Defining a purpose

16 October 2023

The creation of a dataset containing personal data involves the processing of personal data which, pursuant to the GDPR, must have a purpose that is specified, explicit and legitimate. The CNIL helps you define the purpose(s) taking into account the specificities of AI systems development.

The principle

The purpose of the processing is the aim of the use of personal data. This objective must be specified, that is to say determined upstream, from the definition of the project and be included in the record of processing activities. It must also be explicit, that is to say, known and understandable. Finally, it must be legitimate, that is to say compatible with the tasks of the organisation.

Since the data are collected for a specific and legitimate purpose, they must not be further processed in a manner incompatible with that initial purpose. The principle of purpose limitation restricts how the controller may use or reuse these data in the future.

The requirement of a specific, explicit and legitimate purpose is particularly important, as it determines the application of other principles of the GDPR, including:

the principle of transparency: the purpose of the processing must be brought to the attention of the data subjects so that they are able to know the reason for the collection of the various data concerning them and to understand the use which will be made of them;
the principle of data minimisation: the data selected must be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
the principle of storage limitation: the data may only be retained for a limited period, which must be defined according to the purpose for which it was collected.

Find out more: Defining a purpose

In practice

Two hypotheses should be distinguished according to the legal regime depending on whether the operational use of the AI system in the deployment phase is identified from the development phase:

Case 1: the operational use of the AI system during the deployment phase is identified from the development phase

Case 2: the operational use of the AI system during the deployment phase is not clearly defined from the development phase (general purpose AI system)

The operational use of AI systems in the deployment phase is not always clearly identified in the development phase. This is the case for general purpose AI systems.

Examples:

An organisation may set up a dataset for training a model for classifying objects in images (persons, vehicles, food, etc.) and make it publicly accessible, without any specific operational use being foreseen in the development of the model.

This model can be freely reused in accordance with the associated license (possibly adapted, e.g. using transfer learning technology) by third-party organisations for the development of computer vision systems. The purposes can be varied, such as the detection of persons by “augmented camera” systems for the measurement of crowds on station docks or the detection of defects on images taken as part of product quality checks.

An organisation creates a dataset for training a language model to identify the language register of a text. This model can be used for various tasks: writing and summarizing articles, letters, speeches, learning French, etc.

A purpose defined in too general terms cannot be considered to be determined and explicit. This would be the case, for example, of a purpose defined as ‘the development and improvement of an AI system’.

The purpose of the developmental processing can only be considered as determined, explicit and legitimate if it is sufficiently precise. It is considered sufficiently precise when it refers cumulatively to:

the ‘type’ of system developed, such as, for example, the development of a large language model, a ‘computer vision’ system or a generative AI system for images, videos or sounds. The types of systems must be presented in a sufficiently clear and intelligible way for the data subjects, taking into account their technical complexities and rapid developments in this area.

technically feasible functionalities and capabilities, which means that the controller must draw up a list of capabilities that he or she can reasonably foresee at the development stage.

Examples of purposes considered to be compliant:

Development of a large language model (LLM) able to answer questions, generate text according to context (emails, letters, reports, including computer code), perform translations, summaries and corrections of text, perform text classification, analysis of feelings, etc.;
Development of a voice recognition model capable of identifying a speaker, his or her language, age, gender, etc.;
Development of a computer vision model capable of detecting different objects such as vehicles (cars, trucks, scooters, etc.), pedestrians, street furniture (dumpsters, public benches, bicycle shelters, etc.), road signs, tricolor lights, etc.

On the contrary, referring only to the type of AI system that one wishes to design, without referring to the technically feasible functionalities and capabilities, does not allow the purpose to be regarded as sufficiently precise.

Example of a purpose considered non-compliant:

Development of a generative AI model.

For the purposes of transparency and precision, it is further recommended that:

the purpose refers to the foreseeable capacities most at risk

The controller should be able to identify, upstream, the foreseeable capabilities of the AI system that present the most risks in the deployment phase. This would, for example, be the case of AI systems identified as “high risk” under the proposed Artificial Intelligence Regulation.

