L’artificial intelligence (AI) is becoming a lever of competitiveness for companies, and the National Commission on Informatics and Liberty (CNIL) is positioning itself in favor of a harmony between technological development and respect for privacy. In a press release dated October 11, 2023, the French authority reaffirmed that compliance with the General Data Protection Regulation (GDPR) and innovation in AI can go hand in hand.
A Legal Framework Under Clarification
AI, defined by the European Parliament as a technology capable of simulating human abilities such as reasoning or creativity, is at the heart of companies’ productivity strategies. However, its use raises ethical and legal questions, particularly concerning the processing of personal data.
To address these issues, the CNIL launched an action plan at the beginning of 2023, aimed at framing the deployment of AI while respecting individual rights. This plan includes the creation of a dedicated service and the publication of practical sheets, thus providing guidelines for industry players.
The Concerns of AI Stakeholders Regarding the GDPR
Recent interactions between the CNIL and AI stakeholders in France have highlighted concerns about the potential restrictions that the GDPR could impose. Companies, public institutions, and actors in the health sector express a need for legal clarity to move forward serenely in the exploitation of AI.
Are the Principles of the GDPR Compatible with AI?
The CNIL emphasizes several fundamental principles of the GDPR that can apply to AI without hindering its development:
- Purpose of processing: Data must be collected for specific purposes, although the CNIL admits a certain flexibility for AI systems, provided their functions are clearly defined from the design stage.
- Minimization of processing: Data must be limited to what is necessary, but this does not prevent the use of large datasets for training AIs, with particular attention to the relevance of the selected data.
- Duration of retention: Data should not be retained indefinitely, but extended retention periods are conceivable for AI training databases.
- Reuse of databases: The CNIL considers that the reuse of data is possible, subject to the legality of the initial collection and the compatibility of the purposes.
Towards Enhanced Trust in AI
The CNIL asserts that compliance with the GDPR should not be seen as a hindrance, but rather as a guarantee of trust for European citizens in AI technologies.
European Regulatory Perspectives
It is important to note that the European Parliament submitted a proposal for a regulation on April 21, 2021, aimed at establishing harmonized rules for AI, complementing the GDPR, with specific provisions for data processed by AI systems.
In conclusion, the CNIL positions the GDPR not as an obstacle, but as a pillar for an ethical and responsible AI, capable of integrating into the digital ecosystem while protecting individual rights.
