This digital glossary is primarily aimed at non-experts, providing definitions for commonly used terms in the digital realm. It is not intended to be exhaustive.
When a term is italicized within a definition, it means that it is defined elsewhere in the glossary.
A
Accountability
Introduced by the GDPR, this notion is based on the will to make the actors concerned by the protection of Personal Data responsible. They now have the obligation to document their compliance with the GDPR, through the implementation of a personal data governance system, in particular in order to provide proof of their compliance with Data Protection rules.
Adequacy decision
Decision of the European Commission establishing that a non-EU country (known as a “third country”) offers a level of protection of personal data comparable to that guaranteed in the EU. Third countries that have been addressed by an adequacy decision include: Andorra; Argentina; Canada; Israel; Japan; New Zealand; Uruguay.
AI Act
European Regulation (EU) 2024/1689 on Artificial Intelligence (AI), adopted by the European Parliament on June 13, 2024, and entered into force on August 1, 2024. It represents the world’s first comprehensive legislation on AI. It aims to regulate the development, marketing, and use of AI Systems that may pose risks to health, safety, or fundamental rights.
AI System
Machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment (…) which infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions (…) [article 3.1 of the AI Act].
AI regulatory sandbox
A controlled framework set up by a competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real-world conditions, an innovative AI system, pursuant to a sandbox plan for a limited time under regulatory supervision [AI Act art. 3.55]
Authentication
Process of controlling the legitimacy of a request for access to a system, aimed at protecting user data against fraud attempts. Authentication generally takes the form of a password, to which is added another means of authentication, such as a telephone number or voice recognition.
B
Big Data
Big Data refers to massive data sets whose collected volume, processing speed and variety of sources imply the use of Artificial Intelligence (AI). Big Data has a market value.
Biometric data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data [AI Act art. 3.34]
Biometric identification
The automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing biometric data of that individual to biometric data of individuals stored in a database [AI Act art. 3.35]
C
CCPA
CCPA is an acronym for California Consumer Privacy Act, legislation passed on June 28, 2018 by the legislature of the State of California relating to the protection of personal data of California residents, effective January 1, 2020.
CE marking
A marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation providing for its affixing [AI Act art. 3.24]
CJUE
The Cour de Justice de l’Union européenne is the Court of Justice of the European Union.
Cloud Computing
Provision of IT services (including servers, storage, databases, network management, software, analysis tools, artificial intelligence) via the Internet. The Cloud offers faster innovation, flexible resources and economies of scale. There are several types of Cloud architecture, including Public Cloud and Private Cloud.
CNIL
CNIL (Commission Nationale Informatique et Libertés) is an independent administrative authority in France, established in 1978. It is the Regulator of personal data. The CNIL supports professionals in their compliance with data protection laws and helps individuals to manage their personal data and exercise their rights.
Consent
In Personal Data law, consent is a clear, specific, unambiguous and freely given indication by a user in the form of a declaration or a positive act, by which he authorizes the processing of his personal data.
Cookie
Computer file deposited and read on a terminal, particularly when consulting a website. Cookies have several uses: they can be used to memorize a customer identifier with a commercial site or to trace the navigation of the Internet user for statistical or advertising purposes. By deliberation of July 4, 2019, the CNIL adopted guidelines on Cookies.
CPRA
California Privacy Rights Act, refers to the proposed legislation to supplement the CCPA to strengthen California residents’ control over their personal data. It was the subject of Proposition 24 in California’s recent ballot, and following its approval will enter into force on 1 January 2023.
Credential stuffing
Repeated attempts to access a website or web service, carried out by malware using access credentials (most often a username and password) that were previously obtained through a data breach.
CRM
Customer Relationship Management. The acronym refers to the set of tools and techniques designed for managing customer relationships. The CRM software package captures, processes and analyzes information about customers and prospects, with the aim of building customer loyalty.
D
Data Controller
Organization that determines the purposes and means of a Processing of Personal Data.
Data Protection Agreement
Within the meaning of Article 28 of the GDPR, it is a contract which binds the processor and the controller and determines the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Data Processing Limitation
The data processing limitation is a right of the data subject, which complements the other rights conferred on data subjects (rectification, opposition, access, etc.). In case of dispute, the data subject may ask the Data Controller to suspend the use of the data. The Data Controller shall no longer use the data but shall keep them for the time necessary to verify the objection.