These risks may also be taken into account for the realisation of the DPIA (see How-to Sheet 5).

Learn more: Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)

the purpose refers to functionalities excluded by design

The description of the system’s capabilities may include the design choices of the system leading to limiting its functionality, such as:

the ability of a LLM to treat only short text such as publications on social networks;
the calculation time required for a computer vision system to perform its detections, which could be too long to perform real-time detection;
>the list of classes provided for a classification algorithm that would thus exclude the detection of other categories (feelings, objects, etc.).

These limitations could be specified in particular at the end of the testing and validation stages of the development phase, which allow the controller to specify the functional scope of the AI system.

the purpose specifies, as far as possible, the conditions of use of the AI system

The controller may specify the conditions of use of the AI system with regard to the operational uses identified as early as the development phase. These may include, for example, known use cases of the solution or the modalities of use (open source distribution of the model, marketing, SaaS availability, etc.).

The controller could also provide examples of operational use cases or purposes of the AI system (e.g. traffic regulation for a computer vision system capable of detecting and quantifying vehicle flows).

Special case: creation of a dataset for scientific research purposes

Possible derogations

Data processing carried out for the purpose of scientific research benefits from derogations and adjustments to certain data protection obligations (e.g. in relation to individuals’ rights or retention periods).

The controller must always define the purpose of the research and processing of data implemented. However, in the field of scientific research, it can be accepted that the degree of precision of this objective is lower or that the research purposes are not specified in their entirety, given the difficulties researchers may have in identifying it entirely from the beginning of their work. It will then be possible to provide information to clarify the objective as the project progresses.

As a reminder, any processing of data for scientific research purposes must be subject to appropriate safeguards for the rights and freedoms of the data subject, such as anonymisation or pseudonymisation (referred to in Article 89 GDPR).

What is ‘scientific research’ within the meaning of the GDPR?

The notion of ‘scientific research’ is to be understood broadly in the GDPR. In summary, the aim of the research is to produce new knowledge in all areas in which the scientific method is applicable.

In order to assist controllers in determining whether they can benefit from the provisions on scientific research, the CNIL proposes a set of criteria to assist the controller in determining whether the processing which pursues a research purpose falls within the scope of scientific research:

In some cases, it will be possible to assume the creation of datasets for AI pursues a scientific research purpose due to the nature of the organisation (e.g. a university or a public research centre) or the type of funding (e.g. funding from the French National Research Agency, ANR).
Otherwise, the following criteria (based on the OECD Frascati Manual and its definition of R & D) should be considered together. As these criteria are cumulative, the controller will in principle have to demonstrate that they are all fulfilled in order for the processing to be considered scientific research within the meaning of the GDPR. Otherwise, a case-by-case analysis is necessary to qualify the processing.
- The novelty: the processing should be aimed at achieving new results. The purpose of the research can help in the qualification of scientific research. In this respect, the publication of articles in a peer-reviewed journal or the grant of a patent makes it possible to meet the criterion of novelty.
- Creativity: this criterion is based on original and non-obvious notions and hypotheses – the contribution of the work to scientific knowledge or the state of the art. The development of collective knowledge that not only benefits the moral entity that supports the research project is a strong indication to qualify it as a scientific research.
- Uncertainty: the processing must be uncertain as to the final outcome.
- Systematicity: the processing must be part of planning and budgeting, implement a scientific methodology. Adhesion to relevant industry standards of methodology and ethics is a strong indicator to qualify as scientific research.
- Transferability/reproducibility: the processing should lead to results that can be replicated or transferred to a wider field. For example, the publication of the study carried out and the presentation of the research methodology adopted is a strong indication to highlight the willingness of the project leader(s) to share the results of their research.

The proposed definition of scientific research within the meaning of the GDPR is included in a guide more broadly dedicated to the reuse of publicly available data, currently subject to public consultation. It is possible to participate by following this link.

Find out more: