France: Artificial Intelligence Comparative Guide

1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern AI in your jurisdiction?

In France, there is no global legal framework dedicated to AI and/or that takes into account all of the complexity of new intelligent technologies (eg, AI, big data, Internet of Things). Nevertheless, algorithms and their uses are framed, directly or indirectly, by rules and obligations set forth in various acts and codes, such as the following:

• Act 78-17 dated 6 January 1978 relating to data processing, files and freedoms (‘Data Protection Act') and Implementation Decree 2019-536 dated 29 May 2019, which govern the processing of personal data necessary for the operation of algorithms;
• Act 2016-1321 dated 7 October 2016 (‘Act for a Digital Republic') and Implementation Decree 2017-330 dated 14 March 2017 relating to the rights of persons subject to individual decisions taken on the basis of algorithmic processing, which aim to combat digital discrimination that may result from the algorithms used by online platform operators;
• liability regimes set forth in:
• • the Civil Code (eg, liability for the actions of things; fault-based liability; liability for defective products);
  • specific acts (eg, the so-called ‘loi Badinter' setting out a specific regime of liability for road traffic accidents; the Public Health Code regarding liability for health defective products); and
  • the Criminal Code (eg, criminal liability due to the use of AI to commit an offence); and
• the French IP Code, which determines the rights that parties can claim on:
• • the component elements of AI (eg, rights on databases or materials (eg, photos, videos) used to train AI models); and
  • the elements generated by AI (eg, software, creations).

In addition, a constitutional bill relating to the Charter of Artificial Intelligence and Algorithms was added to the agenda of the French National Assembly on 15 January 2020.

The aim is to include in the Preamble of the French Constitution the reference to a ‘Charter of Artificial Intelligence and Algorithms'.

1.2 How is established or ‘background' law evolving to cover AI in your jurisdiction?

The legal framework for AI is evolving in France thanks to flexible instruments of soft law such as reports, charters, white papers, guidance and guidelines.

In this respect, for example, the Act for a Digital Republic entrusted the French data protection authority (CNIL) with a mission to "reflect on the ethical and societal issues raised by the evolution of digital technologies". On 15 December 2017, the CNIL published a summary report entitled How to Allow Men to Keep Control? The Ethical Issues of Algorithms and Artificial Intelligence.

The French Senate's Economic Affairs Commission likewise tasked the Parliamentary Office for the Evaluation of Scientific and Technological Choices with reporting on AI. On 29 March 2017 it issued a report entitled For a Controlled, Useful and Demystified Artificial intelligence, which recommended that AI be put "at the service of men and humanistic values".

Another example of such instruments is the government report initiated by Axelle Lemaire, former secretary of state for digital and innovation, entitled Synthesis Report for France Artificial Intelligence.

On 28 March 2018 mathematician and deputy Cédric Villani also made public his report entitled Giving Meaning to Artificial Intelligence, which was the result of a parliamentary mission entrusted to him. Following this report, in December 2019 the French National Ethics Committee established a Steering Ethical Committee on Digital Matters, whose first opinions are expected to address chatbots, autonomous vehicles and medical diagnosis in the era of AI. The steering committee is expected to publish its first annual report in the coming months.

Other non-binding initiatives are undertaken by scientific groups such as:

• the Commission for Reflection on Ethics Research in Digital Science and Technology, which has published several reports, including one entitled Research Ethics in Machine Learning; and
• the National Research Institute for Digital Science and Technology (INRIA), which published a white paper on 16 September 2016 entitled Artificial Intelligence, Current Challenges and INRIA's Actions.

All of these initiatives provide food for thought on the amendments that could be necessary to the legal and regulatory framework for AI.

1.3 Is there a general duty in your jurisdiction to take reasonable care (like the tort of negligence in the United Kingdom) when using AI?

No, there is no such general obligation in France.

