On the occasion of the 16th InCyber Forum, CNIL President Marie-Laure Denis detailed all the measures introduced by the French personal data regulator to take into account the many challenges related to AI. .
The National Commission for Freedom in Informatics (CNIL) conducted research on artificial intelligence before the arrival of ChatGPT at the end of 2022. In fact, applications for implementing personal data processing involving AI technology have been solicited for years. This is reflected in many areas such as medical diagnostics, resume classification, and enhanced cameras. But in generative AI, the combination of his two factors – access to large amounts of data and computing power of computers – has reached a new level.
“While generative artificial intelligence is admired by some, it is also sometimes heavily criticized. Therefore, the CNIL has recently announced that it has developed a system of Requested regarding data usage issues. This is a file that well illustrates the complexity of regulation, in that it requires clear provisions for the protection of personal data, labor rights, literary and artistic property, and the right to undertake.'' Marie-Laure Denis declares.
Even if you understand key technologies, you can still fail.
The concerns expressed reflect the need to create conditions for the ethical, responsible and respectful use of European values, as with any new major technology. “To meet this challenge, we have developed an action plan to understand the capabilities of AI systems and their impact on people, and to clarify the legal framework that gives visibility to stakeholders and users in this field. while controlling how this technology is implemented to protect both individuals and businesses from risk,” added Marie-Laure Denis.
Therefore, the first pillar of this action plan is understanding. This is a prerequisite for the CNIL, but it becomes even more important as AI systems can be subject to failures, attacks, and have unintended consequences for individuals and society. “Given the complexity of systems using artificial intelligence, there can be multiple sources of error and bias. These can arise from the design stage due to lack of representativeness of the training data. Errors can also be caused by the conditions of use. For example, a system that detects illegal activities through video surveillance will have more errors if it is deployed in locations where cameras with insufficient resolution are installed. It is possible,” said the CNIL president.
Artificial intelligence systems differ from traditional computerized systems in that their statistical nature makes problem identification difficult. This is the whole issue of explainability of decisions suggested or made by AI. “To address these understanding challenges, I created a specialized service for artificial intelligence within the CNIL in 2023. It is currently made up of lawyers, engineers, and AI analysts, and has a multidisciplinary team. Developing expertise: The service organizes regular dialogue with AI solution providers in all application areas to strengthen its expertise and disseminate it across all CNIL services. Marie-Laure Denis explains.
Market support by clarifying the legal framework
The second axis of the action plan implemented by Marie-Laure Denis and her team is support, which includes, inter alia, the clarification of the legal framework. This approach concerns businesses, government, and the public. This should allow the EU to use a new legal framework designed by Thierry Breton, the European Commissioner for the Internal Market.
“In April 2021, the European Commission announced an initiative to ensure that artificial intelligence systems used in the European Union are as secure, transparent, ethical, fair and under human control as possible. At the end of the legislative work, European institutions came together to classify AI systems according to their level of risk. This is especially relevant for generative AI, such as transparency of training data,” recalls Marie-Laure Denis.
The AI method is currently nearing completion. The European Parliament and the Council are expected to formally adopt it in the coming weeks. However, regulations on artificial intelligence will only apply two years after they come into force. This transition period is necessary to allow stakeholders to adapt. “Despite all the circumstances, AI devices are already partially in daily use. And user organizations like citizens already have real questions that can't wait. That's why CNIL “We are mobilizing companies that use GDPR to provide concrete answers to citizens who have rights to their data, primarily rights derived from the GDPR,” the CNIL president elaborates.
Targeted support for the most innovative companies
CNIL's support strategy is specifically oriented towards the most innovative companies in this field. For example, the National Informatics and Freedom Commission has launched an enhanced support offer and selected three high-potential digital companies, including France's Hugging Face, which publishes an open source platform of artificial intelligence resources. did.
CNIL also offers bespoke support to providers of enhanced video surveillance, offering solutions that can detect suspicious activity, such as cars arriving from the opposite direction and causing crowd movement. “We accompanied the provider of the enhanced camera within the framework of the experiment established by law related to the Olympic and Paralympic Games,” said Marie-Laure Denis.
Finally, at the end of the consultation and public consultation phase, CNIL published seven practical sheets on the organization of learning databases. Purpose: To enable stakeholders to take the GDPR into account. This first batch of seats will be augmented by his second batch by summer 2024, which will focus on the development of AI systems. “All these initiatives pursue the same objective: to promote a system that is compatible with European values, without hindering innovation and the emergence of new French and European players,” Marie said. Laure Denis commented:
Understanding and Clarity Does Not Eliminate Control
However, understanding AI technology and supporting your organization is not enough. “Regulation also means having the ability to control artificial intelligence technologies. To this end, the CNIL needs to have the means, develop specific expertise and define methodologies. and tools to audit after the fact,” said the CNIL president.
Taking the example of generative AI like ChatGPT, research needs to be done at three levels. First is the application level, or the “chat” layer where users interact with the AI system. It is important to ensure that users are informed about how the data they submit will be processed.
“We need to make sure in particular that the people concerned with the data in the database can exercise their rights of access, rectification and deletion, even if it is available on the Internet,” says Marie-Laure Denis. Finally, the investigation is conducted at the level of the underlying model. This is the “GPT” layer and is the most complex part to implement on an already trained model, as it has billions of parameters learned from hundreds of millions of texts from various sources.
“The right of access and the right to object to the use of these data needs to be specifically interpreted, which of course is a big challenge. Questions therefore abound and coordination at European level is essential. To promote this, the European Data Protection Board (EDPB), which brings together the European CNIL, has started some work on generative AI,” Marie-Laure Denis emphasizes.
CNIL, a key regulatory body for AI In conclusion on AI Regulation, the President of the CNIL discussed governance issues regarding the application of AI law. “The very strong entrenchment between the regulation of AI systems and the regulation of data, especially personal data, argues for the CNIL to play an important role in the regulation of these systems.The reality on the ground is that the CNIL “Every day we are becoming more and more convinced that it is and will continue to be essential in the regulation of AI, its algorithms, and artificial intelligence, complementing the GDPR, which continues to be applied in all aspects,” added Marie-Laure. Denis concludes:
