On 7 February 2025, the National Commission on Informatics and Liberty (CNIL) published recommendations to guide the development of machine learning and artificial intelligence systems in compliance with the General Data Protection Regulation (GDPR). These guidelines explain that for general-purpose AI systems, the principle of purpose is applied in an adapted manner, allowing developers to describe their system's type and main functionalities without defining all future applications at the outset. While large training databases are permitted, data should be selected and cleaned to optimise training while minimising unnecessary personal information. Retention periods may be long if justified and protected by appropriate security measures, particularly for databases requiring significant investment and recognised by the scientific community. The reuse of publicly available databases is generally allowed, provided the data was lawfully collected and its reuse aligns with the original purpose. Individuals must be informed when their personal data is used in AI training, though the level of detail and method of communication can be adjusted based on risks and operational constraints. When contacting individuals directly is impractical, such as with AI models trained on third-party data, general information on an organisation's website may suffice. GDPR rights remain applicable but can be difficult to enforce in AI models. The CNIL urges developers to integrate privacy protections from the design stage, anonymising data where possible and exploring solutions to prevent AI from revealing confidential personal information. In some cases, cost, feasibility, or technical limitations may justify restrictions on these rights.