Today, data protection has become a major concern for users. In this context, the General Data Protection Regulation (GDPR) stands as the fundamental standard in the EU.
In France, the National Commission on Informatics and Liberty (CNIL) is the supervisory authority responsible for ensuring that companies apply the GDPR.
What are the fundamental principles of the GDPR, what are the new guidelines issued by the CNIL, and what do they mean for organizations? How can these requirements be integrated into the day-to-day activities of businesses?
The Fundamental Principles of GDPR
Lawfulness, Fairness, and Transparency: Organizations must process individuals' personal data in compliance with current laws and regulations, on a valid legal basis, while communicating clearly and transparently about how the data is processed.
Purpose Limitation: Personal data may only be collected for specific, explicit, and legitimate purposes. Any further processing incompatible with those purposes exposes the organization to sanctions for non-compliance.
Data Minimization: Collection must be limited to the data strictly necessary for the stated purpose. Data that is not needed should be deleted or anonymized, and collection mechanisms should be designed so that only the necessary data is captured in the first place.
Data Accuracy: Personal data must be accurate and, where necessary, kept up to date. Organizations must take every reasonable step to rectify or erase inaccurate data without delay, which in practice requires processes for data subjects to request correction and for updates to propagate to every copy of the data.
Storage Limitation: Before collecting personal data, companies must determine a retention period, defined either as a fixed duration (e.g., 2 years) or by reference to a specific event (such as the end of a contract). This period must be consistent with the purpose of the processing. In case of uncertainty, refer to the CNIL's recommendations on retention periods.
Data Security: Each data controller or processor must implement appropriate security measures to minimize the risk of data breaches. These measures can be organizational, technical, or physical, as required by Article 32 of the GDPR.
Accountability and Responsibility: Data controllers and processors are required to document their compliance efforts. The principle of accountability is concretely expressed in the record of processing activities required by Article 30 of the GDPR, which catalogs all relevant information about each processing operation.
The New CNIL Guidelines on AI: 7 Sheets for Ethical AI
Continuing in the same context, CNIL has recently published practical sheets to help integrate GDPR into AI development, thus promoting responsible innovation in the EU’s digital space.
These guidelines are the result of a public consultation launched as part of CNIL’s “AI plan,” initiated in May 2023, aiming to address the concerns of AI stakeholders who sometimes view GDPR as a barrier to innovation. Refined through 42 varied contributions, these practical sheets provide tailored recommendations for AI developers and users. They also offer essential tools for AI actors to develop technology that respects individual rights. This initiative demonstrates CNIL’s commitment to promoting balanced technological innovation, considering both the potential of AI and the importance of privacy.
Here is a description of the 7 sheets published by CNIL:
Introductory Sheet – The Scope of Practical Sheets on AI:
CNIL defined this scope based on the European Parliament’s definition of AI in the proposed AI regulation. This sheet focuses on the development phase of AI systems, also covering data processing subject to GDPR.
Sheet 1 – Determine the Applicable Legal Framework:
Contributors misunderstood the objective and scope of this sheet, because the draft did not define "legal framework" and gave no indication of when the GDPR or the "law enforcement directive" applies. In the final version, the CNIL specified the notion of "legal framework" and added illustrations for general-purpose AI systems. The objective of this sheet is to help the data controller determine which data protection rules apply when developing an AI system.
Sheet 2 – Define a Purpose:
Some contributors expressed concerns about the criteria for defining the purpose of general-purpose AI systems, finding them either too flexible or too rigid. The CNIL took these concerns into account and clarified the criteria in the final version of Sheet 2, drawing a clear distinction between what the regulation requires and what it recommends as best practice.
Regarding the reuse of scientific research data for other purposes, CNIL emphasized that using anonymized data or models without personal data is not problematic. However, reusing personal data initially collected for research purposes for other objectives is legal only if these objectives are compatible and comply with GDPR principles.
Sheet 3 – Determine the Legal Qualification of AI System Providers:
Several contributors requested clarifications on roles and qualifications in the context of GDPR, in relation to the AI regulation proposal. In this context, CNIL added explanations to clarify what it means to be an “AI system provider” according to GDPR and provided an example illustrating the case where a model has been adjusted using personal data. Some contributors found the qualification criteria and examples too restrictive. CNIL responded that the legal qualification of AI system providers must be assessed on a case-by-case basis, and this sheet aims to provide guidance for this analysis, in line with the European Data Protection Board’s guidelines 07/2020.
