AI Tracker
France

Under the GDPR and the French Data Protection Act, AI systems must respect individuals’ privacy rights. The CNIL leads on AI guidance, enforcement and ethics and will continue to publish practical guides addressing privacy, cybersecurity, and ethical risks, particularly those associated with generative AI. The CNIL is generally moving beyond high-level principles to a granular, GDPR-centric enforcement of AI systems, with a particular focus on the lawfulness of data collection and use for training models.

• Public-sector transparency: The Law for a Digital Republic (October 2016) obliges public administrations to publish algorithmic processing used in individual decision-making.
• Guiding principles and self-assessment: In March 2022 CNIL published a guide outlining AI principles and a self-assessment tool to help organisations align AI systems with GDPR and best practices.
• ChatGPT investigation: In April 2023 CNIL opened an inquiry into OpenAI’s compliance with data-subject rights, collaborating with other European DPAs.
• AI Action Plan and how-to sheets: In May 2023 CNIL issued an action plan with detailed technical sheets on pseudonymisation, data minimisation and governance throughout the AI lifecycle.
• Strategic plan 2025–2028: CNIL’s January 2025 strategy prioritises AI, protection of minors, cybersecurity and everyday digital use.
• New recommendations (February 2025): CNIL advised on model governance, urging data anonymisation, informing individuals when their data trains AI systems and enabling rights to access, rectify or delete data embedded in models.
• Joint statement on data governance: On 11 February 2025 CNIL signed a joint statement at the Paris AI Action Summit on building trustworthy data governance frameworks to encourage the development of privacy-protective AI. This statement has now been signed by 24 other DPAs in total.
• Guidance on using legitimate interest for AI system development: In June 2025, the CNIL issued guidance on legitimate interest and AI advising that legitimate interest is a possible legal basis for AI development under GDPR when strong safeguards are implemented. 
• Recommendations on AI and GDPR: In July 2025, the CNIL finalised its recommendations on AI models trained with personal data, advising that stakeholders should conduct and document an analysis to ascertain whether or not their AI model in subject to GDPR.

CNIL is also active in regulating AI-related data incidents:

• Sanction of Clearview AI: In October 2022, the CNIL fined Clearview AI €20 million and ordered it to cease collecting and using data on individuals in France. Clearview AI, a US-based facial recognition service, was found in breach of the GDPR for unlawful data processing and not respecting individuals' rights. Despite a formal notice issued in November 2021, Clearview AI failed to comply, resulting in the €20 million fine and a daily penalty of €100,000 for non-compliance. On April 13, 2023, the CNIL imposed an additional €5.2 million fine for continued non-compliance.
• Warning to the city of Valenciennes: In 2017, the city of Valenciennes deployed an illegal video surveillance system using AI-powered image analysis software provided by Huawei. The system included 240 cameras and three AI-based software tools. In May 2021, the CNIL issued a warning to Valenciennes, finding the system to be disproportionate and lacking a legal framework, installed without prior consultation or impact studies. Additionally, the use of automated license plate readers by the municipal police was unauthorized.

France is amending its Intellectual Property Code to address AI-related challenges:

• A legislative proposal released in September 2023 introduces an “AI-generated work” label requiring disclosure of AI involvement, assigns ownership of outputs to rights holders of input works in the absence of human intervention and mandates fair remuneration for creators whose works are used to train AI.
• In March 2025 French publishers and authors sued Meta in the Paris Judicial Court, alleging unauthorised use of their works to train generative AI models and seeking removal of infringing datasets and damages.

• Domestically, France has prioritized data and algorithmic transparency. The Law for a Digital Republic (October 2016), introduced provisions that extend the principle of information to algorithmic processing. Specifically, any person who is the subject of an individual administrative decision taken on the basis of an algorithm must be informed of this and may request access to the algorithm’s main operational rules, including its contribution, the data used, and other relevant details.
• In October 2024, a coalition of Non-Governmental Organizations including La Quadrature du Net and Amnesty International France filed a claim before the Conseil d'État (highest French administrative court) against the algorithmic system used by the Caisse nationale des allocations familiales (CNAF) to detect welfare fraud. The petition alleges that the algorithm discriminates against marginalized populations and violates data protection and equality principles. As of May 2025, the Conseil d'État has not yet issued its ruling.
• At the 2025 AI Action Summit in Paris, France emphasized the importance of preparing for AI's impact on employment. Discussions centred on reskilling workers and creating quality jobs within the AI economy. France endorsed the "Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet" during the Summit, emphasising the development human rights-based, ethical, safe, secure, and trustworthy AI, while also stressing the need to narrow inequalities and assist developing countries in building AI capacities.

Competition

In June 2024, the French Competition Authority (Autorité de la Concurrence) issued an opinion on the competitive dynamics of the generative AI sector. It raised concerns about market concentration, dominated by tech giants like Google, Microsoft, Amazon, Meta, and Apple, which benefit from significant advantages such as access to specialized chips, cloud computing, vast data resources, and substantial funding. The Authority recommended integrating AI into the EU Digital Markets Act to promote competition, particularly by opening cloud giants' AI model distribution services to third parties. It also called for vigilance regarding potential anti-competitive practices and intellectual property issues related to content used to train AI models.

Consumer protection

Consumer protection in France is built on the principles set out in the Consumer Code, which ensures that consumers are treated fairly, have access to clear and accurate information, and are shielded from deceptive or aggressive commercial practices. Central to this framework is the idea that consumers should be able to make informed choices and not be disadvantaged by imbalances of power or information in the marketplace. While the Code was not designed specifically for artificial intelligence, its broad provisions apply to AI-related products and services. Additionally, efforts are being made to align with the EU AI Act, which introduces a tiered risk framework and emphasizes the importance of consumer safety in AI applications.