AI Video Analytics in France: CNIL Guidance and the JO 2024 Precedent

France has become the European laboratory for algorithmic video surveillance, and the experiment did not end when the Olympic torch left Paris.

What happened between the spring of 2023 and the autumn of 2024 was not a one-off legal accommodation. It was the construction of a doctrine. The French legislator authorised the use of AI-augmented cameras in public space under exceptional conditions tied to the Olympic and Paralympic Games, the Commission nationale de l'informatique et des libertés set the conditions for that use, and a permitted technical and operational vocabulary entered the public administration. The framework was time-limited on paper. The vocabulary, the supplier relationships, the trained operators and the integrator know-how were not. Operators across Europe who treat the Paris episode as a French anomaly are misreading what was actually built.

This article does not relitigate the political debate. It describes, from a manufacturer's perspective, what the CNIL position currently is, how the JO 2024 regime altered the field, what has happened since, and where French practice now sets a precedent that German, Spanish and Italian operators will have to answer to. The argument extends a position developed in the book BOSWAU + KNAUER. From Building to Security Technology, namely that AI video analytics is not a feature added to a camera. It is a regulated function with its own legal weight, and the regulator who decides first sets the terms for the others.

The CNIL position before the Olympics

The CNIL did not arrive at AI video analytics in 2023. It had been describing the category, in successive opinions and recommendations, since the late 2010s. The position that consolidated by 2022 rested on a distinction the regulator considered structural. Classical video surveillance under the loi Informatique et Libertés and the General Data Protection Regulation is a recording activity. AI video analytics is a processing activity that produces, from images, new categories of personal data, including behavioural categories. The legal basis required for the second cannot be inferred from authorisation granted for the first.

This had practical consequences. A municipality that had been authorised to operate a network of street cameras under the code de la sécurité intérieure could not, on that basis alone, layer algorithmic detection of abandoned objects, crowd density estimation or unusual trajectory recognition. Each function required its own analysis under the GDPR, including a data protection impact assessment, a defined legal basis, proportionality testing and, in many cases, a specific legislative authorisation that did not yet exist in French law. The CNIL position was that the absence of a specific text did not create a vacuum to be filled by operators. It created a prohibition.

The regulator reinforced this with formal opinions on biometric processing in public space. Live facial recognition was treated as a different category again, subject to even tighter constraints, and the CNIL position aligned with what would later become the European AI Act's high-risk regime. The line between behavioural analytics and biometric identification was made explicit, and operators were warned that the line could not be crossed implicitly by deploying systems whose technical architecture allowed both. A camera capable of biometric matching was, in the regulator's view, a biometric system, regardless of how it was currently configured. Capability and use were not allowed to drift apart.

This position is important because it survived the Olympic legislation. The CNIL did not retract its general doctrine when the legislator opened a narrow exception. It enforced the exception narrowly, and it has continued to apply the pre-existing doctrine to every deployment that falls outside the exceptional window. Operators who assumed that the Olympic regime had loosened the underlying rules misread the relationship between exception and principle in French administrative law.

The JO 2024 exception and what it actually authorised

The legal instrument that authorised AI video analytics for the Olympic and Paralympic Games was the law of 19 May 2023 relating to the 2024 Olympic and Paralympic Games, in particular its article 10. The text was narrow on its face. It permitted the experimental use of algorithmic processing applied to images captured by fixed video surveillance and drones, for the sole purpose of detecting, in real time, predetermined events presumed to indicate or reveal risks to the safety of persons in places hosting these events, their surroundings, and public transport.

Several elements of that formulation deserve attention. The processing was experimental, which under French administrative law means time-limited and subject to evaluation. The events to be detected were predetermined, which meant they had to be listed in a decree and could not be expanded by the operator at runtime. The categories ultimately authorised by decree included abandoned objects, weapons presence, abnormal crowd density, crowd movement in unexpected directions, presence in prohibited or sensitive zones, fire outbreaks and falls. The list was closed. Facial recognition was explicitly excluded, as was any biometric identification. The system was permitted to flag events and to draw an operator's attention to a scene. It was not permitted to identify individuals, and the legislator wrote that exclusion into the primary text rather than leaving it to interpretation.

The CNIL was consulted on the implementing decrees and issued public opinions throughout the deployment phase. It required that the algorithms be auditable, that their training data be documented, that the false positive rate be measured and disclosed, that operator decisions remain human, and that the exceptional regime not be extended by stealth to non-Olympic uses. The Commission also required ex-post evaluation reports and conducted inspections during the Games. The reports it published after the Olympic and Paralympic period were measured. They confirmed that the eight authorised event categories had been deployed across rail stations, fan zones, transit hubs and venue perimeters, that operator workflows had been respected in most cases, and that no biometric drift had been documented. They also noted that detection performance varied significantly across categories and across sites, that abandoned object detection was more reliable than crowd density estimation, and that the systems generated a meaningful volume of false alerts that required human triage.

