ai-photo-gdpr · 11 min
AI-generated pro photo: GDPR, rights, what to know
Selfie retention, image rights, hosting, ownership: the 5 legal questions to ask before using AI for your pro photo.

You're considering using AI to generate your LinkedIn photo or CV portrait. Before uploading your selfie, five legal questions deserve a clear answer. Your face isn't a file like any other, and not all generators are equal in the face of GDPR.
Why your selfie isn't a banal piece of data
Image = personal data under GDPR
A photo that makes it possible to identify a natural person is personal data. Article 4 of the GDPR says so, and the CNIL restates it in its doctrine on generative AI: voice and image constitute personal data as soon as they allow an individual to be identified. Direct consequence: any processing of your selfie by an AI generator falls under the GDPR.
This implies a legal basis under article 6 of GDPR (consent, contract, legitimate interest), clear information on the use made, and respect for the rights of the concerned person.
Selfie = potential biometric data
The nuance matters. The CNIL and the European Data Protection Board consider that a raw image, with no associated technical identification process (facial recognition, biometric encoding), does not in itself constitute biometric data in the strict sense of the GDPR. But as soon as a system extracts characteristic points of the face to identify or re-identify the person, you move into the special-category data regime (article 9 GDPR), with a much higher level of requirements.
Practical question: do you know whether the generator you use stores a biometric encoding of your face in order to reconstruct later portraits? If you can't answer, that is already a bad signal.
The 5 questions to ask any AI generator
How long is my selfie kept?
The GDPR rule is simple: no retention beyond what is necessary for the purpose of the processing (storage limitation principle, article 5.1.e GDPR). To generate a portrait from a selfie, the necessary duration is a few seconds, the time it takes the model to produce the image.
Yet many services retain the original selfie for several days, sometimes months, to train their models or improve their service. Check the T&Cs and the privacy policy: does the service explicitly state a retention period? Does it mention in-memory processing without writing to disk? If the answer is vague or absent, assume your selfie is stored.
Where is the data hosted?
Transfers of personal data outside the European Union are strictly regulated (chapter V GDPR). A service hosted in the United States, even under the Data Privacy Framework adopted in 2023, exposes your data to different rules (CLOUD Act, FISA). For professional use, particularly in regulated professions or sensitive functions (finance, consulting, legal), European hosting is a decisive criterion.
Check the mention of the hosting region in the privacy policy. "Hosted on AWS" isn't enough: AWS Europe or AWS US-East? The precision matters.
Does my face train the model?
This is the most slippery question. The CNIL recommends that users be able to explicitly object to the reuse of usage data by the system's provider. Concretely: does your selfie serve to train the model for future users?
If yes, your face potentially joins a training set you no longer control. The CNIL itself acknowledges that extracting individual data from an already-trained model presents major "technical difficulties". Put another way: once your face is in the model, removing it is technically nearly impossible.
Who owns the generated photo?
The legal status of an AI-generated image remains shifting ground in French law. Three cases stand out:
- The image faithfully represents you: your image rights apply, regardless of the technology that produced the image. No one can publish this portrait without your agreement.
- The image is freely reusable by the service: some generators reserve a usage licence on produced images (marketing illustrations, example database). Check the T&Cs.
- You hold exclusive usage rights: the service grants you ownership of the generated image for your personal and commercial use. It's the most protective case.
Read the "intellectual property" or "licence" paragraph of the T&Cs. If nothing is specified, legal vagueness plays against you.
What right to withdrawal and erasure?
Article 17 of GDPR provides a right to erasure. The CNIL specifies that this right applies to training databases and models themselves, even if practice remains technically complex.
What you must verify on any generator:
- existence of a form or procedure to delete the account and associated data
- effective erasure of selfies and generated photos
- handling of requests within 30 days (GDPR deadline)
- contact details for a data protection officer (DPO) if the organisation is of significant size
What the CNIL says specifically about generative AI
The CNIL published in April 2024 a series of Q&As on the use of generative AI systems. Three points are worth remembering for individual use.
First, the CNIL recommends never sharing confidential information with public generative AI services. This applies to text prompts, but the principle logically extends to uploads of selfies whose downstream processing you do not know.
Second, it distinguishes three deployment modes:
| Mode | GDPR risk | CNIL position |
|---|---|---|
| Public API (foreign cloud) | High | Avoid for personal data |
| Cloud with subcontracting contract | Moderate | Verify responsibility perimeters |
| On-premise / controlled hosting | Low | Preferred for sensitive data |
Finally, it recalls that the European AI Regulation (AI Act, entered into force on 1 August 2024) imposes a transparency obligation: users must know that they are interacting with an AI system, and artificially generated content must be identifiable.
Difference between European infrastructure and AI processing outside the EU
The contrast is concrete, but it has to be read layer by layer. A website can be hosted in Europe while calling an AI API operated by a US provider. In that case, data stored by the website may remain in a European region, while AI processing may involve a transfer or temporary caching outside the European Economic Area.
European infrastructure reduces part of the risk, but it is not enough if the image is then sent to an API outside the EU. What you need to verify:
- where data retained by the service is stored
- which AI provider receives the selfie
- whether a transfer outside the EU is possible
- which safeguards govern that transfer (Data Processing Addendum, Standard Contractual Clauses, Data Privacy Framework where applicable)
- whether the selfie trains the model or not
For an innocuous personal use (profile photo of a personal Instagram account), the difference is small. For professional use in a sensitive sector (lawyer, doctor, consulting, finance, public service), it's a criterion that can be a dealbreaker.
Special cases
Regulated professions
Lawyers, doctors, certified accountants, magistrates: your image is associated with a function subject to ethical obligations. Beyond the GDPR, the professional body can impose specific rules on the use of your image (ban on deceptive advertising, duty of dignity). An AI-generated photo remains allowed for purely professional use (LinkedIn, CV, firm website) provided it stays faithful to your real appearance. An overly retouched or unrealistic image can fall under deceptive advertising.
Photos of minors
The GDPR provides reinforced protection for minors (article 8). In France, consent to personal data processing is valid from age 15. For a child under 15, consent from both parents (holders of parental authority) is required. Most general-public AI generators ban the upload of photos of minors in their T&Cs. Don't circumvent this rule: this is exactly where litigation erupts.
Commercial vs personal use
If you use your AI photo for a commercial website, an advertising campaign or a product, you leave the "personal use" frame covered by most T&Cs. Check that the licence granted by the generator covers commercial use. If you're an employee (company directory photo), ask your employer whether they have a policy on AI-generated images: some groups now explicitly forbid them in their internal charter.
The special case of commercial prospecting
One last, often-forgotten point: if you give your email address to the generator (to retrieve your photo or create an account), article L34-5 of the French Post and Electronic Communications Code strictly regulates the use of that address for prospecting purposes.
The service must collect your free, specific and informed consent to send you marketing emails. A pre-checked box or consent buried in illegible T&Cs is non-compliant. You must be able to withdraw your consent at any time, free of charge, in each received email.
If you receive unsolicited commercial emails after using a generator, report it on signal.conso.gouv.fr or directly to the CNIL.
Checklist before clicking "upload"
Before entrusting your selfie to a generator, check these points:
- readable privacy policy, dated, in French
- explicit mention of selfie retention duration (ideally memory transit only)
- explicit mention of the hosting region for stored data and any transfers to AI providers
- explicit mention on model training (your face doesn't train the model, or clear opt-out)
- clear ownership of the generated image (ideally: you own it)
- account and associated data deletion procedure
- marketing consent distinct from processing consent (unchecked by default)
- reachable DPO or identified GDPR contact
If three out of eight aren't checked, change service.
The SelfiePro example
To give a concrete case of how a privacy-conscious service can document its choices, here are the choices made on SelfiePro, the service I'm building:
- SelfiePro infrastructure in Europe: the app, Firestore, Storage and main Cloud Functions use Firebase/Google Cloud in a European region
- Explicit Gemini processing: the selfie is sent to the Google Gemini API to generate the portrait. This processing may involve a transfer or temporary caching outside the EEA, including the United States, governed by Google's contractual safeguards
- Selfie not stored on our servers: your selfie transits in memory inside the Cloud Function and is never written to our storage. It may remain temporarily in your browser during the flow
- HD photo kept 90 days maximum: necessary duration to allow you to re-download if you need to, then automatic deletion by a scheduled cleanup task
- No SelfiePro fine-tuning on your face: SelfiePro does not train a model with your selfie. Google's use depends on the Gemini terms applicable to the API service used
- Ownership of the generated photo: it's yours, personal and commercial use included
- Account deletion available from your personal space, with a dedicated procedure to delete Firestore, Storage, Auth data and associated marketing traces
- Distinct marketing consent: box unchecked by default, withdrawal possible from your account, on a consent basis separate from the AI processing
The service has limits elsewhere (sometimes-smoothed skin texture, variable likeness across styles), but the legal frame must be readable: who hosts, who processes, where a transfer may happen, and how long images are retained.
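To make the two retention rules above concrete (selfie used in memory only, generated photo deleted after 90 days by a scheduled task, account erasure across the user's stored objects), here is an added example. It is not SelfiePro's code, nor Firebase or Google Cloud SDK code: FakeBucket is an assumed in-memory stand-in for a storage bucket, generate_portrait is an assumed placeholder for the AI call, and the user IDs and selfie bytes are constructed. It runs offline and records every write so you can check that the original selfie never reaches storage.

```python
"""Added example: retention and erasure rules over a fake object store.

FakeBucket and generate_portrait are assumptions for illustration, not a
real SDK. Sample data (user ids, selfie bytes, timestamps) is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_RETENTION_DAYS = 90  # the "HD photo kept 90 days maximum" rule


@dataclass
class StoredObject:
    key: str
    created: datetime
    data: bytes


@dataclass
class FakeBucket:
    """Stand-in for a cloud storage bucket; logs every write for auditing."""
    objects: dict = field(default_factory=dict)
    write_log: list = field(default_factory=list)

    def put(self, key: str, data: bytes, created: datetime) -> None:
        self.objects[key] = StoredObject(key, created, data)
        self.write_log.append(key)

    def delete(self, key: str) -> None:
        del self.objects[key]

    def list_keys(self, prefix: str = "") -> list:
        return sorted(k for k in self.objects if k.startswith(prefix))


def generate_portrait(selfie: bytes) -> bytes:
    """Placeholder for the AI call: derives portrait bytes from the selfie."""
    return b"portrait:" + selfie[:8]


def handle_upload(bucket: FakeBucket, user_id: str, selfie: bytes, now: datetime) -> str:
    """Memory-only transit: the selfie is only ever a function argument.
    The one write is the generated portrait, stamped with its creation time."""
    portrait = generate_portrait(selfie)
    key = f"portraits/{user_id}/{now.strftime('%Y%m%dT%H%M%SZ')}.jpg"
    bucket.put(key, portrait, now)
    return key


def expired_keys(bucket: FakeBucket, now: datetime, max_age_days: int = MAX_RETENTION_DAYS) -> list:
    """Objects that have reached the retention limit (age >= max_age_days)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k for k, o in bucket.objects.items() if o.created <= cutoff)


def run_cleanup(bucket: FakeBucket, now: datetime, max_age_days: int = MAX_RETENTION_DAYS) -> list:
    """Scheduled task: delete everything past the limit; returns the removed keys."""
    removed = expired_keys(bucket, now, max_age_days)
    for key in removed:
        bucket.delete(key)
    return removed


def delete_account(bucket: FakeBucket, user_id: str) -> list:
    """Erasure request: remove every object stored under the user's prefix."""
    removed = bucket.list_keys(f"portraits/{user_id}/")
    for key in removed:
        bucket.delete(key)
    return removed


def demo() -> dict:
    """Constructed scenario: one stale portrait, two fresh ones, then cleanup and erasure."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    selfies = [b"constructed-selfie-1", b"constructed-selfie-2", b"constructed-selfie-3"]
    bucket = FakeBucket()
    handle_upload(bucket, "alice", selfies[0], now - timedelta(days=91))
    handle_upload(bucket, "alice", selfies[1], now - timedelta(days=10))
    handle_upload(bucket, "bob", selfies[2], now - timedelta(days=1))
    removed_by_cleanup = run_cleanup(bucket, now)
    remaining_after_cleanup = bucket.list_keys()
    removed_by_erasure = delete_account(bucket, "alice")
    # Audit: no stored object may contain an original selfie.
    selfie_persisted = any(o.data in selfies for o in bucket.objects.values())
    return {
        "removed_by_cleanup": removed_by_cleanup,
        "remaining_after_cleanup": remaining_after_cleanup,
        "removed_by_erasure": removed_by_erasure,
        "remaining_after_erasure": bucket.list_keys(),
        "selfie_persisted": selfie_persisted,
        "all_writes": list(bucket.write_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The write log is the part worth copying into a real deployment: a retention policy is only verifiable if every write path is enumerable, so the cleanup task and the erasure procedure can be checked against the same list of keys rather than against what the code is believed to do.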