A few months after the publication of a study in which the French Council of State recommended that the CNIL be the national supervisory authority pursuant to the upcoming AI Act, the CNIL published its AI action plan, available here in French, that outlines its priorities for the coming years:
Ensuring compliance with GDPR principles
The CNIL highlighted that the design and operation of AI systems raise challenges for data protection, including the fairness and transparency of data processing, protection against scraping of publicly available data, and safeguarding users data during collection, reuse and processing operations, and that it will focus on these points. The CNIL also announced that it will pay particular attention to the rights of individuals regarding their data and their protection against discrimination.
Providing guidance to stakeholders
The purpose of the CNIL’s work is also to address issues raised by various stakeholders regarding the GDPR – AI Act interplay. The CNIL has already published different AI-related resources and plans to publish a guide for companies on how to comply with privacy and data protection rules when designing AI systems that will be open to public consultation. Several other guidance documents are also expected starting from Summer 2023 regarding conception of AI systems, building of databases for machine learning, and regarding data sharing and re-use.
Assisting stakeholders
The CNIL also aims to support and promote stakeholders within a framework that complies with rights and freedoms. This is also an objective that is in line with the CNIL’s previous work, for instance with projects that the CNIL advised on through its sandboxes in the healthcare sector in 2021 and education in 2022. The CNIL indicated that it opened in 2023 a new support program for AI companies to accompany them in their compliance with GDPR rules.
Auditing and investigating AI systems
The CNIL is planning to monitor compliance of AI systems by implementing auditing tools for AI systems, focusing on augmented cameras and AI usage in fraud prevention. Of course, one of the CNIL’s strategic areas of focus will be undertaking investigations and following up complaints on AI systems, in cooperation with other authorities and the EDPB. The CNIL finally emphasizes the importance for stakeholders that are processing personal data for AI systems to conduct data protection impact assessments (DPIA) and ensure respect of individuals rights.
The CNIL's 2023 AI action plan underscores a dual commitment: fostering AI innovation while also safeguarding individuals' rights through the promotion of responsible AI usage. This clearly indicates their belief that AI innovation and individual rights protection are not mutually exclusive but can coexist. We look forward to seeing how the plan will be implemented, particularly in light of the final version of the AIA.
Authored by Patrice Navarro, Julie Schwartz, Gabriel Lecordier, and Clément Taieb.
