The CNIL’s Action Plan on Artificial Intelligence

The CNIL’s action plan on artificial intelligence has four main components:

— Understanding how AI systems work and their impact on individuals

We need to be able to understand how AI systems work in order to assess the impact on the protection of personal data when processing or transmitting data collected by these tools. We also need to ensure that this data is protected against bias and discrimination, particularly when it is publicly accessible on the Web. To help with this understanding of AI systems, the CNIL’s Digital Innovation Laboratory (LINC) has published a dossier on generative AI in particular, detailing how it works, outlining the legal issues involved in its design and specifying the ethical and security challenges of AIS.

— Enabling and supervising the development of AI that respects personal data

This objective, which was mentioned in the 2022 annual report, concerns several actions already carried out by the CNIL. These include the publication of educational fact sheets on AI and a guide for professionals; also the publication of the CNIL’s position on the use of so-called augmented cameras, which use AI on images captured in the public space and therefore constitute new risks for fundamental rights and freedoms and whose use should be supervised by the public authorities. This issue of the use of augmented cameras by public authorities is a priority in the CNIL’s 2022–2024 strategic plan, and will also be a priority for its inspections in 2023.

In addition, this second part of the CNIL’s action plan will lead to the publication in autumn 2023 of several documents relating in particular to the rules applicable to the sharing and re-use of accessible data used to train AI models and to recommendations on the design of AI systems.

— Federating and supporting innovative players in the AI ecosystem in France and Europe

Company’s innovation in the field of AI need to take on board the issues surrounding the protection of personal data. To help them achieve this objective, the CNIL offers several types of support. Generally speaking, there is ‘sandbox’ support. In 2021, this will apply to companies in the health sector, and in 2022 to those in the education sector. In 2023, support will focus on the use of AI in the public sector. In a more specific way, the CNIL is offering support for suppliers of ‘augmented’ video surveillance as part of the experiment planned by the law relating to the 2024 Olympic and Paralympic Games. A final type of support, described as enhanced, has been in place since 2023. In return for a strong commitment on the part of companies, this last type of support includes legal and technical support, a review of the compliance of the processing operations implemented and, lastly, awareness-raising initiatives on data protection issues aimed at employees and managers.

— Auditing and controlling AI systems and protecting individuals

This final part of the CNIL’s action plan can be implemented at various stages of the use of AI systems that use personal data. A priori, each person using these AI systems must benefit from information measures on the use of personal data and be aware of the conditions for exercising their rights. In addition, companies must have carried out a data protection impact assessment beforehand to evaluate the risks and adopt the necessary measures to reduce their occurrence.

A posteriori, the CNIL intends to step up its control measures on several points in 2023: compliance with the position on the use of ‘augmented’ video surveillance, the use of algorithms in the fight against fraud and, finally, control procedures in the context of the use of generative AI and the processing of data by them.

The aim of the CNIL’s four-part action plan is to prepare for the implementation of the European regulation of AI. France has not yet created or assigned the role of national supervisory authority for artificial intelligence, as provided for in this AI Act regulation. In a study published in 2022, the French Conseil d’Etat recommended that this role of national supervisory authority for the regulation of artificial intelligence systems should be assigned to the CNIL.

In Spain, a decree issued in August 2023 formalised the creation of a national supervisory authority for artificial intelligence (the Spanish Artificial Intelligence Supervisory Agency, AESIA). This agency, which is attached to the Spanish Ministry of Economic Affairs and Digital Transformation and is different from the Spanish Data Protection Agency, is the first body created within the European Union for this purpose.