Deep fake
AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful [AI Act art. 3.60]
Deployer
A natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity [AI Act art. 3.4]
Distributor
A natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market [AI Act art. 3.7]
DNS
Domain Name System. Computer service for translation of Internet domain names into IP addresses or other records.
DPIA
An evaluation, mandated by Article 35 of the GDPR, of the risks to the rights and freedoms of individuals that may arise from the processing of personal data. The DPIA helps to define appropriate corrective measures when a high risk is likely to exist for the rights and freedoms of the individuals concerned. A high risk to privacy under GDPR may involve threats to the confidentiality, availability, or integrity of personal data. Aurele IT has advanced expertise in conducting DPIAs. We carry out DPIAs in compliance with the requirements of the French Data Protection Authority (CNIL) and following the model recommended by the CNIL, EBIOS (Expression of Needs and Identification of Security Objectives, a risk management method adopted by ANSSI).
DPO
The Data Protection Officer was introduced by GDPR. He replaces the former Correspondant Informatique et Libertés (CIL) with more extensive responsibilities. The DPO is responsible for implementing compliance within the organization that appointed him, with respect to all Personal Data Processing implemented by that organization. Its designation is made mandatory by the GDPR in certain cases.
E
EDPB
The European Data Protection Board is a working group set up by article 29 of the directive of October 24, 1995 and successor to the G29. The EDPB brings together the representatives of the national data protection authority of each Member State. Its mission is to contribute to the elaboration of European standards and to advise the European Commission on any project having an impact on the rights and freedoms of individuals.
Emotion recognition system
An AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data [AI Act art. 3.39]
ERP
Enterprise Resource Planning. The acronym stands for a company’s business process management software. The ERP software package offers in particular solutions for managing orders, stocks, or e-commerce. In a logic of cost optimization, it can be complemented by a CRM software package ensuring the company’s customer satisfaction approach.
E-Reputation
Online reputation of a natural or legal person, made accessible to any Internet user via search engines. The control of the E-reputation implies the user’s increased vigilance regarding the publication of contents concerning him. The GDPR allows any person to request the deletion of data concerning him/her; however, this also implies obtaining a de-referencing from search engines, which can be difficult to obtain.
Escrow
In digital law, a process which consists in concluding an agreement between a software publisher and its co-contracting party, aiming at entrusting the source code of the software to a third-party escrow agent, in order to ensure that the co-contracting party can access it, in particular in the event of failure of the publisher. In France, the best known software escrow companies are the Agence pour la Protection des Programmes (APP) and Logitas.
F
FAANGS
Acronym used in the English-speaking world to identify the big web companies: Facebook, Amazon, Apple, Netflix and Google. In the French-speaking world, they are referred to as GAFA, meaning Google, Apple, Facebook and Amazon. The main characteristic of the Web giants is their international scope in terms of users and data storage, which gives them an almost unbeatable lead in the fields of e-commerce, advertising and access to Personal Data.
G
GDPR
EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which entered into force on 25 May 2018.
General purpose AI model
An AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market [AI Act art. 3.63]
General purpose AI system
An AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems [AI Act art. 3.66]
H
Health data
Data relating to the health of an individual. It falls into the category of special data and is specifically protected as such by the GDPR.
I
Input data
Data provided to or directly acquired by an AI system on the basis of which the system produces an output [AI Act art. 3.33]
Intended purpose
The use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation [AI Act art. 3.8]
Interoperability
In relation to software, it refers to the ability of the software to interact with other software. Interoperability is based on an open format and differs from simple compatibility in that it allows interaction between independent software, whereas compatibility results from translating from one format to another on a case-by-case basis, especially when the formats are closed. The requirement for any software vendor to enable interoperability avoids the creation of closed systems that captivate users.
IP Address
Identification number of a device connected to the Internet network that is permanently or temporarily assigned. The IP Address is personal data according to the CNIL.
ISP
Internet Service Provider. The acronym refers to any organization offering an Internet connection. In France, they are mainly: Orange, SFR, Free, La Poste Mobile, Bouygues Télécom.
J
K
L
LCEN
Loi pour la Confiance dans l’Economie Numérique, law n° 2004-575 of June 21, 2004 transposing directive 2000/31/CE of June 8, 2000. It sets the legal framework for the exercise of e-commerce activities, online services and Internet service providers.
LIL
French Law known as “Loi Informatique et Libertés” n° 78-17 of January 6, 1978, relating to data processing, files and freedoms. The choice was made to maintain this law in compliance with GDPR.
