Image for article type news
Official Guidelines

France: CNIL publishes FAQs on EU AI Act and GDPR

July 12, 2024
Summary

The French data protection authority, CNIL, released FAQs on the EU AI Act and its relationship with GDPR, detailing the AI Act's risk classifications, supervisory authorities, and specific areas where it supersedes GDPR. The AI Act, effective from August 21, 2024, categorizes AI systems into four risk levels and outlines the conditions under which GDPR applies to AI. It specifies exceptions for law enforcement's use of real-time biometric identification, processing sensitive data to address biases, and re-using personal data in AI regulatory sandboxes. CNIL emphasizes the integration of GDPR's data protection impact assessment with the AI Act's fundamental rights impact assessment.

CNIL's FAQs clarify the EU AI Act's risk classifications and its interplay with GDPR.

On July 12, 2024, the French data protection authority (CNIL) published a series of frequently asked questions (FAQs) on the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act) following its publication in the Official Journal of the European Union. The AI Act will enter into force 20 days after its publication on August 1, 2024. In particular, CNIL considered the four risk classifications of artificial intelligence (AI) systems provided under the AI Act, including unacceptable risk, high risk, specific transparency risk, and minimal risk. CNIL also outlined the responsible supervisory authorities at the