France — CNIL AI Action Plan & GDPR-AI Recommendations
Summary
CNIL (Commission Nationale de l’Informatique et des Libertés / French National Commission on Information Technology and Civil Liberties) is France’s independent data-protection regulator. Since publishing its AI Action Plan in 2023-05, it has systematically produced compliance guidance on the AI × GDPR interface and is among the EU’s most active AI data-protection regulators.
The four work pillars (2023 Action Plan)
- Understand how AI systems work and their effects on individuals.
- Promote and steer privacy-respecting AI development.
- Federate and support innovators in the French and European AI ecosystem.
- Audit and supervise AI systems + handle complaints under the GDPR.
Main guidance series (2023-2025)
From 2023-10: 12 practical guides
Covering:
- Legal bases for AI-system development (contract, legitimate interest, consent).
- GDPR compliance for training data (including web scraping / legitimate-interest assessment (LIA)).
- Allocation of roles between developer / provider / deployer (AI Act × GDPR mapping).
- DPIA (data-protection impact assessment) templates.
- The realization of data-subject rights in AI contexts (Articles 13-22).
2025-02-07: two core recommendations
- “AI: Informing Data Subjects”.
- “AI: Complying and Facilitating Individuals’ Rights”.
Significance: they make explicit that the GDPR applies across the full lifecycle of AI-system development and deployment, and does not cede ground to the AI Act.
2025-2028 Strategic Plan
Ongoing priorities:
- Sector-specific guidance (healthcare, finance, employment, education, etc.).
- Compliance-assessment tools.
- AI regulatory sandbox (on the AESIA + UK ICO model).
Specific enforcement / investigations
OpenAI / ChatGPT
The CNIL has received several complaints and opened investigations (ongoing from 2023 to 2026).
Because OpenAI’s main establishment is in Ireland, primary GDPR enforcement lies with the Irish DPC (Data Protection Commission). The CNIL can still participate in investigations under Article 60 GDPR (one-stop-shop mechanism), or directly enforce against specific infringements within France (Article 55(2)).
Mistral / LightOn (French companies)
The CNIL has full jurisdiction over GPAI providers whose main establishment is in France. Its compliance pathway for Mistral is a de facto industry standard.
Clearview AI
In 2022 the CNIL fined Clearview AI €20M (over GDPR compliance on face-training data). Its stance on face-training data is among the strictest in the EU.
Division of labour with the AI Act
The CNIL and France’s AI Act competent authorities (expected to be jointly designated with DINUM — the French Directorate-General for Digital Affairs — and ANSSI — the National Agency for the Security of Information Systems) form a parallel system:
| Scenario | Competent authority |
|---|---|
| Data-processing compliance of the AI system | CNIL (GDPR) |
| Product compliance of the AI system (high-risk) | France’s AI Act market surveillance authority (MSA; not yet formally designated) |
| Both overlapping | Cooperation mechanism to be built |
As of the 2025-07-10 deadline, France, like Germany, Italy, Spain and Austria, has not yet completed the designation of its AI Act national competent authority.
Impact on EU GPAI compliance
- Legitimate interest as a legal basis for training data: the CNIL has expressly accepted this across several pieces of guidance, while requiring rigorous LIAs.
- Purpose limitation: the CNIL takes a relatively flexible stance, accepting that a training purpose can encompass a fairly broad notion of “AI-system development”.
- Data-subject rights (erasure, access): these must be considered at the design stage of the AI system (privacy by design).
Comparison with the Italian Garante: the CNIL is more constructive (guiding compliance), whereas the Garante is more adversarial (rapid bans).
Comparison with the United States / China
- United States: no federal data-protection statute; a patchwork at state level; AI-data compliance relies on civil litigation.
- China: PIPL + CAC filings + TC260-003, a market-entry control model.
- France / CNIL: compliance guidance + robust enforcement; the GDPR is the baseline, with the AI Act supplementary.
Primary text and links
| Source | Link |
|---|---|
| CNIL AI Action Plan (2023) | cnil.fr/en/artificial-intelligence-action-plan-cnil |
| Two core recommendations (2025-02) | cnil.fr/en/ai-cnil-finalises-its-recommendations |
| First AI Act Q&A (CNIL) | cnil.fr/en/entry-force-european-ai-regulation-first-questions |
| New AI × GDPR recommendations | cnil.fr/en/ai-and-gdpr-cnil-publishes-new-recommendations |
| Hunton Andrews Kurth commentary | hunton.com/…/cnil-publishes-recommendations-on-ai |
| Bird & Bird France AI Tracker | twobirds.com/…/france-ai |
Revision history
| Date | Event |
|---|---|
| 2023-05-16 | CNIL publishes AI Action Plan |
| From 2023-10 | 12 practical guides published in waves |
| 2024-08-01 | EU AI Act enters into force; CNIL publishes first Q&A |
| 2025-02-07 | Two core recommendations (Informing + Complying) |
| 2025-2028 | Five-year strategic plan |