However, compensation for damages caused by AI may be sought under several liability regimes, such as the following:

• Under the fault-based liability regime set forth by Article 1240 of the Civil Code, any fault – regardless of its seriousness and regardless of the source of the duty violated – engages in the same way the responsibility of its author, and obliges the latter to compensate the entire damage caused to the victim. This general principle of liability allows case law to define the norms of social conduct and the duties of conduct whose violation constitutes a fault. Recently, case law has established a new fault – ‘precautionary fault', based on the precautionary principle – which results in a high degree of vigilance in the presence of uncertain, unproven risks. This principle and the related fault may be particularly relevant in the context of AI. Finally, the French Supreme Court has identified a duty of vigilance regarding proven risks, which will also be relevant for AI.
• Under the regime on liability for actions of things set forth by Article 1242 of the Civil Code, a party is responsible for things under his or her custody (there is no need for the victim to prove fault; the fact that the damage has been caused by the thing under someone else's custody alone is sufficient). However, this liability regime raises some questions due the intangible nature of AI and the identification of the party which can be considered as the custodian.
• The regime on liability for road traffic accidents may also be relevant in the AI context (please see question 3.1(c)).
• The regime on liability due to defective products set forth by Article 1245 of the Civil Code will also apply to AI insofar as the product is understood in a very broad way. However, this liability regime raises some questions, due the intangible nature of AI and difficulties in characterising the default of the product.

1.4 For robots and other mobile AI, is the general law (eg, in the United Kingdom, the torts of nuisance and ‘escape' and (statutory) strict liability for animals) applicable by analogy in your jurisdiction?

In principle, insofar as robots and other mobile AI can be qualified as movable assets, they may be encompassed within the scope of existing laws applicable to such assets. Currently, however, there is no case law that has applied the existing liability regimes to AI.

Article 1243 of the Civil Code provides for a liability regime for animals, under which the owner or the person using the animal bears the burden of any damages caused by the animal, whether the animal is "under his care" or is "lost or escaped". Currently, this liability regime has not been applied to robots or other mobile AI by the French courts; but some authors suggest that the transposition of this regime to the AI sphere could be relevant and would make it possible to take into account the possibility of autonomous AI ‘escaping' from the control of its user.

As indicated in question 1.3, in the past, the regime on liability for actions of things set forth by Article 1242 of the Civil Code, as interpreted by the French courts, has been sufficiently broad to adapt to the liability issues presented by different types of things (eg, liquid oxygen, soft drinks, aerosol cans, electric trolleys). As such, some authors contend that this general liability regime is sufficiently broad to take into account the issues presented by AI, thanks to the broad interpretation by the French courts of the notion of ‘things' and past case law on the notion of custody. These authors suggest that it would simply be a matter of applying these by analogy to AI by adapting current concepts where necessary.

Nevertheless – and despite the French courts' broad interpretation of the different liability regimes in the past – other authors have called for the creation of a new liability regime dedicated to robots based on the current liability regime for animals.

1.5 Do any special regimes apply in specific areas?

There is no dedicated legal regime applicable to AI in France.

In terms of liability, some authors argue that the different civil liability regimes that currently exist in France (eg, fault-based liability, liability for actions of things, liability for defective products, liability of healthcare professionals, liability for road traffic accidents) can apply to AI depending on the context, and that it is just a matter of applying them by analogy to AI by adapting current concepts where necessary. Other authors have called for a new liability regime dedicated to robots.

1.6 Do any bilateral or multilateral instruments have relevance in the AI context?

The recent initiatives of the European Union in the AI context are very relevant. On 19 February 2020 the European Commission published a white paper on AI within the framework of the development of a coordinated European approach on the human and ethical implications of AI, as well as a reflection on better use of megadata to promote innovation. The European Parliament also adopted three reports on 20 October 2020 indicating how the European Union can regulate AI in order to stimulate innovation and enhance the reliability of this technology, while establishing ethical standards. These respectively covered:

• an ethical framework for AI;
• liability for damages caused by AI; and
• IP rights.

In particular, the European Parliament has stressed the importance of having an effective system to further develop AI, including patents and new creative processes. The European Commission is expected to present a legislative proposal on AI in early 2021.

Companies involved in AI are also keen to adopt ethical charters and code of conducts which are generally applicable to those companies themselves. It is expected that ethical charters and code of conducts that are applicable across whole industries and sectors, rather than just to individual companies, will be adopted in the coming years.