This is the empirical record. It is more nuanced than either the proponents or the opponents of the framework anticipated.

The post-Olympic period and the question of normalisation

The legal exception was scheduled to expire on 31 March 2025. The political question, raised explicitly during parliamentary debate in late 2024 and through 2025, was whether the framework would be extended, narrowed, or allowed to lapse. As of the writing of this article, the trajectory points toward extension and integration into general law rather than expiration.

Several signals support this reading. The Ministry of the Interior published evaluation material favourable to extension. Public transport operators, particularly SNCF and RATP, communicated that the systems were useful and that discontinuation would create operational gaps. Municipalities outside the Paris region expressed interest in deploying equivalent systems for their own purposes, including event security and public space management. The CNIL itself, while maintaining its principled position on the difference between experimental and permanent regimes, indicated that it would engage constructively with any legislative proposal that preserved the substantive guarantees of the 2023 framework, namely the closed list of event categories, the exclusion of biometric identification, the requirement of human decision-making, and the auditability of algorithms.

The normalisation has therefore not happened by silent drift. It is happening through an explicit legislative process, with parliamentary debate and CNIL involvement. This is the opposite of the pattern that critics of the 2023 law feared, namely that an exceptional measure would quietly become permanent without further democratic deliberation. What is interesting from a manufacturer's standpoint is that the technical and operational ecosystem built for the Olympics, the certified suppliers, the trained operators, the integrator relationships, the standard operating procedures, the documentation templates required by the CNIL, has continued to function during the legislative pause. The infrastructure outlasted the legal regime that created it, and a new legal regime is being built to fit the infrastructure rather than the other way around.

This sequence has European implications. France will not be the only jurisdiction to authorise AI video analytics for public space safety under specific conditions. Germany, through the federal states with primary competence over policing and public space, is moving more slowly, but the Bundesländer that operate large transport networks and host major events are watching French practice closely. Spain has its own framework under the Agencia Española de Protección de Datos. Italy's Garante has issued opinions consistent with the French direction. The European AI Act, which classifies most public-space biometric and behavioural analytics as high-risk, sets a floor but does not displace national regimes that meet or exceed it. The CNIL's doctrine is, in practice, becoming the European reference point for operators who want to know what a defensible deployment looks like.

Enforcement: who actually applies the rules

The question of enforcement is more complex in France than in some other European jurisdictions because multiple authorities have overlapping competence. The CNIL is the principal data protection authority and has the lead on processing of personal data, including video images that allow identification or behavioural profiling. Its powers include inspection, formal notice, public sanction and administrative fines up to the GDPR ceiling. For the Olympic regime, the CNIL exercised these powers in cooperation with the Ministry of the Interior, which retained operational responsibility for the deployments.

Beyond the CNIL, several other bodies are relevant. The Défenseur des droits, the French ombudsperson, can intervene on questions of discrimination, including algorithmic discrimination. The Contrôleur général des lieux de privation de liberté has competence over surveillance in detention contexts. The administrative courts review the legality of prefectural authorisations for specific deployments, and the Conseil d'État has the final word on contested decrees. Operators who deploy AI video analytics in France are therefore subject to a regulatory landscape that is not unified under a single authority. The CNIL is the most active, but it is not the only enforcer.

In practice, the enforcement pattern that emerged during and after the Olympics was one of guided compliance rather than punitive sanction. The CNIL prioritised cooperation with operators, the issuance of clear guidance, and the correction of deviations before they became sanctionable. This is consistent with the regulator's general approach to new technologies, which favours doctrinal clarity over enforcement theatre. Operators should not, however, infer that the absence of large public sanctions in the Olympic period implies regulatory tolerance for non-compliance. The CNIL has been explicit that the next phase, in which AI video analytics moves from exceptional to permanent, will involve a tighter enforcement posture. Documentation, impact assessments, algorithmic audits and operator training will be examined more rigorously, and operators who treat the legislative permission as the end of their obligations rather than the beginning will face the kind of structured inspection that produces public outcomes.

For European operators looking at France, the enforcement model is worth studying for its own sake. The CNIL has shown that a regulator can engage constructively with a new technology, set substantive limits, and preserve doctrinal clarity, without retreating into either prohibition or laissez-faire. This is the model that the AI Act assumes but does not itself provide. France is, in that sense, building the implementation layer that the European framework will rely on.

What this means for operators outside France

Operators in Germany, Austria, Switzerland and the Benelux states who are evaluating AI video analytics for industrial sites, logistics hubs, event venues and critical infrastructure should treat the French framework as a working reference, not as a foreign curiosity. The substantive obligations the CNIL has crystallised, namely the closed list of detection categories, the exclusion of biometric identification, the requirement of meaningful human decision-making, the documentation of training data, the measurement of false positive rates, and the auditability of algorithms, are the obligations that the AI Act will, in practice, generalise across the Union.