M
N
O
Operator
A provider, product manufacturer, deployer, authorised representative, importer or distributor [AI Act art. 3.8]
P
Personal Data
Notion defined in the French Data Protection Act (Loi Informatique et Libertés) and in GDPR designating any information relating to an identified or identifiable natural person. Identification may result from a single piece of data or from the cross-referencing of a set of data. The control of their Personal Data by users implies the granting of certain rights such as the right to access, modify or delete their data.
Personal Data Violation
Security breach causing the destruction, loss or alteration of personal data.
Phishing
A technique used by fraudsters to extract a user’s personal information. It often takes the form of an e-mail from a sender posing as an official or familiar organization (bank, tax authorities, etc.).
Privacy by default
Principle requiring organizations to adopt measures for the protection of personal data downstream of the design of any project involving Data Processing.
Privacy by design
Principle requiring organizations to integrate GDPR requirements from the design stage of any project involving Data Processing.
Privacy Shield
A self-certification mechanism for companies established in the United States that was recognized by the European Commission in August 2016 as providing an adequate level of protection for personal data transferred by a European entity to companies established in the United States. It has been invalidated by the CJEU’s decision of July 16, 2020.
Private Cloud
A set of Cloud computing resources used exclusively by an organization. The private Cloud can be physically located in the company’s local data center. Some companies also use service providers to host their Private Cloud.
Processing of Personal Data
An operation or set of operations, involving Personal Data and pursuing one or more specified purposes. Both automated and manual processing are subject to data protection legislation.
Processor
Entity that carries out the Processing of Personal Data on behalf of a Data Controller. Since the entry into force of the GDPR, the Processor assumes new responsibilities.
Profiling
Automated processing of the data of a natural person, allowing the statistical evaluation of certain aspects such as work performance, economic situation or centers of interest.
Provider
A natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge [AI Act art. 3.3]
Pseudonymization
Changing the identification keys of an individual. Pseudonymization should not be confused with “anonymization”, which makes any process of re-identification of a person impossible. GDPR applies fully to pseudonymized data because it remains traceable to a natural person.
Public Cloud
Owned and operated by a third-party service provider, it provides computing resources, such as servers and storage, via the Internet. In a public cloud, all hardware, software and infrastructure is owned by the cloud provider.
Q
R
Real-time remote biometric identification system
A remote biometric identification system, whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, comprising not only instant identification, but also limited short delays in order to avoid circumvention [AI Act art. 3.42]
Reasonably foreseeable misuse
The use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems [AI Act art. 3.13]
Remote biometric identification system
An AI system for the purpose of identifying natural persons, without their active involvement, typically at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database [AI Act art. 3.41]
RGPD
Acronym for Règlement Général sur la Protection des Données: French equivalent of GDPR.
Right of access
The data subject’s right under GDPR to request from a controller access to their personal data processed by such controller.
Right of rectification
The data subject’s right under GDPR to request from a controller to correct or complete their personal data pertaining to the purpose of the processing.
S
Safe Harbour
Set of principles for the protection of personal data negotiated between the US authorities and the European Commission in 2000. This self-certification mechanism allowed companies established in the United States that voluntarily adhere to it to receive personal data from the EU. The Safe Harbor program was invalidated by the European Court of Justice (ECJ) on October 6, 2015. It was replaced in 2016 by the Privacy Shield.
Sensitive Data
Sensitive Data is referred to by GDPR as “Special Categories of Personal Data”. This includes Personal Data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic identity, biometric characteristics, health, life or sexual orientation of an individual. Their Processing is in principle prohibited.
Sensitive operational data
Operational data related to activities of prevention, detection, investigation or prosecution of criminal offences, the disclosure of which could jeopardise the integrity of criminal proceedings [AI Act art. 3.38]
T
Testing data
Data used for providing an independent evaluation of the AI system in order to confirm the expected performance of that system before its placing on the market or putting into service [AI Act art. 3.32]
Training data
Data used for training an AI system through fitting its learnable parameters [AI Act art. 3.29]
Transparency
Transparency, a central concept of data protection, requires organizations that process Personal Data to provide concise, transparent, comprehensible and easily accessible information to the persons concerned.
U
V
Validation data
Data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process in order, inter alia, to prevent underfitting or overfitting [AI Act art. 3.30]
W
X
Y
Z
Florence Ivanier Aurele IT Avocats – January 2021
Copyright Aurele IT 2021 – Reproduction prohibited without prior permission. Definitions from the lexicon can occasionally be used provided that you cite the source as follows: Digital Lexicon by Aurele IT Avocats https://aurele-it.fr/lexique