1.7 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

To date, no specific body has competence to enforce applicable laws and regulations on and over AI. Due to the issues that AI may present, the bodies that are most likely to enforce laws and regulations on AI are the French courts and independent administrative authorities. For example, the French courts may have to rule on:

• the ownership of IP rights on the components of AI or elements generated by AI; and
• the liability issues raised by AI.

In this context, the French courts will have their usual powers (ie, for civil courts, the power to rule on IP ownership and to allow damages; for criminal courts, the power to issue sanctions such as fines and imprisonment).

The CNIL may also be competent to monitor compliance with the applicable legislation on the processing of personal data in the context of AI. It can issue formal notices to companies in order for them to cease breaches or directly issue sanctions, including fines of up to €20 million or 4% of the company's total worldwide annual turnover in the preceding financial year, whichever is the higher.

1.8 What is the general regulatory approach to AI in your jurisdiction?

To date, there is no dedicated legal framework applicable to AI in France.

As such, the general regulatory approach to AI is a flexible legal approach of soft law, comprising resolutions, reports, white papers, guidelines and the recommendations of commissions and working groups that have been tasked with analysing specific aspects of AI (please see question 1.2).

Such commissions and working groups may propose to the French legislature the drafting of specific and dedicated instruments, or may call for the amendments of existing provisions to adapt to the specificities of AI.

2 AI market

2.1 Which AI applications have become most embedded in your jurisdiction?

When it comes to AI, there is often confusion between AI technologies and applications.

We believe that a distinction should be made on the French market between three levels of what are identified as ‘AI technologies', as the markets are structured differently according to the technology concerned:

• Level 1: This comprises companies that analyse, structure and rationalise data or databases. In this case, it is more a question of ‘business intelligence' – a technology for representing and structuring information. The business intelligence market is very large, but less technologically advanced.
• Level 2: This comprises companies that conduct automated data analysis using a technique known as ‘machine learning'. By analysing data, this technology enables intuitions to be confirmed – for example, by making connections (eg, when it rains, there are more accidents). However, it can also highlight what are known as ‘weak signals' – that is, logical links in a set of data, which could not have been analysed alone, without the use of this technology. This is a rather structured market.
• Level 3: This comprises companies offering solutions that integrate ‘deep learning' technology, which is at the heart of AI. This involves ‘teaching' the machine to understand information that was not accessible to it (eg, images, sounds). This is the most innovative, but smallest AI market.

2.2 What AI-based products and services are primarily offered?

The AI-based products and services that are commercialised in France are of a very different nature (eg, chatbots, autonomous vehicles (AVs), speech-to-text applications), depending on:

• the technology concerned (see question 2.1); and
• the targeted market (ie, business to business (B2B) or business to consumer (B2C)).

As far as deep learning is concerned, AVs and facial recognition/supervision are the most developed products and applications to date.

The B2B market is the most mature and technologically advanced market. Companies offering AI-based products and services in this marked are generally structured in one of the following ways:

• Application segments which use AI to solve functional and/or sectoral problems: In this case, companies offer AI applications in a specific field to address a specific need (eg, analysis of damage in the automotive field, fraud detection). AI-based products and services offered by companies on the B2B market are in the majority and represent 80% of start-ups.
• The more upstream segments, which offer useful and specific products, services and technologies for the creation of AI-based applications: In this case, companies develop AI technology or services to make them available to their customers for specific use in their various fields of activity, regardless of the field of activity concerned. This is a smaller market to date, but some ambitious and disruptive projects are emerging.

2.3 How are AI companies generally structured?

AI companies can be of any size and consequently have very different structures (eg, large group, small and medium-sized enterprises).

However, in France, AI companies are mostly start-ups, which are very involved in innovation. Most of these start-ups are simplified joint stock companies – a form which allows for significant flexibility in the organisation and management of the company.

2.4 How are AI companies generally financed?

AI companies can have very different forms and structures.

When AI technologies are developed and commercialised by start-ups, they can use a wide variety of financing methods, including:

• bootstrapping;
• crowdfunding;
• bank loans;
• acquisition of shares by professional investors (business angels);
• fund raising through venture capital funds; and
• intervention of the public investment bank, BPIfrance, in the financing of the start-up in collaboration with the French Tech ecosystem, in the form of a donation, a contribution or a loan.