A site operator in Bavaria who deploys AI video analytics today on a logistics yard is not subject to the JO 2024 regime. The operator is subject to the GDPR, to the relevant Landesdatenschutzgesetz, to works council co-determination rights, and to the AI Act's high-risk provisions where applicable. But the documentation architecture that the CNIL required, the impact assessment, the algorithmic description, the operator training records, the false positive log, will be the documentation architecture that German supervisory authorities request when they begin to inspect comparable deployments. Operators who build that documentation now, on French lines, are building for the European norm that is coming. Operators who wait for German guidance to crystallise before documenting their systems will find themselves reconstructing records retrospectively, under time pressure, with degraded evidentiary value.

The same logic applies to procurement. Suppliers who can demonstrate compliance with the CNIL framework, who have been deployed under the JO 2024 regime, who can produce audit reports and training documentation acceptable to a French data protection authority, are suppliers whose offering is defensible across the European market. Suppliers who cannot meet that bar may still be technically capable but carry compliance risk that the operator inherits at the moment of integration. The procurement decision is, increasingly, a regulatory decision.

The framework standards that converge here are familiar to operators of critical infrastructure. NIST CSF 2.0 and NIST 800-53 cover the cybersecurity dimension of the deployment, including the protection of training data and the integrity of model inference. IEC 62443 governs the industrial control system layer when video analytics is integrated with operational technology. ISO 27001 covers the information security management system. ASIS International publishes guidance on physical security operations that interacts with the analytics layer. BSI guidance in Germany and CISA guidance in the United States offer additional reference points. None of these frameworks alone covers AI video analytics in public-facing deployments, which is precisely why the CNIL's substantive doctrine matters: it fills the operational gap between the technical standards and the legal requirement.

What holds

France did not improvise the JO 2024 framework, and the framework did not expire when the Games ended. What was built was a working answer to the question of how AI video analytics can be deployed in public-facing environments under European data protection law, with explicit limits, documented obligations and a regulator capable of enforcing them. The answer is not perfect. The detection performance was uneven, the false positive rates were higher than proponents had hoped, and the legislative process for the post-Olympic phase has been slower than the operational continuity would have justified. But the answer exists, in writing, with case material behind it, and it is the only such answer at this level of operational detail in Europe today.

For operators across the continent, the practical consequence is that the CNIL doctrine is now the reference. Documentation built to French standards will pass German, Spanish and Italian inspection. Suppliers certified under the JO 2024 regime will be defensible in any European procurement. The cost of building these capabilities now, before the AI Act's high-risk provisions are fully enforced, is lower than the cost of retrofitting them under regulatory pressure in 2026 or 2027. This is a window, and it is narrowing.

Operators who want to understand where their own deployment stands relative to this emerging norm can take one of three paths. A confidential conversation of sixty minutes will produce a first reading of the gap between current practice and the French reference. A structured audit of three to five days will produce a documented assessment with prioritised recommendations. A pilot of ninety days, on a defined site with a defined success metric, will produce data on which a scaling decision can be taken. None of these paths requires a commitment to the next. Each stands on its own.

Frequently asked questions

What does CNIL say about AI cameras?

The CNIL distinguishes structurally between classical video surveillance, which is a recording activity, and AI video analytics, which is a processing activity producing new categories of personal data. Authorisation for the first does not extend to the second. Each algorithmic function requires its own legal basis, impact assessment, proportionality analysis and, where public space is involved, specific legislative authorisation. The Commission excludes biometric identification in public space from the permitted scope and requires that systems remain auditable, that human decision-making be preserved, and that capability not drift beyond authorised use.

What was the JO 2024 exception?

The law of 19 May 2023 authorised, on an experimental basis, AI video analytics applied to fixed cameras and drones for the detection of eight predetermined event categories during the Olympic and Paralympic period. The categories included abandoned objects, weapons presence, abnormal crowd density and falls. Facial recognition and biometric identification were explicitly excluded from the regime. The CNIL was consulted on the implementing decrees, conducted inspections during the Games, and published post-event evaluation material that confirmed compliance with the substantive limits while documenting uneven detection performance across categories.

Has it normalised?

The legal regime was scheduled to expire on 31 March 2025, but the trajectory points toward extension and integration into general law rather than lapse. The technical and operational ecosystem built for the Olympics, certified suppliers, trained operators, documentation templates, has continued to function during the legislative pause. Normalisation is occurring through explicit parliamentary process with CNIL involvement, not by silent drift. The substantive guarantees of the 2023 framework, closed event categories, exclusion of biometric identification, human decision-making, algorithmic auditability, are expected to carry into the permanent regime.

Who enforces?

The CNIL is the principal enforcer, with powers of inspection, formal notice, public sanction and administrative fines under the GDPR. Other authorities have overlapping competence, including the Défenseur des droits on discrimination questions and the administrative courts on the legality of prefectural authorisations. In practice during the Olympic period, the CNIL favoured guided compliance over punitive sanction. The Commission has signalled a tighter enforcement posture for the permanent regime, with structured inspection of documentation, impact assessments, algorithmic audits and operator training records.