Introduction to the self-assessment guide for AI systems
The aim of the self-assessment guide on the following pages is to provide a reminder of the main data protection issues in the most commonly encountered scenarios.
The CNIL invites all organisations (providers or users of AI systems) that are planning to implement processing using artificial intelligence (AI) technologies, or that have already begun doing so, to ask themselves the questions presented in this analysis grid.
This list has been compiled as comprehensively as possible on the basis of best practices and emerging signals from scientific research in the field. In order to be applicable to all sectors and all types of AI systems, these fact sheets have been developed to cover as many scenarios as possible, without excluding risks related to specific techniques such as continuous learning or automatic annotation.
The aim of this grid is to allow the self-assessment of all relevant aspects of a processing project in terms of personal data and ethics. A functional analysis by the CNIL can only be carried out following a formal request, for example as part of a request for advice. In addition, the purpose of this grid is to provide information, mainly in terms of the protection of personal data. It is not intended to supersede other applicable texts: sector-specific legislation, civil liability regimes, etc.
These fact sheets use the terms provider and user of AI systems. The CNIL uses the following definitions:
PROVIDER
A natural or legal person, public authority, agency or other body that develops an AI system, or has one developed, with a view to placing it on the market or putting it into service under its own name or trademark, whether for payment or free of charge.
USER
Any natural or legal person, public authority, agency or other body using an AI system under its own authority, except where the system is used in the course of a personal, non-professional activity.
END USER
The user of the AI system must not be confused with the end user, that is, the person concerned by the system: the notion of use thus corresponds to operation in a professional context.
In relation to the definitions of the GDPR, the providers and users can assume the roles of data controller and/or data processor if the AI system implements processing of personal data.
This analysis of roles and responsibilities is to be carried out on a case-by-case basis as indicated in the fact sheets.
Would you like to contribute?
Write to ia[@]cnil.fr