In light of the development of AI tools, AI System providers must also consider data protection. But how are they legally qualified? As a controller, joint controller or processor? The French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), published a guide about the legal qualification of AI System providers.

Key points to determine the qualification:

· The qualification is on a case by case basis, but some principles can be applied.

· If a Provider decides both the purpose and the means of processing personal data, they are a controller. This may happen if the Provider takes the initiative to develop the AI System and constructs its training dataset by independently selecting data.

· Providers can also be joint controllers. This happens when controllers jointly determine the purpose and means of processing. As an example, in the case of AI Systems, joint controllers feed the training dataset together for a joint purpose.

· A processor processes personal data on behalf of a controller; they act as a service provider. The controller is the one giving instructions about the processing, and the processor carries them out. For example, an AI System Provider who develops the system as a service provided to one of its customers, following their instructions, is a processor.

· In practice, two or more academic hospitals that jointly develop an AI System, pursue a common purpose and decide together on the means of processing are joint controllers. For example, if they jointly decided to develop a system for the analysis of medical imaging training and chose together the protocol to be followed and the data to exploit, they would be joint controllers.

Link to the Guide:

https://www.cnil.fr/en/determining-legal-qualification-ai-system-providers

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