2.5 To what extent is the state involved in the uptake and development of AI?

The French government declared, as of 2017, that the uptake and development of AI constituted a strategic priority for France. The implementation of a regulatory and financial framework favourable to the emergence of AI, through the provision of special support for research projects and start-ups in AI, is a crucial part of its development strategy.

France's unique position in the field of AI can be explained by the existence of a high-performance ecosystem which has many advantages. First, numerous quality training courses are available, including AI-specialised master's degrees; and many doctoral theses have been dedicated to AI topics.

Second, France is an attractive territory for investors, with incentives including the following:

• Young Innovative Company Status is available for any technology company that has been established for less than eight years and that conducts research and development (R&D), as long as it meets the attribution criteria. Such companies benefit from exemptions on their tax charges (eg, corporate income tax, annual flat tax) and their social charges (eg, Ursaff employer's contributions) for a period of eight years from their establishment.
• The Research Tax Credit is a generic measure that aims to support corporate R&D activities, with no sector or size restrictions. Businesses that incur expenses for fundamental research and experimental development can benefit from the RTC by deducting these expenses from their income tax under certain conditions. The rate of the RTC varies according to the amount of the investment.
• Numerous European and French innovation competitions are open to AI companies, which award funding for R&D (eg, funding by BPIfrance).
• As a public investment bank, the role of BPIfrance is to provide financial support to companies and start-ups by providing capital or guaranteeing the financial loans that companies can take out (eg, the i-Lab programme, the French Tech Scholarship).

Finally, the state encourages the establishment of research laboratories in France in order to further develop its ecosystem: about 88 laboratories and R&D research centres have been established, and more than 13,000 researchers are working on AI or related issues. In particular, France hosts the research centres of some of the world's leading AI companies, such as Google, Facebook, Microsoft, Uber, Fujitsu, IBM, Criteo and Thales.

3 Sectoral perspectives

3.1 How is AI currently treated in the following sectors from a regulatory perspective in your jurisdiction and what specific legal issues are associated with each: (a) Healthcare; (b) Security and defence; (c) Autonomous vehicles; (d) Manufacturing; (e) Agriculture; (f) Professional services; (g) Public sector; and (h) Other?

(a) Healthcare

The fields of application of AI in medicine are numerous and include:

• computer-assisted surgeries;
• remote patient monitoring;
• intelligent prostheses;
• diagnostic assistance; and
• personalised treatments.

The reports listed in question 1.2. deal with AI in the healthcare sector, among other things. Most of them highlight the importance of preserving the decisional power of doctors with regard to AI, and recommend the development of technical devices using AI in order to assist in making medical decisions, rather than imposing on doctors or patients a decision made by the algorithms. They also emphasise the importance of training healthcare professionals to understand the global operating approach, in order to identify the limits of AI and the recommendations/solutions it affords.

In November 2016 the High Authority for Health issued Good Practice Guidelines on Health Apps and Smart Devices (Mobile Health or mHealth), with the aim of guiding and promoting the use of connected applications and objects, and strengthening confidence in this regard. The guidelines set out good practices covering the reliability of health content, data protection and cybersecurity. Such guidelines are also relevant for AI software.

The French Data Protection Act also contains several provisions dedicated to the processing of health data, which may apply to the processing of health data in the context of developing or running medical software that includes AI elements (eg, computer-assisted surgery, remote patient monitoring, diagnostic assistance). However, these provisions are not specific to AI.

The Act of 26 January 2016 on the modernisation of the healthcare system led to the creation of the National Health Data System, which brings together the main public health databases and sets out the rules on the use of such data. Under certain conditions, this data may be used by companies to conduct research that could further and/or lead to the development of software incorporating AI.

The current French bill on bioethics addresses the algorithmic processing of genetic data. For example, the bill aims to ensure that:

• proper patient information is used when a medical act involves an algorithmic processing of massive data; and
• a healthcare professional intervenes in the adaptation of the settings of the processing, and as such, the principle of a human guarantee when using AI is respected.

