TLDR: France’s data protection authority, CNIL, has finalized extensive recommendations for developers of AI systems to ensure compliance with the General Data Protection Regulation (GDPR). These guidelines, published on July 22, 2025, clarify GDPR applicability to AI models, establish crucial security requirements, and set conditions for annotating training data. The aim is to strike a balance between fostering innovation in AI and safeguarding individual privacy rights.
The Commission Nationale de l’Informatique et des Libertés (CNIL), France’s independent data protection authority, has released its comprehensive recommendations on July 22, 2025, detailing how artificial intelligence developers must adhere to the General Data Protection Regulation (GDPR). This move addresses a significant regulatory gap in the rapidly advancing field of AI development. The guidance clarifies the applicability of GDPR to AI models, outlines essential security requirements, and specifies conditions for annotating training data.
The initiative comes in response to the swift progress of artificial intelligence across various commercial sectors, where these technical tools are increasingly used for data processing, model training, and automated decision-making systems that directly impact individual privacy rights.
Key Security Objectives for AI Development
Data Confidentiality: This mandates the protection of both restricted and publicly accessible information throughout the development process. The CNIL emphasizes that “a lack of security in the database can lead to losses of data confidentiality,” even when dealing with publicly available datasets.
Performance and System Integrity: Measures must be in place to address risks associated with poor system performance that could negatively affect end-users. While such risks often manifest during the deployment phase, the CNIL stresses that “the majority of measures must be taken” during development.
Availability: Ensuring the continuous accessibility and functionality of AI systems.
Rights Management for AI Systems
The CNIL’s guidance also clarifies how individual rights, as stipulated by GDPR, apply to AI model development and deployment. Organizations are required to implement procedures for identifying individuals within training datasets and models, a particularly challenging task for generative AI systems.
For generative artificial intelligence, the authority mandates the establishment of internal procedures to query models using selected request lists to verify what personal data the system might have memorized. If individuals cannot be identified within the models but their data exists in training databases, organizations must inform them about the risks of memorization.
Furthermore, the CNIL highlights the importance of establishing clear mechanisms for responding to data subjects’ requests for rectification, access, and erasure of personal data. For instance, if a data subject requests the correction of inaccurate personal data used to train or run an AI model, the developer should implement a verification process and promptly update the data. The CNIL suggests using version control systems to track changes and ensure consistent application of rectifications across datasets.
Future Work and Strategic Plan
The publication of these recommendations marks a crucial step for the CNIL, reflecting its commitment to supporting AI development that respects data protection while fostering innovation. As part of its 2025-2028 strategic plan, the CNIL will continue its work in several complementary areas.
In the second half of 2025, the CNIL plans to release new recommendations to further clarify the responsibilities of various actors in the AI system creation chain, including model designers, reusers, and integrators, under the GDPR. Key objectives include clarifying GDPR implications for non-anonymized models and studying the case of open-source AI, which is critical to AI technology development.
The CNIL also recommends conducting Data Protection Impact Assessments (DPIAs) for AI systems that pose high risks to individual rights. This assessment framework must consider AI-specific risks such as automated discrimination, the generation of fictional content about real persons, and vulnerabilities unique to artificial intelligence systems.
Recent enforcement actions by CNIL underscore the growing scrutiny of AI systems in France, including rejections of AI-powered age verification cameras in tobacco shops and stricter oversight of biometric analysis technologies.
Also Read:
- European Parliament Study Highlights Generative AI’s Copyright Challenges
- India Urgently Needs Rights-Based AI Framework to Safeguard Constitutional Values Amidst Rapid AI Deployment
These new guidelines, along with previous recommendations, demonstrate the CNIL’s practical approach to balancing innovation with the protection of individuals’ rights and compliance with applicable regulations.
