What is the scope of the AI how-to sheets?

The how-to sheets relate to dataset creation activities and their use in the development of AI systems when all or part of that data is personal data. In practice, three cases may be encountered:

• It is certain that no personal data is present in the dataset: the how-to sheets are not applicable (although some recommendations, in terms of good practice, may be relevant);
• It is certain that personal data are present: the how-to sheets apply (note that the European texts lay down the rule that ‘mixed’ datasets are governed by the GDPR, if both types of data are inextricably linked);
• Personal data may be present: this is a frequent case for which the collection of personal data is not expressly desired. For example:
  • residual presence of persons or license plates in images;
  • occurrences of surnames, first names, addresses, etc. in textual data such as comments or prompts, etc.

In the latter case, the how-to sheets apply. However, verification operations may be carried out as a result of the collection in order to delete the remaining personal data. This can be achieved:

• by manual verification, e.g. when annotating the data;
• by automatic verification, e.g. by using techniques for detecting persons/faces in images, by name entity recognition (NER) methods, etc.

In such cases, provided that the original personal data has been anonymized, and for processing operations subsequent to such deletion, the data loses its personal character and the application of the sheets is no longer mandatory. Issues related to the risks associated with the use of the system in the deployment phase will be the subject of how-to sheets published at a later date.

The CNIL’s how-to sheets concern AI systems based on the collection and use of personal data:

• machine learning systems (statistic/stochastic systems):
  • supervised learning (based on annotated data);
  • unsupervised learning;
  • reinforcement learning.

• Systems based on logic and knowledge (deterministic systems), in particular:
  • inductive (logical) programming;
  • knowledge-based systems;
  • inference and deduction engines;
  • symbolic reasoning;
  • expert systems.

These latter systems do not proceed through statistical learning, but use data to build knowledge bases, relationships between concepts (ontologies), or to test and validate results. Please note: some so-called hybrid AI systems combine several of the approaches listed above.

The how-to sheets cover all the AI systems mentioned above, whether operational use in the deployment phase is defined from the development stage, or whether they are general purpose AI systems, for instance relying on “foundation” models, because of their ability to be reused and adapted for different applications and use cases.

They also concern all the AI systems mentioned above, whether learning is done “once and for all” or continuously. In the case of continuous learning systems, the data collected when the system is deployed is reused for the iterative improvement of the system.

As illustrated in the previous diagram, the establishment of an AI system based on machine learning requires, in principle, the succession of two distinct phases:

• the development phase: it consists of designing, developing and training an AI system;
• the deployment phase: it consists of putting into use the AI system developed in the first phase.

The development phase includes all stages from the development of the AI system to its deployment (production phase), namely:

• the design of the system: choice of the architecture, including the learning method(s) and, where appropriate, the selection of pre-trained models, identification of the necessary data and first tests, pilots;
• the dataset creation: collection and pre-processing (cleaning, annotation, feature extraction, data allocation);
• learning: training of the system, possible fine-tuning, adjustment and validation of hyperparameters, performance tests.

In the case of continuous learning, data is collected during the deployment and deployment phases (though the use in production of the model), for future improvement. Continuous training is therefore included in this development phase via a feedback loop.

It should be noted that in addition to these two phases, there is a phase of shutdown of the AI system or deletion of personal data that it contained. These sheets do not specify the operations to be carried out during this phase, which must respect the principle of limiting the duration of data retention.

The how-to sheets concern, in particular, use cases relating to development phase of an AI system (scientific research, research and development, personalisation of a commercial product, improvement of the public service provided to the user, etc.) for which only the GDPR is applicable, i.e., in the majority of cases, excluding other specific legal regimes.

Data processing in the development phase of the AI system subject to the scope of the Police Justice Directive as well as those relevant to State security and national defence are therefore excluded from the scope of these how-to sheets.