
CNIL's Recommendations on AI Systems

In the fast-moving field of artificial intelligence (“AI”), regulatory bodies play a crucial role in upholding data privacy and ethical AI development. On 8 April 2024, the Commission Nationale de l'Informatique et des Libertés (“CNIL”), the French data protection supervisory authority, published a set of seven recommendations. Presented as practical “sheets”, they offer guidance for developers working at the intersection of AI and the European Union’s General Data Protection Regulation 2016/679 (“EU GDPR”). We have briefly outlined these recommendations below.


1. Determine the applicable legal regime


  • This sheet outlines the legal considerations surrounding the development and deployment of AI systems, particularly regarding the handling of personal data. It distinguishes between cases where the processing in the development phase and the processing in the deployment phase fall under the same legal regime, and cases where separate regimes apply:

⇾ Case 1: When the operational use of the AI system in the deployment phase is clearly identified during development and serves the same purpose, both phases typically fall under the same legal regime. However, if the system is intended exclusively for purposes related to preventing, investigating or prosecuting criminal offences, it may instead fall under the "police-justice" regime (Directive (EU) 2016/680, the Law Enforcement Directive).

⇾ Case 2: In situations where the operational use of the AI system is not clearly defined during development, as with "general purpose" AI systems, the legal regime of the development phase may not align with that of the deployment phase. Processing during development is generally subject to the EU GDPR, but deployment may fall under a different regime depending on the specific operational use, such as the "police-justice" regime if the system is used for law enforcement purposes.


2. Define a purpose


  • This sheet emphasises the importance of determining a clear, explicit and legitimate purpose for processing personal data, especially in the context of developing AI systems.

  • The purpose must be established early in the project and must be consistent with the organisation's missions, as it sets the trajectory for every subsequent step.

  • Adhering to this principle is crucial because it shapes other EU GDPR principles, such as transparency, data minimisation and the limitation of retention periods.

  • A well-defined purpose ensures that data subjects know why their data is collected and how it will be used, and restricts data usage to what is necessary for the intended objective.


3. Determine the legal qualification of AI system providers


  • This sheet highlights the different roles organisations can play in setting up training databases containing personal data in the context of developing AI systems.

  • These roles include the AI system provider, who develops and markets the system, as well as importers, distributors and users of the system.

  • Each actor's qualification under the EU GDPR (as a data controller, joint controller or processor) must be determined on a case-by-case basis, depending on its involvement in the data processing activities.


4. Define a legal basis


  • This sheet emphasises that organisations intending to build training databases containing personal data must ensure that the processing is lawful.

  • The CNIL offers guidance for determining an organisation's obligations based on its role and on how the data is collected or reused.

  • The data controller must identify a legal basis and carry out additional checks depending on how the data is collected or reused.

  • Various collection methods may be used, such as direct collection from individuals or gathering from open internet sources. Some of these require additional precautions, especially when the data was initially collected for a different purpose.


5. Carry out an impact assessment if necessary


  • This sheet underscores the need to conduct a Data Protection Impact Assessment (“DPIA”) when building a database for training an AI system where the processing is likely to pose a high risk to individuals' rights and freedoms.

  • A DPIA involves mapping and evaluating the risks associated with processing personal data, with the goal of devising an action plan to reduce those risks to an acceptable level. Tools provided by the CNIL support this process, helping to assess risks before implementation and to ensure ongoing monitoring.

  • Key components of a DPIA include assessing the likelihood and severity of risks to individuals, analysing the measures taken to uphold individuals' rights, evaluating the control individuals have over their data, and ensuring transparency in the processing.

  • The DPIA must be carried out before the processing is implemented and updated iteratively as the characteristics of the processing and the risk assessment evolve.


6. Take data protection into account in the design of the system


  • This sheet highlights that, to ensure data protection compliance when developing an AI system, a preliminary reflection during the design phase is essential. This process involves considering five key stages:

⇾ Defining the system's objective, which lays the groundwork for subsequent decisions.

⇾ Determining the methodology, which influences the database's characteristics and operational framework.

⇾ Identifying data sources, including considerations of compliance with data protection laws, open sources and third-party data.

⇾ Selecting only necessary data from these sources, weighing their usefulness against potential impacts on individuals' rights and freedoms.

⇾ Validating design choices, which may involve conducting pilot studies or seeking input from ethics committees.


7. Take data protection into account in data collection and management


  • This sheet highlights that, in developing an AI system, the management and monitoring of training data are crucial tasks.

  • The CNIL outlines how data protection principles apply to the management of training data.

  • Specifically, once the data and its sources have been identified, the AI system provider must collect the data and build its database in a manner consistent with those principles.


Aria Grace Law CIC


Aria Grace Law CIC is dedicated to assisting clients in adopting a proactive approach to compliance, particularly in integrating data protection principles into the design of AI systems. Our data privacy team has experience in engaging with various data protection supervisory authorities, including the CNIL. We partner with organisations to ensure regulatory adherence and the seamless integration of data protection principles into AI development. If you have any questions or require further assistance, please get in touch with us at


Article by Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 3 May 2024

