On April 8, 2024, the French data protection authority (CNIL) published recommendations on the development of artificial intelligence (AI) systems. In particular, CNIL highlighted the recommendations follow from its action plan on AI published in May 2023.

More specifically, CNIL clarified that the recommendations provide legal and technical explanations between the General Data Protection Regulation (GDPR) and AI. These include:

• determining the applicable legal regime;
• defining a purpose of processing;
• the legal qualification of AI system providers (e.g., controller, processor, subprocessor);
• the legal basis of processing;
• carrying out tests and verification;
• carrying out an impact assessment;
• data protection in system design; and
• data protection in data collection and management.

For example, regarding the legal qualification of an AI system provider under the GDPR, CNIL's recommendation details that who determines the 'why' and 'how' of the use of personal data are essential in determining whether an AI system provider is a controller. In practice, a vendor that develops an AI system based on pre-trained data, but which is fine-tuned or adjusted using their own data, may be considered a data controller.

In addition, CNIL provided that it will publish further recommendations on AI within the framework of the GDPR.

You can read the press release here and access the recommendations here, both only available in French.