The specific legal issues that are not yet addressed yet by the current regulatory framework include the following:

• Medical liability regime: Is the current medical liability regime sufficient to adapt to specific issues that might be raised due to AI or is a dedicated liability regime necessary?
• Eugenics: Is the current legal framework (Article 214-1 of the French Criminal Code) sufficient to address the issues that might be raised by AI (transhumanism and augmented humans) or are amendments necessary?

(b) Security and defence

In France, the number of AI military applications is increasing; they include computer vision, intelligent robotics, distributed intelligence, automatic language processing, semantic analysis and data crossing. On 13 September 2019 the Ministry of the Armed Forces issued a report outlining a roadmap for the deployment of AI on battlefields, with concrete examples, raising ethical issues related to its use (AI at the Service of Defence). The authors of the report identified several "priority areas of effort", including decision support, robotics, cyber defence, intelligence, logistics and support, as well as maintenance in operational condition and "collaborative combat". To this end, a new organisation within the ministry specifically dedicated to AI was created on 1 September 2018 by Florence Parly, minister of the armed forces. The purpose of the Defence Innovation Agency is to coordinate the ministry's innovation initiatives by ensuring the coordination and consistency of all innovation initiatives.

Examples of specific AI military applications include the following:

• in the field of communications, use of a system that can adapt in real time, based on data from monitoring satellites, to avoid failures and automatically re-plan operations during a mission if necessary; and
• AI-based tools and weapons to supporting on-site missions – drones that will adapt in real time to the situation on-site, fighter planes equipped with virtual voice assistants and battle tanks that can be accompanied by semi-autonomous robots with the ability to operate in complex environments. As far as autonomous lethal weapons are concerned, France has no plans to develop fully autonomous systems that are totally beyond human control in the definition and execution of their mission.

The Ministry of Defence has called for "trusted AI" and the establishment of international standards. In its report, the ministry highlighted the need for France to strike the right balance between benefiting from what large private and often foreign digital groups can offer in terms of AI without becoming dependent on it and developing its own military applications.

The use of AI in the field of security and defence presents specific difficulties and challenges. Beyond the issues of national sovereignty, the regulations applicable to classified information can be a constraint on the use of AI. Indeed, Articles R 2311-1 and 2 of the Defence Code classify information considered as defence and national security secrets as follows:

• Top secret defence: Reserved for information and materials that concern government priorities in defence and national security, and whose disclosure is likely to seriously harm national defence;
• Defence secret: Reserved for information and materials whose disclosure is likely to cause serious harm to national defence; and
• Defence confidential: Reserved for information and materials whose disclosure is likely to harm national defence or could lead to the discovery of a secret classified at top secret or defence secret level.

Classified information can be accessed only with a security clearance, which differs according to the classification levels of the information. It is well known that AI-based systems can become intelligent only if they have enough relevant data to learn from: without data, an algorithm is necessarily blind, and without an algorithm, a data is definitely mute. Although nothing prevents such data from being injected into a deep learning process, the restricted nature of access to such data may limit the players that are seeking to develop AI-based technologies in the defence sector.

(c) Autonomous vehicles

The rules on the traffic conditions of autonomous vehicles (AVs) for experimental purposes can be found in several instruments:

• the Act on the Energy Transition for Green Growth, dated 17 August 2015;
• the Order Relating to the Experimentation of Delegated Driving Vehicles on Public Roads dated 3 August 2016;
• the Decree Relating to the Experimentation of Delegated Driving Vehicles on Public Roads dated 28 March 2018;
• the Order Relating to the Experimentation of Delegated Driving Vehicles on Public Roads dated 17 April 2018; and
• the so-called Loi Pacte, dated 22 May 2019.

These texts authorise the circulation on public roads of vehicles with total or partial delegation of driving authority, for experimental purposes (ie, in order to carry out technical tests or to evaluate the performance of these vehicles). Experimentation is subject to prior authorisation. The issue of authorisation is subject to the condition that the system of delegated driving may be neutralised or deactivated by the driver at any time. In the absence of a driver on board, it is necessary to provide evidence that a driver located outside the vehicle, responsible for supervising the vehicle and its driving environment during the experiment, will be ready to take control of the vehicle at any time, in order to take the necessary steps to ensure the safety of the vehicle, its occupants and road users.

