Desafíos actuales de la Inteligencia Artificial

Enforcing AI regulation in France: a legal framework beyond the AI act 63 For some years now – and before the hype around generative AI –, the CNIL has re- flected on AI development and regulation. 37 In this context, the CNIL has long addressed AI issues through case studies, such as the use of smart cameras in public spaces, voice assistants, and facial recognition. 38 At a CNIL event on AI and free will held in November 2024, its president Marie-Laure Denis explained that one could not wait for the AI Act to regulate AI systems and that the GDPR was sufficiently flexible to ensure positive AI development. As developed below, the CNIL indeed has a proven track record of active GDPR enforcement in different AI fields (Section 4.1) and has already started working on its application to generative AI, along with its European peers (Section 4.2). 4.1.Early GDPR Enforcement The CNIL has been one of the most active GDPR enforcers in Europe, also in the AI field. In fact, the GDPR did mark a breaking point in terms of sanctioning the mishandling of personal data (see Figure 2 below). Pre-GDPR, the French regulator was imposing modest fines. 39 Post-GDPR, that is after the regulation became applicable in May 2018, the regula- tor’s fines reached record-high levels, with individual sanctions in the millions, even reaching €150 million for a fine imposed on Google in 2021. 37 Already in 2017, it published a report following a public debate on the ethical challenges of AI (CNIL, “Con- certation citoyenne sur les enjeux éthiques liés à la place des algorithmes dans notre vie quotidienne: synthèse de la journée”, 17 October 2017, https://www.cnil.fr/sites/cnil/files/atoms/files/cr_concertation_citoyenne_al- gorithmes.pdf) . In its 2018 annual report – the year the GDPR began applying –, the CNIL dedicated a section to AI, mainly focusing on its ethical and societal implications (CNIL, “Rapport d’activité 2018”, 15 April 2019, https://www.cnil.fr/sites/cnil/files/atoms/files/cnil-39e_rapport_annuel_2018.pdf) . It emphasised the impor- tance of educating the public about AI’s potential and fostering a sustainable AI model at the national, Euro- pean, and international levels. Moreover, it underscored the need for ethical considerations in AI, addressing issues like human autonomy, algorithmic discrimination, and the impact of hyper-personalisation on societal structures. Given the importance of personal data for training and operating AI systems, it also highlighted the regulatory role of the GDPR in creating a trustworthy framework for data use in AI, ensuring transparency and individual rights. 38 It has also reviewed government projects like the AI tools for tax fraud detection. Since 2022, the CNIL has published resources clarifying AI-related challenges and GDPR compliance, offering an AI self-assessment guide for the public and professionals. 39 In 2016, the CNIL imposed fines for a total amount of €160,000, and more than doubled them in 2017 (€371,000).