Determining the applicable legal regime
When it contains personal data, the creation of datasets for AI systems as well as the development phase must comply with the relevant regulations. The CNIL helps you determine the legal regime applicable to data processing in the development phase.
The principle
The development and deployment phases of an AI system constitute separate processing of personal data. The legal regime applicable to each processing must be determined.
Different regulations may apply to these data processing: the GDPR is intended to apply to all processing of personal data, both in the public and private sectors, with the exception of processing under the regime set out by the Directive (EU) 2016/680 of 27 April 2016 and the national relevant dispositions (the law enforcement directive) or the regime relating to national defence or state security.
As a reminder: the principles and recommendations formulated in these how-to sheets concern only the processing, carried out during the development phase, which fall within the scope of the GDPR. This excludes developments that fall under the “police-justice” regime or that of processing involving national defence or state security.
In practice
To determine the legal regime for data processing in the development phase, two cases must be distinguished.
Case 1: the operational use of the AI system during the deployment phase is defined from the development phase
In the event that the operational use of an AI system is identified as early as in the development phase and if the data processing operations in the development phase are carried out exclusively for the same purpose as those in the deployment phase, it is possible to consider that they generally fall under the same legal regime (see Conseil d’Etat, 22 July 2022, No 451653).
This will be the case in particular where the choice of the development of a specific AI system is one of the means identified to achieve the purpose of the system to be deployed.
Case 2: the operational use of the AI system during the deployment phase is not clearly defined from the development phase (general purpose AI system)
The development and deployment phases of an AI system can be decorrelated.
It is not always possible to clearly identify the purpose of the data processing during the deployment phase as early as the development phase. Some AI systems (general purpose AI systems) are developed without a specific operational use and then eventually operated in a second stage.
The legal regime for the development phase is therefore not systematically the same as that determined in the deployment phase.
In this case, it is generally considered that the data processing in the development phase is subject to the GDPR, depending on a case by case analysis.
Example: an organisation wishes to develop a voice recognition model capable of identifying a speaker and his/her language in order to commercialise it for different operational uses in the production phase (e.g. tools for identifying people by voice assistants or voice translation applications on a mobile device, etc.).
In this case, the creation of the model training dataset falls within the scope of the GDPR.
This does not rule out, depending on the operational use of the AI system, the possibility that the data processing during the deployment phase may be subject to the ‘police-justice’ regime, if it is carried out by a competent authority for the purposes of prevention, detection, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
| Previous : What is the scope of the AI how-to sheets? | Table of contents | Next : Defining a purpose |
