On 19 June 2025, the French Data Protection Authority (CNIL) adopted guidance on using legitimate interest as a legal basis for developing Artificial Intelligence (AI) systems under the General Data Protection Regulation. The guidance applies to private organisations that process data without relying on consent and to public bodies engaging in activities beyond their core public missions, including human resources management. It clarifies that legitimate interest can only be used if three conditions are met: the interest pursued is lawful, the processing is necessary, and it does not override individuals’ rights, which requires a balancing test. Data controllers must assess and document compliance with these conditions and implement safeguards, particularly when a data protection impact assessment is required.