France | Regulatory Framework
Status:
Effective: N/A
high CNIL practical sheet: enabling data subject rights in AI training datasets and models
AI: Comply with and facilitate the exercise of data subject rights
I. Regulatory Summary
Requires AI developers/controllers to implement practical workflows for rights requests that address dataset/model distinctions, identification challenges, and the need to deliver meaningful access while protecting third-party rights. This typically implies updated DSAR playbooks, documentation of sources, and staff training.
II. Full Description
CNIL explains that individuals whose data are collected, used, or reused to develop an AI system have GDPR rights (access, rectification, erasure, restriction, portability where applicable, objection, and withdrawal of consent). It discusses difficulties specific to models (as distinct from datasets) and recommends proportionate solutions that preserve rights without blocking innovation. It emphasises clear communication with requesters, identification handling, provision of intelligible copies of personal data (including annotations/metadata), and respect for others’ rights (including IP and trade secrets).
III. Scope & Application
Guidance for organisations developing AI systems using personal data on how to respect and facilitate data subject rights under the GDPR. Covers rights in relation to training datasets and, where applicable, AI models themselves, and recommends proportionate, realistic processes to handle requests given technical constraints.
IV. Policy Impact Assessment
Requires AI developers/controllers to implement practical workflows for rights requests that address dataset/model distinctions, identification challenges, and the need to deliver meaningful access while protecting third-party rights. This typically implies updated DSAR playbooks, documentation of sources, and staff training.
Primary Focus: data_subject_rights_ai_training