in AI decisions requires rigorous data management and traceability, both of which are core principles of the GDPR. Regulatory compliance must be implemented early on to avoid legal and reputational repercussions.

This is why the CNIL is rapidly building up its AI expertise through its new AI department, both to manage such compliance and to act as the designated AI regulatory body under the future AI Act.

CNIL’s focus points

The CNIL’s questionnaire focuses on the following key points:

  1. Purpose of Processing: The CNIL is asking for thoughts on defining the purpose of processing when training an AI model, considering that AI can be applied across various sectors. It also seeks to understand the conditions under which an AI system's design has a scientific research or statistical purpose and how these research and commercial purposes might be differentiated once the AI system is marketed.

  2. Data Minimization: In line with data protection principles, AI database creation requires careful data selection and minimization. The CNIL is seeking insights into current best practices and the minimization measures implemented to comply with these principles, highlighting the need for responsible data collection and usage.

  3. Data Protection by Design and Default: The CNIL aims to understand how AI practitioners are adhering to the principle of data protection by design and default, reflecting the integration of data protection measures from the conception of the AI system. Insights are sought on the operational implementation of technical, contractual, and organizational measures.

  4. Balancing Rights and Interests: When AI database creation and model training are based on the data controller's legitimate interests, it is crucial to balance these interests with the rights and interests of individuals whose data is processed. The CNIL is interested in understanding how this balance is being struck, including potential impacts on privacy and other fundamental rights, and the compensatory measures used to limit processing impacts.

Stakeholders are encouraged to contribute concrete examples of AI practices and to send their responses to [email protected]. The CNIL also encourages contributors to share examples of publicly accessible datasets that both highlight compliance challenges and embody good practices.