France | Regulatory Framework
Status:
Effective: N/A
high CNIL practical sheet: informing individuals about personal data use in AI development
AI: Inform the data subjects
I. Regulatory Summary
Requires AI developers/controllers to enhance privacy notice design and operational timing—particularly for web-scraped or third‑party data—including public-facing notices when individual outreach is infeasible, and clearer explanations of AI development data flows.
II. Full Description
CNIL explains that transparency is essential for individuals to understand why and how their data are used and to exercise their rights. It details obligations for both first-party and third-party data (including web scraping and API-based access), as well as the content and accessibility of notices. It highlights the ‘disproportionate effort’ derogation for indirect collection and recommends layered notices and clear explanations of the AI development lifecycle (training dataset, model, outputs).
III. Scope & Application
Guidance on GDPR transparency duties for organisations processing personal data to develop AI models or systems. Covers direct vs indirect collection (including web scraping), timing of notices, layered and intelligible information, and key derogations (e.g., disproportionate effort) with a fallback to general/public information.
IV. Policy Impact Assessment
Requires AI developers/controllers to enhance privacy notice design and operational timing—particularly for web-scraped or third‑party data—including public-facing notices when individual outreach is infeasible, and clearer explanations of AI development data flows.
Primary Focus: transparency_notice_ai_training