Sheet 4 – Ensure that Processing is Lawful:
Existing AI systems may be reused to meet legal obligations under certain conditions. Where sensitive data is collected incidentally, in particular through web scraping, the collection must be limited and such data deleted promptly. For the reuse of public databases, the CNIL stressed that the lawfulness of their use must be assessed case by case, and that it is the data controller's responsibility to ensure that lawfulness.
Sheet 5 – Conduct an Impact Assessment if Necessary:
regulation proposal, as well as for models obtained from third parties. The CNIL confirmed that a DPIA would be mandatory for high-risk systems and recommended that model creators conduct a DPIA and pass it on to users of the model. It also clarified the criteria that trigger a DPIA, such as "innovative uses" and "large-scale processing," without setting precise thresholds.
Sheet 6 – Consider Data Protection in System Design:
Contributors raised obstacles to applying the minimization principle during AI system development, particularly regarding the preparation of appropriate architecture before data testing. CNIL clarified that the minimization principle does not define an explicit threshold and does not prohibit the collection of large amounts of data but emphasizes the importance of anticipating data collection and using only what is strictly necessary. Regarding the role of an ethics committee, CNIL believes that consultation is a good practice but should not replace competent authorities. An alternative could be consulting or mobilizing an “AI referent.”
Sheet 7 – Consider Data Protection in Data Collection and Management:
Some contributors expressed concerns about the limitation on the retention period of training data, which can complicate AI system audits and bias assessments. CNIL emphasized the importance of these analyses for system security during deployment and clarified its position by modifying the sheet to indicate that it is possible to retain training data for audit purposes after selection, provided appropriate security measures are in place.
New CNIL Guidelines: Key Implications for Businesses
The new CNIL guidelines, aimed at integrating GDPR into AI development, can significantly impact business practices, presenting both challenges and opportunities.
Main Challenges
Costs and Resources: Implementing adequate data protection measures requires significant investment in internal resources, money, and time. This includes training staff on security best practices, which has a direct cost and takes people away from their work during the sessions, as well as the ongoing effort of implementing and maintaining the measures. These efforts are essential for data security, but they represent a considerable commitment.
Limited Data Utilization: The regulatory constraints limit how businesses can use the data they hold, and any use that falls outside them exposes the company to sanctions and fines. This restricts their ability to fully leverage the available data, with an impact on their potential for innovation and competitiveness.
Compliance Complexity: The complexity of AI technologies sometimes makes it difficult to understand and implement the GDPR's requirements, which poses an additional challenge for businesses.
Main Opportunities
Trust Enhancement: The new CNIL guidelines offer significant opportunities for business practices by strengthening trust among various stakeholders. By clarifying standards and providing precise guidelines, these directives help establish a transparent and reliable framework for data collection and processing.
Responsible Innovation: This notion relies on the ethical use of technology, developing AI systems that adhere to high ethical standards, thus ensuring transparency and social responsibility of businesses.
Competitive Advantage: The ability to effectively manage data protection risks can be a major competitive advantage for businesses. By demonstrating their commitment to data privacy and security, companies can enhance their reputation in terms of credibility.
Regulatory Compliance: Regulatory compliance allows businesses to avoid potential fines and sanctions related to non-compliance. Companies thus reduce legal and financial risks associated with possible data breaches.
How to Integrate GDPR into Business Practices
To integrate GDPR compliance requirements into their practices, businesses must understand that the GDPR applies to every organization that processes personal data, regardless of its size or sector. Its application, however, varies with the nature, context, purposes, and risks of the processing.
In this context, CNIL adopts a pragmatic approach by supporting actors in their compliance efforts. Recognizing the awareness challenges for small and medium-sized enterprises (SMEs), CNIL has developed a specific action plan, providing tailored tools, practical sheets, and a well-defined support approach to facilitate understanding and implementation of GDPR requirements for all businesses.
Ensuring effective GDPR compliance also requires promoting smooth collaboration between legal, technical, and operational teams. This collaboration enables a comprehensive understanding of regulatory requirements combined with precise risk identification. It allows teams to implement solutions tailored to the entire organization, ensuring continuous and robust compliance with data protection standards.
In conclusion, protecting user data is now a fundamental obligation for businesses and a prerequisite for the security of personal information. Companies must take well-defined measures to comply with the CNIL's guidance and with the GDPR in general, which strengthens user trust and avoids legal repercussions.
In this context, TOP is involved and committed to these advancements, offering a solution compliant with the AI Act and GDPR to reduce employee turnover within companies, continuously evolving its algorithms and data processing practices to adhere to these essential regulatory standards and thus generate reliable and unbiased results. For more information on TOP’s commitment to data protection, you can consult our related content through the following links: