CNIL Issues Landmark AI Development Guidelines for GDPR Compliance in France

CNIL Finalizes GDPR Guidelines for AI System Development

On July 22, 2025, the French data protection authority, Commission Nationale de l'Informatique et des Libertés (CNIL), released detailed recommendations for AI developers to ensure compliance with the General Data Protection Regulation (GDPR). These guidelines clarify how GDPR applies to AI models, define security requirements, and detail conditions for annotating training data.

This move fills a significant regulatory gap as AI adoption grows, especially given CNIL's recent enforcement actions, including rejections of AI-based age verification cameras in tobacco shops and increased oversight of biometric technologies.

Security Requirements for AI Development

CNIL outlines three key security objectives for AI systems:

• Data Confidentiality: Protect all data, even publicly accessible datasets, throughout development. The authority warns that poor database security can compromise confidentiality regardless of data type.
• Performance and System Integrity: Address risks from poor AI performance, mainly during deployment but requiring development-phase measures.
• Information System Security: Adapt traditional cybersecurity measures to AI environments. CNIL highlights risks in system components like backups, interfaces, and communications rather than AI models alone.

CNIL also requires Data Protection Impact Assessments (DPIAs) for AI systems posing high risks, considering AI-specific issues such as automated discrimination, deepfake content about individuals, and vulnerabilities unique to AI.

Data Annotation Compliance Framework

Annotation—the labeling of training data—is critical for AI quality and respecting people's rights. CNIL emphasizes:

• Minimization: Annotations must include only data necessary for the AI’s function.
• Accuracy: Labels must be precise and based on relevant criteria.
• Clear Procedures: Annotation workflows should be well documented, with defined task ownership and validation phases.
• Quality Control: Regular checks through random sampling and inter-annotator agreement are essential.

Technical Implementation Requirements

Organizations must verify the reliability of training data and annotations throughout the AI system lifecycle. This includes ongoing quality checks to prevent data degradation and processes to detect threats like data poisoning.

Version control and logging are recommended to monitor changes and guard against unauthorized modifications. Encryption must protect backups and communications, especially for web-exposed or federated learning systems, using up-to-date cryptographic protocols.

Access control is key, with differentiated authentication for users and administrators. CNIL advises anonymization or pseudonymization techniques such as data redaction, random noise addition, and generalization.

Rights Management for AI Systems

The guidance clarifies how GDPR rights apply during AI development and deployment. Key points include:

• Identifying individuals in training data and models, a challenge for generative AI.
• For generative AI, organizations must internally check models for personal data memorization using targeted query lists.
• If individuals aren't identifiable in models but exist in training data, they must be informed about memorization risks.
• Rights exercises may require retraining models periodically, balancing cost and efficiency.
• When retraining isn’t feasible, output filters or other controls should prevent personal data generation.
• CNIL favors general prevention rules over blacklists of individuals who exercised their rights.

Industry Impact Assessment

Marketing technology companies face direct impacts from these recommendations. CNIL’s past actions against tracking tools show heightened scrutiny on privacy within digital marketing.

Programmatic advertising platforms using machine learning for targeting and optimization must reassess compliance risks, especially when analyzing customer behavior or demographics without clear legal grounds.

Vendors developing AI marketing tools should implement CNIL’s security measures, including verified development libraries, secure file formats for model imports, and strong access controls. The new requirements go beyond standard cybersecurity to address AI-specific threats.

Summary

• Who: CNIL, France’s data protection authority, issuing guidelines for AI developers and organizations processing personal data.
• What: GDPR compliance rules for AI including security, data annotation, and rights management.
• When: Published July 22, 2025, effective immediately for new AI systems and for assessing existing ones.
• Where: France, with broader implications across the EU for AI systems processing personal data.
• Why: To close regulatory gaps in AI development and safeguard individual privacy amid growing AI use in sectors like marketing.

For IT and development professionals working with AI, aligning your projects with these guidelines is critical. Understanding CNIL’s framework can help avoid regulatory pitfalls and ensure your AI systems respect GDPR obligations.

Explore practical AI compliance courses to stay ahead at Complete AI Training.