Privacy Principles That Govern AI
GDPR, CCPA/CPRA, US state privacy laws, biometrics laws like Illinois BIPA and breach laws all reach consumer-facing AI. Seven principles do the heavy lifting - transparency, choice, lawful basis, purpose limitation, data minimisation, collection limitation and privacy by design.
Transparency: processing must be transparent to the individuals concerned → information easily accessible, easy to understand, in clear and plain language. Transparency duties are pervasive across the EU AI Act, AI codes and data protection law.
Choice: individuals should be able to agree or disagree with the collection and use of their personal data in AI systems.
Lawful basis: processing needs a legal basis → consent, performance of a contract, legitimate interest and others. Analyse the options to rely on the most appropriate basis.
Purpose limitation: collect and use personal data only for the specified purpose → a real challenge for model-building. CNIL guidance → the learning and production phases have distinct purposes, each must be "determined, legitimate and clear".
Data minimisation: data must be adequate (not too little or too much), relevant and limited to what is necessary → case-specific. Use techniques that process only the data needed → avoid "nice to have" data. Collection limitation is a subset restricting how much and what kind of data is gathered.
Privacy by design: apply data protection from the initial planning stage with robust internal data governance. Measures → pseudonymisation, anonymisation, encryption, minimised transmission, robust security. By default, process only the personal data necessary for each specific purpose.
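The minimisation, purpose-limitation and pseudonymisation measures above can be enforced in code before any personal data reaches a training pipeline. The following is an added example, not code from the page or from any regulator's guidance: it assumes a hypothetical record schema (user_id, email, dob, postcode, purchase_category, session_length_s, device_fingerprint), a constructed set of sample records, and a per-purpose field allow-list. Direct identifiers are replaced by an HMAC-SHA256 pseudonym keyed with a secret held separately from the training data; date of birth and postcode are generalised rather than copied; a purpose that was never declared is refused outright.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample records for illustration only (hypothetical schema, no real people).
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "alice@example.com", "dob": "1990-04-12",
     "postcode": "60601", "purchase_category": "books",
     "session_length_s": 340, "device_fingerprint": "fp-abc123"},
    {"user_id": "u-1002", "email": "bob@example.com", "dob": "1975-11-30",
     "postcode": "94110", "purchase_category": "garden",
     "session_length_s": 95, "device_fingerprint": "fp-def456"},
]

# Fixed "today" so age bands are reproducible in this example (assumption).
TODAY = date(2024, 6, 1)

# Purpose limitation + data minimisation: each declared purpose names the only
# fields it may receive. Anything not listed (email, raw user_id, ...) never
# reaches the training set. Hypothetical purposes for this example.
PURPOSE_FIELDS = {
    "recommendation_training": {"purchase_category", "session_length_s"},
    "fraud_model_training": {"postcode", "session_length_s",
                             "device_fingerprint", "dob"},
}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier.

    Same key + same identifier -> same pseudonym, so records can still be
    joined; without the key the pseudonym cannot be re-derived from a guess,
    unlike a plain unkeyed hash of a predictable id.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, today: date) -> str:
    """Generalise an exact date of birth to a ten-year band."""
    y, m, d = (int(x) for x in dob_iso.split("-"))
    born = date(y, m, d)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def postcode_area(postcode: str) -> str:
    """Keep only the leading area of a postcode (assumed 5-digit format)."""
    return postcode[:3] + "**"


def minimise(record: dict, purpose: str, key: bytes, today: date = TODAY) -> dict:
    """Return the minimal, pseudonymised projection of one record for a purpose."""
    if purpose not in PURPOSE_FIELDS:
        # Undeclared purpose: refuse rather than silently process.
        raise ValueError(f"no declared purpose {purpose!r}; refusing to process")
    out = {"subject_pseudonym": pseudonymise(record["user_id"], key)}
    for field in PURPOSE_FIELDS[purpose]:
        if field not in record:
            continue
        if field == "dob":
            out["age_band"] = age_band(record[field], today)
        elif field == "postcode":
            out["postcode_area"] = postcode_area(record[field])
        else:
            out[field] = record[field]
    return out


def build_training_set(records, purpose: str, key: bytes, today: date = TODAY):
    """Apply minimise() to every record; the output is what the model sees."""
    return [minimise(r, purpose, key, today) for r in records]


if __name__ == "__main__":
    # Example key; in practice the key lives in a secrets store, not in code.
    demo_key = b"example-secret-key"
    for purpose in PURPOSE_FIELDS:
        print(purpose, build_training_set(SAMPLE_RECORDS, purpose, demo_key))
```

Because the allow-list is data rather than scattered conditionals, adding a new purpose means adding a new entry and reviewing it, which is the review step privacy by design asks for. Rotating or destroying the HMAC key is also what turns the pseudonymised set into one that can no longer be linked back to the original subjects.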