INTERVIEW – For the president of the CNIL, the challenge is to reconcile data protection and innovation.
Artificial intelligence algorithms, so-called augmented surveillance cameras, sanctions against digital giants, verification of the age of minors on the internet… The digital transformation of society at a forced march places the National Commission for Computing and Freedoms ( Cnil) at the heart of all the subjects that affect the daily life of the French.
LE FIGARO. – The use of AI systems is accelerating in all parts of society. How do you see the role of the CNIL in the regulation of AI?
Marie-Laure DENIS. – Our desire is not to curb the promises of artificial intelligence while guaranteeing a reasoned use of data which is in line with European values. This immediately excludes social rating or recognition of emotions. It is also necessary to prevent as far as possible certain risks, such as bias or discrimination, by ensuring the relevance and reliability of the data that drive the systems.
We will now look at mobile applications. There is a real privacy issue
Marie-Laure Denis
Another requirement is to find the right balance in terms of the amount of data used, the security and the retention period of this information. It is also necessary to guarantee the explicability of the algorithms. We are therefore going to focus on two projects: the constitution of learning databases and the articulation of the draft European regulation on artificial intelligence with the GDPR, the regulation on personal data.
What’s at stake?
It is crucial that these two major texts go hand in hand, to benefit both European citizens and businesses, by allowing the European artificial intelligence industry to flourish. This is also one of the aims of the “sandboxes” that we have launched in the health and education sectors, to support innovative projects, from their conception, in order to allow them to explore the opportunities this technology while protecting the data.
The Cnil creates an artificial intelligence service…
Yes. Our role is set to grow in the regulation of AI. We are in the process of putting together a team, at this stage, of five to six lawyers and engineers to better understand all these subjects. We also want to produce more resources for the general public, professionals and specialists, and work hand in hand with the artificial intelligence ecosystem.
Read alsoLaurence de Charette: “Artificial intelligence, will the creature escape its creator?”
For example, on the occasion of the bill on the Olympic Games, still under discussion, support is provided by the Cnil for the algorithms that will be deployed by the suppliers of so-called augmented cameras. As a regulator, we will also have the ability to control them once implemented. It must be ensured that personal data is used responsibly there.
Do generative AI models like ChatGPT pose GDPR challenges?
It is true that these systems generating texts, images or sounds are developing very quickly. They use open sources of data on the internet, which have generally not been verified, to train, in a way that is not very transparent. These are very powerful tools, with a vocation to improve, but which can have side effects that will have to be monitored. This raises questions of data protection for access to reliable and sourced information and the exercise of the rights of the persons concerned which moreover exceed the regulation of the Cnil, with ethical issues, in particular on the possible dissemination of false information or malicious actions and economic stakes with regard to employment and respect for copyright.
The Cnil has drawn up a whole series of sanctions around consent to the deposit of cookies. Will there be a second wave of control?
We have implemented systemic regulation from 2021 by asking all websites in France to modify their interface so that users can refuse cookies as easily as they were offered to accept them. This led us to strongly sanction the biggest digital players such as Google, but also Facebook, Amazon and Microsoft. They have changed their practices, and Google has even extended its new interface to the whole of Europe.
The role of the CNIL is to verify that the solutions used by pornographic sites comply with the GDPR
Marie-Laure Denis
This regulation, which affects the digital daily life of the French, is a success. We will now look at mobile applications. Too often, they ask you for access to your address book, your photos or your geolocation, without explaining to you in a transparent way the purpose of this data capture. However, there is a real privacy issue. Menstrual or pregnancy tracking apps, for example, collect extremely personal information. The Cnil wants to give control back to Internet users. We have started a consultation with the players in the sector, then we will clarify the legal framework and finally carry out a campaign of controls.
What is your assessment of GDPR compliance monitoring?
For nearly five years, the number of complaints received by the CNIL has practically doubled, to 14,000 per year. In 94% of cases, they are the subject of a dialogue with the organization which leads to its compliance. In other cases, we take corrective action. Thus, the formal notices, about one hundred and fifty per year, have tripled. And the Cnil imposed a cumulative half-billion euros in fines, while the highest fine, before the GDPR, was only 30,000 euros. All the repressive activity of the Cnil has been disrupted.
And what about European cooperation? The Irish Cnil, which manages the files of the tech giants, is often criticized…
There are very positive things and others that deserve to be improved. We had to learn to work at twenty-seven with a new legal framework. It took a little time but the machine is now launched. The European CNILs have imposed a fine of 3 billion euros in four years on behalf of the GDPR. But, at a meeting of the European Data Protection Board last year in Vienna, many of us alerted the European Commission to the fact that it was absolutely necessary to settle the subject of the disparity of law enforcement procedures national
Read alsoChatGPT: are artificial intelligences (really) better than us at spelling?
That’s to say?
The Irish Cnil invokes this point as a difficulty in dealing with high-stakes cases which concern the Gafam in particular. The procedures according to the country are different on the contradictory instruction, the analysis of the admissibility of the complaints or the amicable settlements. This call has been heard. A draft regulation has just been announced by the Commission in order to harmonize these procedures and speed up the processing times for complaints.
The Irish CNIL is investigating TikTok. When will she make her decisions?
We sent complaints about TikTok to Dublin last year, and two procedures are underway. As for what is public in these procedures, I can tell you that one deals with the issue of data transfer to China and the other with the processing of minors’ data. We are very active to make it move quickly! TikTok is one of the most popular services for young people, and this poses considerable data protection challenges. It is therefore normal that regulators pay attention to this. The decision on the file concerning the minors should be pronounced by the summer. That on the transfer of data to China should take place shortly after.
Control of the age of minors by pornographic sites comes up against the question of the legality of technical solutions. What do you recommend?
The role of the CNIL in this case is to verify that the solutions used by pornographic sites comply with the GDPR. We published our position in July 2022. To reconcile the imperatives of protection of minors but also of protection of privacy – we do not wish to create a file of people consulting pornographic sites -, we plead for the system known as of “double anonymity”.
Read alsoPorn sites: test in March of a “double anonymity” age verification system
A trusted third party will certify your age, and you can show that proof of age to the porn site. The site therefore does not know who you are but knows your age, and the third party that certifies your age knows who you are but does not know which sites you visit. This will be a type of permanent solution in the medium term. While waiting for this system to be developed and proposed by players – an experiment has been announced by the government -, the Cnil is not opposed to the use of bank cards, with a zero euro transaction, or to estimation solutions of age through the analysis of facial features. They are not perfect systems, but they can be used right now. Do not deprive us of these short-term solutions!
The Cnil therefore accepts the analysis of the face?
The CNIL is pragmatic; she doesn’t want kids to go to porn sites. These solutions will certainly have difficulty distinguishing a 17 year old from a 19 year old, but they can distinguish a 13 year old child from a 20 year old adult. And it is not, in any case, facial recognition aimed at identifying a person.
You have one year left in your term of office as president of the CNIL. What are your priorities?
After having pivoted the repressive policy of the Cnil over the past four years, we need to provide even more support to companies with high potential for economic and digital development. We have therefore just launched a call for applications to enable them to benefit, more and upstream, from our legal and technical support. Data protection will increasingly be a competitive determinant, alongside price and quality of service.
My second priority is to continue to invest in the field of artificial intelligence to ensure protective regulation as close as possible to uses, by reconciling the protection of privacy with other issues, public security or medical research, for example. , without limiting the purposes of these innovative systems that can hold promise. Finally, I would like to convince administrations and businesses of the need to host, more and as quickly as possible, their most sensitive data on servers that are immune to the risk of interference from foreign authorities. This is a major challenge for our digital sovereignty.