Summary

In light of the development of AI tools, AI System providers must also consider data protection. But how are they legally qualified: as a controller, a joint controller or a processor? The French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has published a guide on the legal qualification of AI System providers.

Key points to determine the qualification:

· The qualification is made on a case-by-case basis, but some principles can be applied.

· If a Provider decides both the purpose and the means of processing personal data, they are a controller. This may happen if the Provider takes the initiative to develop the AI System and constructs its training dataset by independently selecting data.

· Providers can also be joint controllers. This happens when controllers jointly determine the purpose and means of processing. As an example, in the case of AI Systems, joint controllers feed the training dataset together for a joint purpose.

· A processor processes personal data on behalf of a controller; it acts as a service provider. The controller is the one giving instructions about the processing, and the processor carries them out. For example, an AI System Provider who develops the system as a service provided to one of its customers, following their instructions, is a processor.

· In practice, two or more academic hospitals that jointly develop an AI System, pursue a common purpose and decide together on the means of processing are joint controllers. For example, if they jointly decided to develop a system for the analysis of medical imaging and chose together the training protocol to be followed and the data to exploit, they would be joint controllers.

Link to the Guide:

https://www.cnil.fr/en/determining-legal-qualification-ai-system-providers

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
