On 8 April 2024, the French Data Protection Authority (CNIL) adopted its recommendations on the development of artificial intelligence (AI) systems in compliance with the General Data Protection Regulation (GDPR). The Recommendations are the result of a public consultation and are addressed to professionals who develop AI systems. They set out 7 steps for the responsible development of AI systems: defining a purpose for the AI system, determining the developers' responsibilities, defining the legal basis authorising the processing of personal data, checking whether personal data can be reused, minimising the personal data processed, defining a shelf life, and conducting a data protection impact assessment (DPIA). With regard to data protection, in the second step CNIL recommends determining the developers' responsibility, which means determining whether the developer is using the data as a controller (RT) or a processor (ST), with the former having direct contact with the data subjects and the latter being in a subcontract relationship with the controller. In the third step, developers should define the legal basis for the processing of personal information, which can be consent, compliance with a legal obligation, execution of a contract, execution of a mission of public interest, safeguarding vital interests, or the pursuit of a legitimate interest. In the last steps, CNIL specifies measures to be followed regarding system design choices and privacy by design requirements.