Desafíos actuales de la Inteligencia Artificial
prohibit AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage, [55] such as those offered by Clearview AI.

4.2. Application of Data Protection Rules to Generative AI Systems

Since the release of advanced generative AI applications in late 2022, the CNIL has started working on applying the GDPR to these new systems. So far, it has mainly focused on policy work, as no sanctions have yet been imposed on generative AI companies. For instance, the authority unveiled an AI action plan in 2023, extending its policy and regulatory work to generative AI and large language models. [56] Overall, its action plan reflects a comprehensive approach to balancing innovation with privacy and ethical considerations.

However, France is not the only Member State where data protection authorities have initiated discussions and enforcement actions regarding generative AI applications under the GDPR. Important concerns relate to the very development of generative AI models. In May 2024, the Dutch data protection authority (AP) issued guidelines related to web scraping, i.e. the automatic collection and storage of online information. [57] The authority determined that this practice is almost always illegal due to privacy risks and GDPR violations. This is particularly relevant for generative AI applications that rely on large datasets, as they often involve the collection of personal data without consent. The AP emphasised that publicly accessible information does not imply permission for scraping, and exceptions are rare, typically limited to non-commercial, personal projects or highly targeted corporate uses. These findings raise doubts as to the compatibility of web scraping involving personal data with the GDPR, but the issue is not settled yet.
In fact, the Italian data protection authority is still conducting investigations against OpenAI for alleged GDPR breaches, [58] following a temporary ban of its ChatGPT chatbot in

data collection in France and delete existing data, facing additional daily penalties for non-compliance, totalling €5,2 million in 2023 (CNIL, délibération SAN-2023-005 du 17 avril 2023).

[55] Article 5(1)(e) AI Act.

[56] CNIL, “Intelligence artificielle: le plan d’action de la CNIL”, 16 May 2023, https://www.cnil.fr/fr/intelligence-artificielle-le-plan-daction-de-la-cnil. In its plan, the CNIL recognises the importance of personal data in this space, focusing on transparency, data security, bias prevention, and the ethical use of AI technologies. Building on years of prior work in the AI field, the CNIL’s agenda expands to include generative AI, chatbots, and other derivative applications. The plan is structured around four key objectives: (i) understanding AI systems and their impacts; (ii) ensuring privacy-respecting AI development; (iii) fostering innovation within the AI ecosystem in France and Europe; and (iv) auditing and regulating AI systems to protect individuals. The plan includes publishing guidelines (many of which have been subject to public consultation), engaging with AI developers, and conducting audits.

[57] AUTORITEIT PERSOONSGEGEVENS, “AP: scraping bijna altijd illegaal”, 1 May 2024, https://autoriteitpersoonsgegevens.nl/actueel/ap-scraping-bijna-altijd-illegaal.

[58] Garante per la protezione dei dati personali, “ChatGPT: Garante privacy, notificato a OpenAI l’atto di contestazione per le violazioni alla normativa privacy”, 29 January 2024, https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9978020.