CNIL and AI: Understand, Support and Control

The National Commission for Informatics and Liberties (CNIL) did not wait for the arrival of ChatGPT, at the end of 2022, to conduct work on artificial intelligence. It has indeed been solicited for years on the implementation of personal data processing involving AI technologies. This is reflected in many areas: medical diagnosis, CV sorting, augmented cameras… But with generative AI, a new level has been reached thanks to the combination of two factors: access to massive volumes of data and the computing power of computers.

“If generative artificial intelligence is praised by some, it is also, sometimes vehemently, criticized by others. The CNIL has thus recently been solicited on the issue of the use of data from what I could call the “voice actors”, i.e. the dubbers, especially for the training of AI systems. This is a file that illustrates well the complexity of regulation in that it requires to articulate personal data protection, right to work, literary and artistic property, and right to undertake,” declares Marie-Laure Denis, president of the CNIL.

Understanding a major technology, not exempt from failures

The expressed concerns reflect, as for any new major technology, the need to create the conditions for an ethical, responsible and respectful use of European values. “To meet this challenge, we have put in place an action plan that should allow us to understand the functioning of AI systems and their impacts on people, to clarify the legal framework to give visibility to the actors of the sector and to the users, while controlling the modalities of implementation of this technology to protect both individuals and legal entities from the risks it carries,” adds Marie-Laure Denis.

The first pillar of this action plan is therefore to “understand”. This is a prerequisite for the CNIL, all the more crucial as AI systems are subject to failures and attacks or can have unforeseen consequences on individuals or society. “Given the complexity of systems using artificial intelligence, the sources of errors and biases can be multiple. They can occur from the design stage, due to a lack of representativeness in the training data. These errors can also result from the conditions of use. For example, a system for detecting incivilities by video surveillance may be subject to more errors if it is deployed on a park of cameras whose resolution is insufficient,” notes the president of the CNIL.

Where artificial intelligence systems differ from more traditional computerized systems is in the difficulties posed by the identification of the problem, due to their statistical nature. This is the whole issue of the explainability of decisions proposed or made by AI. “To respond to these challenges of understanding, I created in 2023 a service dedicated to artificial intelligence within the CNIL. It is currently composed of lawyers, engineers and AI analysts who develop a multidisciplinary expertise. This service organizes a regular dialogue with AI solution providers in all application areas in order to strengthen its expertise and disseminate it in all CNIL services,” explains Marie-Laure Denis.

Supporting the market by clarifying the legal framework

The second axis of the action plan implemented by Marie-Laure Denis and her teams is support, which notably involves clarifying the legal framework. This approach concerns businesses, administrations, and citizens. It should allow them to appropriate the new legal framework designed by the legislator, under the impetus of the European Commissioner for the Internal Market, Thierry Breton.

“In April 2021, the European Commission made a regulation proposal (AI Act) which specifies new rules to ensure that artificial intelligence systems used in the European Union are as safe as possible, transparent, ethical, impartial, and under human control. At the end of the legislative work, the European institutions converged towards a classification of AI systems according to their level of risk. Added to this is a framework for general-purpose AI models, which particularly concerns generative AI, for example through transparency on training data,” recalls Marie-Laure Denis.

The AI Act is now nearing completion. The European Parliament and the Council should formally adopt it in the coming weeks. However, the regulation on artificial intelligence will only be applicable two years after its entry into force. This transition period is necessary to allow the concerned actors to adapt. “Despite everything, AI devices are already partly used daily. And user organizations like citizens already have practical questions that cannot wait. That’s why the CNIL is mobilizing and trying to provide concrete answers to companies that use AI as well as to citizens who have rights over their data, rights mainly derived from the GDPR,” details the president of the CNIL.

Support targeting the most innovative companies

The CNIL’s support strategy is particularly oriented towards the most innovative companies in the field. For example, the National Commission for Informatics and Liberties has launched an enhanced support offer that led it to select three high-potential digital companies, including the French company Hugging Face, publisher of an open-source platform of resources in artificial intelligence.

The CNIL also offers tailor-made support to providers of augmented video surveillance whose solutions allow detecting suspicious behaviors, like a car that would arrive in the opposite direction and trigger a crowd movement. “We have accompanied the providers of augmented cameras within the framework of the experiment provided for by the law relating to the Olympic and Paralympic Games,” notes Marie-Laure Denis.

Finally, at the end of a phase of consultation and public consultation, the CNIL published seven practical sheets relating to the constitution of learning databases. Objective: to help actors take into account the GDPR. This first batch of sheets will be enriched by the summer of 2024 by a second batch focusing on the development of AI systems. “All these works pursue the same objective: to promote systems compatible with European values without hindering innovation and the emergence of new French or European players,” comments Marie-Laure Denis.

Understanding and clarification do not exclude control

The phases of understanding AI technologies and supporting organizations are however not sufficient. “Regulation also implies having the ability to control artificial intelligence technologies. For this, the CNIL must have means, develop a particular expertise and define a methodology. We also need tools to audit AI systems, both a priori and a posteriori,” says the president of the CNIL.

If we take the example of generative AIs like ChatGPT, the investigations must take place at three levels. First at the application level, that is to say the “chat” layer from which users interact with AI systems. It is a matter of ensuring that users are informed about how the data they submit is processed.

“We must in particular verify that the people concerned by the data from the databases, even if they are available on the Internet, can exercise their rights of access, rectification and deletion,” specifies Marie-Laure Denis. Finally, the investigations take place at the level of the underlying model. This is the “GPT” layer, the most complex part to implement for already trained models, due to the billions of parameters learned from hundreds of millions of texts from various sources.

“The rights of access and opposition to the use of these data must find a concrete translation and it is of course a real challenge. The questions therefore abound and coordination at the European level is essential. To promote it, the European Data Protection Committee (EDPB), which brings together the European CNILs, has initiated several works on generative AIs,” emphasizes Marie-Laure Denis.

The CNIL, an essential regulatory body for AI To conclude on the subject of AI regulation, the president of the CNIL discussed the issue of governance for the application of the AI Act. “The very strong adherence between the regulation of AI systems and that of data, in particular personal data, argues for the CNIL to have an important role to play in the regulation of these systems. I add that the reality on the ground confirms a little more each day that the CNIL is and will be essential in the regulation of AI, its algorithms and the regulation on artificial intelligence, complementing a GDPR which continues to apply in all its dimensions,” concludes Marie-Laure Denis.