On 22 July 2025, France’s Data Protection Authority, the CNIL, published three new fiches pratiques (practical guidance) on artificial intelligence (AI) and data protection.

Covering annotation of training data(1), security during the development of an Artificial Intelligence System (AIS)(2), and the GDPR status of AI models(3), these new documents complete a body of CNIL guidance aimed at clarifying how privacy law applies in practice to AI. These documents are part of a broader CNIL strategy.

Since 2023, the CNIL has published several documents on AI. While each guidance focuses on a specific issue(4), their combined value lies in showing how the CNIL applies GDPR to AI in practice — translating general principles into concrete compliance obligations for organisations. Data minimisation (Article 5(1)(c)) and security (Article 32) clearly stand out as the essential requirements, but the CNIL also recalls the importance of other GDPR principles such as privacy by design, accountability, and the protection of individual rights and provides for specific analysis, risk assessment, tools and recommendations focused on AI.