Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

French guide provides path for processors to re-use others’ data

01 Feb 2022, 3:30 pm

New guidance issued by the data protection authority in France will clear the way for more companies behind artificial intelligence (AI) systems to use personal data other businesses have shared with them to process, to train their algorithms, experts in information law have said.

Andre Walter and Wouter Seinen of Pinsent Masons said the recent guidance issued by the Commission Nationale de l’information et des Liberties (CNIL) helps to clarify how data processors can secure rights to re-use data shared with them by data controllers in a way that complies with EU data protection law – without having to obtain the consent of data subjects to further processing.

CNIL’s guide addresses specifically how compatibility assessments, provided for under the EU General Data Protection Regulation (GDPR), can be applied in practice to authorise planned re-use of data by processors. CNIL is one of the leading data protection authorities in Europe and guidance it issues often helps direct compliance efforts across the rest of Europe.

Walter said: “The relationship between controllers and processors is tightly regulated, with the law requiring that processors only process personal data shared with them by controllers for purposes specified in the terms of a written agreement put in place between them. Strict conditions are also outlined in law around the further processing of personal data under the GDPR. The provisions constrain the activities of data processors, and they can present a barrier to their re-use of customer data – even for worthwhile and low-risk purposes.”

“In our daily practice, many AI processors approach us for a solution, so they can not only process the data on behalf of their customers, but also use this data on their own behalf, for example to train their algorithms. We have developed hybrid data processing and sharing agreements, where the ‘sharing’ part creates a relationship that enables data processing for product improvement purposes, including algorithm training of AI processors,” he said.

“With its new guidance, CNIL has explained how businesses can assess the legitimacy of further processing of personal data by, for example, cloud or AI processors, for their own purposes. It has signalled that a, so called, compatibility assessment can be carried out to ensure the further processing envisaged by the processor is compatible with the original purposes for which the data was collected. This procedure negates the need to obtain consent from data subjects to the further processing for very obvious and well accepted purposes and is therefore a very useful tool for businesses to avoid adding to the existing ‘consent fatigue’ among consumers,” he said.

Seinen said: “We have seen many respectable companies with well-intentioned innovations get stuck over GDPR concerns and have always believed that the ‘further use’ provisions in the GDPR can provide outcomes. It is a positive sign that the French regulator is providing practical guidance on a topic that can be applied to something as impactful as AI.”

In its guidance, CNIL said, in the absence of consent, parties must determine whether the processor’s planned re-use of data is “compatible with the purpose for which the data were originally collected”.

CNIL listed factors that must be taken into account when conducting its compatibility assessment. It said the following aspects should be considered:

  • the link between the purposes for which the personal data were collected and the purposes of further processing envisaged;
  • the context in which the personal data were collected, in particular if there is a power imbalance in the relationship between the data subjects and the processor;
  • the nature and sensitivity of the personal data involved;
  • the possible consequences of the envisaged further processing for the data subjects;
  • the existence of appropriate data security safeguards.

In an example it provided, CNIL said that if a cloud provider plans to re-use a controller’s data to improve its cloud services then this “could be considered compatible with the original processing, subject to appropriate safeguards”. Re-use of personal data for “commercial prospecting purposes” would most likely fail the compatibility test, it said.

CNIL noted that controllers cannot provide processors with a prior, general authorisation to further processing, and that a controller’s authorisation based on the compatibility assessment must be outlined in writing. Andre Walter said: “Such a written authorisation of the compatibility of further use will be a very valuable addition to existing and future data processing agreements with AI solutions providers.”

Contact an adviser

Walter Andre

Andre Walter

Legal Director

+31 20 7977 712
View Profile
Wouter Seinen

Wouter Seinen

Partner, Head of Office, Amsterdam

+31 20 7977 710
View Profile

Latest News

Improving EDI essential to well-run pension schemes, warns UK’s regulator

Ground rents cap represents compromise, says expert

Anti-suit injunction issued by English court to halt Russian proceedings

Notice provisions in construction contracts

Hong Kong construction dawn raids should prompt tender process reviews

You might also like

Out-Law Guide

Notice provisions in construction contracts

All construction contracts require parties to notify each other in certain circumstances in order to trigger particular entitlements.

Construction Contracts

Out-Law Guide

A guide to high-risk AI systems under the EU AI Act

Providers and deployers of so-called ‘high-risk’ AI systems will be subject to significant regulatory obligations when the EU AI Act takes effect, with enhanced thresholds of diligence, initial risk assessment, and transparency, for example, compared to AI systems not falling into this category.

Artificial Intelligence

Out-Law Guide

The impact of the new EU mass actions directive across Europe

Mass actions, sometimes described as collective, class or group actions, are actions brought by multiple claimants against the same defendant or group of defendants, generally in relation to harm said to have been caused to the claimants in the same or a similar way.

Class actions

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law Analysis

A global view of the law applicable to an arbitration agreement

Show me more

Out-Law News

Action on alcohol to form part of UK's 'modern crime prevention strategy'

Show me more

Out-Law News

Advocate general: German credit agency scoring breaches GDPR

Show me more

Out-Law Analysis

Algorithmic pricing raises concerns for EU competition law enforcement

Show me more
Alison Rankine

Senior Associate

View Profile

Out-Law Analysis

As EU Council decides fate of trade talks, what exactly has been agreed so far?

Show me more

Out-Law Analysis

BREXIT: Post-Brexit pensions regulation would require balancing of business burdens and consumer protections, says expert

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.