The French Data Protection Authority (CNIL) Publishes Guidance on the Regulation of Artificial Intelligence
CNIL aims to regulate generative AI.

The EU AI Act, introduced in April 2021 and reaching a political consensus in December 2023, was published in the Official Journal of the EU on July 12, 2024. It entered into force on August 1st, 2024. This regulation will serve as a foundational framework for AI development both within the EU and globally.
The French Data Protection Authority (CNIL) also takes an active role in the implementation of artificial intelligence regulation. In May 2023, the CNIL released its “AI Action Plan” and initiated significant efforts to clarify the legal framework, aiming to ensure the security of stakeholders.
In particular, the CNIL is concerned about the deployment of generative AI.
"Generative" artificial intelligence encompasses systems capable of creating various types of content, including text, computer code, images, music, audio, and videos. When these systems can execute a wide array of tasks, they are categorized as general-purpose AI systems, such as those incorporating large language models (LLMs).
These systems are typically used to enhance creativity and productivity by generating new content and analyzing or modifying existing content, such as providing summaries, corrections, or machine translations.
However, because of their probabilistic nature, these systems might generate results that are inaccurate yet still seem plausible. This represents risks for the users.
In this regard, the CNIL recommends:
- Starting from a Concrete Need: Avoid deploying a generative AI system without a specific purpose; instead, ensure it meets already identified uses.
- Framing Uses: Define a list of authorised and prohibited uses based on the associated risks (e.g., not providing personal data to the system, or not entrusting it with decision-making).
- Acknowledging Limitations of Those Systems: Be aware of the system's limitations, particularly regarding the risks it may entail or pose to the interests and rights of individuals.
- Choosing a Robust system and a Secure Deployment Mode: For example favor the use of local, secure and specialized (fine-tuned) systems. Otherwise, if using a third-party provider, determine to what extent they may reuse the data provided to the AI system, and adapt usage accordingly.
- Training and Raising Awareness: Educate end-users, about both prohibited uses and the risks involved in official uses.
- Implementing Appropriate Governance: Ensure compliance with the GDPR and these recommendations, in particular by involving all stakeholders from the outset (data protection officer, information systems officer, CISO, business managers, etc.)[1].
The CNIL published the first recommendations on the development of artificial intelligence systems on 7 June 2024[2]. The CNIL also plans to issue additional recommendations on generative AI systems in the near future.
[1] www.cnil.fr
[2] www.cnil.fr/fr/ai-how-to-sheets