The Loi Pacte further clarifies the criminal liability regime applicable in the event of accidents that occur during experiments on AVs. This act exempts the driver from criminal liability during periods when the system of driving delegation is activated if the following cumulative conditions are met:

• The driver must have activated the driving delegation system in accordance with its conditions of use; and
• The driving delegation system must be in operation and must inform the driver, in real time, that it is in a position to observe traffic conditions and carry out any manoeuvre independently without delay (instead of the driver).

According to these provisions, instead of the vehicle driver, criminal liability will be borne by the holder of the prior authorisation for experimentation, which will have to pay any fines imposed and any damages awarded in case of accidents.

Currently, this liability regime is limited to the situations of experimentation outlined above. French commentators have thus questioned whether the current French liability regime for traffic road accidents (the so-called loi Badinter, dated 5 July 1985) is sufficient to address issues raised by AVs (with slight adaptations where necessary – for example, on the notion of ‘driver'); or whether a dedicated liability regime would be necessary, under which the liability of different stakeholders (eg, driver, car manufacturer, AI provider) might be triggered.

(d) Manufacturing

There is no dedicated regulation in this sector as yet.

(e) Agriculture

There is no dedicated regulation in this sector as yet.

(f) Professional services

There is no dedicated regulation in this sector yet.

(g) Public sector

The French Act for a Digital Republic (Act 2016-1321 dated 7 October 2016) introduced the principle of transparency of public algorithms used as a basis for individual administrative decisions. Its provisions have been transposed in the French Code of Relationships between the Public and the Administration. According to these provisions, whenever an individual decision is taken on the basis (even partially) of an algorithm, the administration must:

• include an "explicit statement" on the relevant documents (eg, notices, opinions) informing the user that the decision concerning him or her has been taken on the basis of an algorithm. This statement must outline:
• • the purposes of the processing;
  • the user's right to know about the "main features" of this processing; and
  • how this right can be exercised (Articles L311-3-1 and R311-3-1-1); and
• explain, at the request of the individual, how the relevant algorithm works (Articles L311-3-1-2 and R311-3-1-2), by providing the following information:
• • the degree and mode of contribution of the algorithm to the decision making;
  • the data processed and its sources;
  • the processing settings and their weighting applied to the situation of the data subject; and
  • the operations carried out by the processing.

For administrations with at least 50 agents or employees, the administration must provide general information (Article L312-1-1-3), which involves publishing online the "rules defining the main algorithmic processing used in the accomplishment of their missions" – provided, once again, that these form the basis of individual decisions.

These provisions are complemented by Article 47 of the Data Protection Act, which provides that the data controller must ensure that it remains in control of the algorithmic processing and its development, so that it can explain to the data subject, in detail and in an intelligible form, the manner in which the processing has been carried out on him or her.

To assist administrations in complying with such obligations, in March 2019 Etalab (a French public body) published a guide for the attention of administrations, together with a practical factsheet on the explicit statement that must be provided to the user.

(h) Other

Numerous AI applications have emerged in the legal sphere. Many legal tech firms are using machine learning processes to develop software and applications for tasks such as:

• analysing case law;
• identifying the chance of success;
• anticipating the result of litigation; and
• assisting with due diligence.

The development of such software is facilitated by the implementation of open data policies due to the obligations set forth in the Act for a Digital Republic.

The introduction of AI software in the judicial system is also being explored. For example, for three months the judges of the Courts of Appeal of Douai and Rennes have tested software that aims to predict judicial decisions.

Some provisions have been inserted in the General Data Protection Regulation and the Data Protection Act in order to protect data subjects from the adverse consequences that the sole utilisation of algorithms may have on judicial decisions concerning them. In this respect, Article 47 of the Data Protection Act provides that: "No judicial decision involving an assessment of a person's conduct may be based on the automatic processing of personal data intended to evaluate certain aspects of that person's personality."

4 Data protection and cybersecurity

4.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for AI companies and applications?

