Determining the applicable legal regime
When it contains personal data, the creation of training datasets, as well as the development phase, must comply with the relevant regulations. The CNIL helps you determine the legal regime applicable to data processing in the development phase.
The principle
The development and deployment phases of an AI system constitute separate processing of personal data, subject to personal data protection regulations. There are different legal regimes depending on the processing:
- the regime resulting from the General Data Protection Regulation (GDPR) which is intended to apply to all processing of personal data, both in the public and private sectors, with the exception of processing that fall under the following two specific schemes;
- the specific regime for the law enforcement sectors (Title III of the French Data Protection Act);
- the regime concerning the national defence or the security of the State governed by the provisions of the French Data Protection Act.
The purpose of this how-to sheet is to define the cases where the data processing in the development phase is subject to the same legal regime as the data processing in the deployment phase, and the cases where they are subject to separate regimes.
As a reminder: the principles and recommendations formulated in the following how-to sheets concern only processing that fall within the scope of the GDPR.
In practice
In order to determine the regime for data processing in the development phase, two cases must be distinguished.
Case 1: the operational use of the AI system in the deployment phase is defined from the development phase
In the event that the operational use of the AI system in the deployment phase is identified as early as development phase and if the processing operations implemented during the development phase pursue exclusively the same purpose as those in the deployment phase, it may be considered that they are generally covered by the same legal regime (see Conseil d'Etat, 22 July 2022, N° 451653).
This will in particular be the case where the choice of the development of a specific AI system is one of the means identified to achieve the purpose set for the system to be deployed.
It should be noted that the ‘law enforcement’ regime (Title III of the French Data Protection Act) may apply to processing in the development phase if the following conditions are met:
- the operational use of the AI system is identified from the development stage, so that the processing operations implemented during the development phase have the same purpose only as those in the deployment phase;
- the use of the AI system exclusively pursues the purposes of preventing, detecting, investigating and prosecuting criminal offences or executing criminal penalties, including the protection against and the prevention of threats to public security;
- the controller in development is a ‘competent authority’.
Case 2: the operational use of the AI system in the deployment phase is not clearly defined in the development phase (general purpose AI system)
The development phase and deployment phase of the AI system can be decorrelated.
It is not always possible to clearly identify the purpose of the processing in the deployment phase from the development phase. Some AI systems (general purpose AI systems) are developed without a specific operational use and then eventually operated in a second stage.
The legal regime of the development phase is therefore not systematically the same as the one determined in the deployment phase.
In this case, it is generally considered, depending on a case-by-case analysis, that processing in the development phase is subject to the GDPR.
In this case, the creation of the training dataset falls within the scope of the GDPR.
This does not rule out, depending on the operational use of the AI system, that the processing during the deployment phase may be subject to the ‘law enforcement’ regime, if it is carried out by a competent authority for the purposes of the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal penalties.
- in the first case, it sells it to a company that uses it for statistical purposes to measure the influx of people entering a mall. In this case, processing in the development and deployment phase will be subject to the GDPR.
- in the second case, it sells it to a national police service that uses it to detect persons crossing prohibited areas for prosecution. In this case, the processing in the development phase will be subject to the GDPR, but processing in the deployment phase will be subject to the ’law enforcement’ regime.