The French Data Protection Authority (CNIL) has published useful recommendations on how to use AI solutions that process personal data in compliance with the GDPR.
Here are the key takeaways from the CNIL’s latest recommendations on how to exploit artificial intelligence in compliance with the GDPR for AI solutions that process personal data:
1. Development Phases: The CNIL emphasizes the importance of adhering to the GDPR from the inception phase of AI development, covering system design, database building, and the learning phase → We have many clients running AI-related pilot projects who ignore compliance obligations because of the limited scope. But even limited artificial intelligence projects require GDPR compliance;
2. Purpose Definition: A clear, explicit, and legitimate purpose for AI systems is pivotal. Whether for a specific operational use or for general purposes, outlining the potential capabilities and functionalities is crucial for GDPR compliance → Some AI solutions are general purpose, but the GDPR still requires a purpose definition and an ad hoc assessment;
3. Responsibility Clarification: Identifying whether you are a Data Controller, a Processor, or fall under other roles defined in the EU AI Regulation is fundamental to determining your compliance obligations → It seems obvious, but it might not be the case if the provider has a prominent role in determining how the AI operates;
4. Legal Basis Identification: Establishing a legal basis for personal data processing, whether through consent, legitimate interest, or other GDPR provisions, is essential → Legitimate interest seems to be the most obvious basis, but a substantiated Legitimate Interest Assessment (LIA) shall be run to prove the underlying legitimate interest;
5. Data Reuse and Minimization: The CNIL advocates for the lawful reuse of personal data and stresses the importance of data minimization, ensuring that only the data necessary for the defined purpose is processed → Given the massive capabilities of AI solutions, defining what is necessary appears to be burdensome. However, it is an assessment process that needs to be run;
6. Retention and DPIA: Setting a defined retention period for personal data and conducting a Data Protection Impact Assessment (DPIA) are recommended to mitigate risks and maintain data protection standards → It can be hard to argue that a GPAI does not process personal data on a large scale given its processing power.
The recommendations provided by the CNIL to ensure GDPR compliance of AI solutions are useful and should be made part of the internal policy adopted by any company that wishes to exploit artificial intelligence and, at the same time, to prevent third parties' AI from scraping its copyright-protected content and data. At DLA Piper, we are assisting several clients on the topic, reach out to us if you want to know more.
For more on the topic, see the webpage dedicated to AI Act related articles.