France: CNIL requests comments on new AI recommendations

On June 10, 2024, the French data protection authority (CNIL) announced the reopening of a public consultation on the development of its recommendations on artificial intelligence (AI). In particular, CNIL highlighted the publication of its recommendations on AI first published in April 2024.

CNIL outlined that the consultation aims to focus on recommendations on topics including:

  • data scraping for model training;
  • open-source AI models;
  • the management of people's rights; and
  • the application of the General Data Protection Regulation (GDPR) to AI models trained with personal data.

CNIL clarified that it is seeking comments on seven recommendations including:

  • legal basis for legitimate interest and the development of AI systems;
  • legitimate interest and the dissemination of open-source models;
  • legitimate interest and data scraping;
  • informing individuals of the use of their personal data to develop AI models;
  • respecting and facilitating the exercise of data subject rights;
  • data annotation to ensure data quality; and
  • ensuring data security during the development of an AI system.  

In addition, CNIL noted that it also seeks responses on a questionnaire related to the GDPR, to assess under what circumstances AI systems fall within the scope of the GDPR. Specifically, CNIL detailed the potential risk of AI models regurgitating training data in their use.

Data scraping and legitimate interest

Notably, regarding web scraping on the basis of legitimate interest, CNIL provided that organizations must define the precise collection criteria in advance and apply filters to exclude the collection of unnecessary data categories, pursuant to Article 5(1)(c) of the GDPR. Organizations must also ensure that irrelevant data that is collected is deleted immediately after collection or as soon as it is identified. CNIL stated that particular measures should be instituted to exclude the collection of non-relevant sensitive data. More specifically, CNIL recommended:

  • excluding, by default, the collection of data from certain websites (health forums, websites used by minors);
  • scraping from websites which expressly object to data scraping for AI training purposes;
  • limiting the collection of freely accessible data made public by data subjects;
  • anonymizing and pseudonymizing data after data collection;
  • providing data subjects with the option to object to data processing; and
  • registering contact details with CNIL.

CNIL clarified that an AI data scraping registry has not yet been established, and is subject to public consultation.

CNIL noted that legitimate interest is the most commonly used legal basis for the development of AI systems. Such a legal basis requires risk assessments for individuals and the implementation of measures to protect individuals and their data, particularly in the case of data scraping. Data scraping must be subject to specific safeguards to ensure data subject rights, with CNIL proposing the creation of a voluntary register to record data scraping practices.

Regarding open-source AI models, CNIL considers such practices to be beneficial for data protection, providing increased transparency for individuals on how the AI model and AI system work. However, CNIL explained that the openness of the AI model must be real to ensure the effective exercise of data subject rights. Finally, CNIL outlined the risk of memorization, extraction, or regurgitation of information used in AI model training and the potential risk to the confidentiality of personal data.

Public comments can be submitted here until September 1, 2024.

You can read the press release here, the recommendations here, and the GDPR questionnaire here, all only available in French.

Update: July 2, 2024

CNIL publishes AI recommendations in English

On July 2, 2024, CNIL requested public comments on the seven recommendations on the development of AI systems in English. 

You can access the press release here.