The applicable data protection regime is as follows:

• the EU General Data Protection Regulation (2016/679) (GDPR);
• the Police-Justice Directive (2016/680);
• the Privacy and Electronic Communications Directive (2002/58/EC);
• EU Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union;
• the Data Protection Act, updated to ensure compliance of national laws with the GDPR and the Police-Justice Directive;
• Decree 2019-536 of 29 May 2019, adopted for the application of the Data Protection Act;
• the Electronic Communication Code – in particular, Articles L32-3 and following (use of electronic communications data for statistical purposes, to improve the services or for direct marketing) and Article L34-5 (use of data for direct marketing purposes); and
• the guidelines of the European Data Protection Board and the French data protection authority (CNIL).

In addition, the recent proposal for a regulation of the European Parliament and of the Council on European data governance will apply.

The primary implications of these regulations are as follows. First, it is necessary to determine whether the data injected into AI processes (whether to train models or to use applications that incorporate AI) constitutes personal data, in order to identify the applicable regulations and obligations.

Where AI processes involve the processing of personal data, the issues and implications will differ depending on the stage:

• At the stage of AI development (ie, where databases are used to train models), the issues and available solutions will differ depending on whether the company has created a specific database to train AI models or wants to use existing databases (created for other purposes) to train AI models. In any case, the company will need to:
• • ensure that it has appropriate legal grounds to process the personal data, and/or that the purpose related to training AI models is compatible with the initial purposes of processing (the CNIL has a very strict doctrine on web scraping techniques that involve the collection of publicly available data to use it for different purposes);
  • inform data subjects appropriately regarding the use of their data; and
  • ensure that data subjects can exercise their rights (which in practice is not always simple, depending on the data used to train models).
• The use of applications that incorporate AI will raise specific issues only if the application makes automated decisions based on AI. Companies will then have to determine whether the application falls within the scope of Article 22 of the GDPR and Article 47 of the Data Protection Act and, if so, ensure compliance with such articles – for example, by:
• • obtaining the explicit consent of the data subject;
  • relying on the need to process the data for the performance of a contract between the data controller and the data subject; or
  • being authorised to process the data by national or EU law.

The development and use of AI also raise the question of the qualifications and roles of the parties – that is, the company developing the application incorporating AI, and the company using the AI and sometimes providing data to be used to train and develop tailored models and applications) – with respect to the GDPR. Are these parties acting as joint controllers? As separate data controllers? Or in the context of a data controller/data processor relationship?

4.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for AI companies and applications?

The applicable cybersecurity regime is set out in:

• the GDPR;
• the Data Protection Act, which includes cybersecurity requirements and provides for sanctions when personal data is involved;
• Act 88-19 dated 5 January 1988 on computer fraud, which establishes the offences relating to any automated data processing system. This has been enacted in the Criminal Code (Articles 323-1 to 323-8);
• the Military Programming Act 2013-1168 dated 18 December 2013 (for 2014 to 2019) and the Military Programming Act 2018-607 dated 13 July 2018 (for 2019 to 2025), which provide requirements for operators of vital importance;
• the Network and Information Systems (NIS) Directive (2016/1148) and Law 2018-133 dated 26 February 2018 (and its implementation Decree 2018-384), which provide specific NIS requirements for operators of essential services and digital service providers;
• Regulation 2019/881 of 17 April 2019, which lays down the main requirements for European cybersecurity certification schemes with respect to information and communications technology products, services and processes;
• the Second Payment Services Directive (2015/2366), transposed in the French Monetary and Financial Code, which sets out provisions for payment service providers' information systems;
• Regulation 2017/745, which applies to medical devices that include software components;
• the Decree of 22 November 2019, which sets out several cybersecurity requirements for digital assets services providers information systems; and
• the Public Health Code, which sets out specific security requirements applicable to health data hosting service providers.

AI is primarily relevant in the cybersecurity context in two ways:

• It is used to improve cybersecurity, by embedding AI technology into cybersecurity equipment and applications (eg, firewalls, endpoint detection and response solutions), and/or it is used to detect or to investigate and respond to abnormal behaviours detected in a security operations centre.
• Cybersecurity assumes even more crucial importance in the case of AI applications, due to the potential adverse impacts that could result from a cyber-attack (eg, on autonomous vehicles, computer-assisted surgery or remote patient monitoring) or from unauthorised access to the data processed by the application (eg, there is a high risk for individuals in case of unauthorised access to an application that stores databases of photos/patterns for facial recognition or biometric data for biometric access). Companies should thus take care: