L’intelligence artificielle (IA) becomes a lever of competitiveness for companies, the Commission nationale de l’informatique et des libertés (CNIL) advocates for harmony between technological development and respect for privacy. In a press release dated October 11, 2023, the French authority reaffirmed that compliance with the General Data Protection Regulation (GDPR) and innovation in AI can go hand in hand.
A Legal Framework Under Clarification
AI, defined by the European Parliament as a technology capable of simulating human capabilities such as reasoning or creativity, is at the heart of companies’ productivity strategies. However, its use raises ethical and legal questions, particularly regarding the processing of personal data.
To address these challenges, the CNIL launched an action plan at the beginning of 2023, aimed at regulating the deployment of AI while respecting individual rights. This plan includes the creation of a dedicated service and the publication of practical fact sheets, thus providing guidelines for stakeholders in the sector.
The Concerns of AI Stakeholders Regarding the GDPR
Recent interactions between the CNIL and AI stakeholders in France have highlighted concerns regarding the potential restrictions that the GDPR could impose. Companies, public institutions, and healthcare stakeholders express a need for legal clarity to proceed smoothly in leveraging AI.
Are GDPR Principles Compatible with AI?
The CNIL emphasizes several fundamental principles of the GDPR that can apply to AI without hindering its development:
- The purpose of processing: Data must be collected for specific purposes, though the CNIL admits some flexibility for AI systems, provided their functions are clearly defined from the design stage.
- Data minimization: Data must be limited to what is necessary, but this does not preclude the use of large datasets for training AIs, with particular attention to the relevance of the selected data.
- Retention period: Data should not be retained indefinitely, but extended retention periods are feasible for AI training datasets.
- Reusing databases: The CNIL considers that reusing data is possible, subject to the legality of the initial collection and the compatibility of purposes.
Toward Enhanced Trust in AI
The CNIL asserts that compliance with the GDPR should not be seen as a hindrance, but rather as a guarantee of trust for European citizens in AI technologies.
European Regulatory Perspectives
It is important to note that the European Parliament submitted a proposal for a regulation on April 21, 2021, aimed at establishing harmonized rules for AI, complementary to the GDPR, with specific provisions for data processed by AI systems.
In conclusion, the CNIL positions the GDPR not as an obstacle, but as a pillar for ethical and responsible AI, capable of integrating into the digital ecosystem while protecting individuals’ rights.
