ChatGPT violates Europe’s privacy: Italian DPA informs OpenAI

Europe’s privacy rules violation: After several months of investigating OpenAI’s AI chatbot, ChatGPT, the data protection authority in Italy alerted the business that it may have broken Europe’s privacy regulations.

The proposed findings of the Italian authority were not made public. However, the Garante announced today that OpenAI has been notified and given 30 days to refute the claims.

Verified infractions of the pan-EU framework might result in fines of up to €20 million, or 4% of global annual revenue. Even more problematic for a large AI company like OpenAI, data protection authorities (DPAs) have the right to issue orders demanding changes to data processing to prevent verified infringement. As a result, it may be forced to modify its techniques. 

AI model training lawfulness in the frame

When it issued an order last year temporarily preventing ChatGPT from processing local data, the Italian regulator raised concerns about OpenAI’s compliance with Europe’s privacy [General Data Protection Regulation (GDPR)]. This resulted in the temporary removal of the AI chatbot from the market.

The Garante’s March 30 provision to OpenAI, also known as a “register of measures,” listed among its concerns the AI tool’s tendency to “hallucinate” (i.e., produce inaccurate information about individuals) and the lack of a suitable legal basis for the collection and processing of personal data for training ChatGPT’s algorithms. It also prompted worries regarding child safety.

The authorities stated that it believed ChatGPT violated Articles 5, 6, 8, 13, and 25 of the GDPR overall.

Europe’s privacy rules violation

Even with this extensive list of alleged infractions, OpenAI was able to promptly restore ChatGPT’s functionality in Italy last year, provided that some concerns brought out by the DPA were addressed. The Italian government did, however, declare that it would keep looking into the alleged infractions. Thus far, preliminary findings have indicated that the technology violates EU law.

Although the Italian authorities have not yet disclosed which of the previously reported ChatGPT breaches it has verified, it appears that a significant legal dispute surrounds OpenAI’s assertion that it has the right to access personal data to train its AI models.

This is so because ChatGPT was created using a tonne of information that was scraped from the open Internet, including private user information. Furthermore, collecting data belonging to EU citizens necessitates a legitimate legal foundation, which presents a challenge for OpenAI in the EU (Europe’s privacy rules).

Six potential legal bases are listed in the GDPR, the majority of them are simply irrelevant in this circumstance. The Garante instructed OpenAI to eliminate any mention of “performance of a contract” for ChatGPT model training in April of last year, leaving it with only two options: consent or legitimate interests.

Any attempt to claim the AI behemoth had Europeans’ consent for the processing would appear doomed to fail, given that it has never sought the cooperation of the numerous millions (or possibly billions) of web users whose information it has consumed and processed for AI model construction.

Furthermore, OpenAI seemed to be attempting to rely on a claim of legitimate interest when it updated its documentation following Garante’s involvement last year.

Nonetheless, this legal foundation mandates that a data processor allow data subjects to object and request that their information no longer be processed.

It’s unclear how OpenAI might accomplish this given the context of its AI chatbot. (In theory, it might be forced to remove and destroy improperly trained models and retrain new models without the individual’s data in the training pool. However, if it could even identify every instance of improper processing of data on a per-individual basis, it would have to do so for every single objecting EU person who requested that it cease. it sounds kind of pricey.)

Beyond that difficult matter, there is the more general query of whether the Garante will ultimately determine that legitimate interests constitute a legitimate legal basis in this particular situation.

To be honest, that seems improbable. Since LI is not an open-ended situation. Data processors must weigh their interests against the freedoms and rights of the people whose data they are processing.

They must also take into account factors including whether the people involved would have expected this use of their data and the possibility that it may cause them unjustified harm. (LI will not, be deemed to have a legitimate legal basis if they would not have anticipated it and there are chances of such harm.)

Additionally, there must be no other, less invasive way for the data processor to accomplish their goals than to process the data.

Notably, the top court of the EU has previously determined that Meta’s use of legitimate interests as a justification for tracking and profiling people to operate its behavioral advertising business on its social networks is inappropriate. 

Thus, there is serious doubt about the idea that another kind of AI behemoth would try to defend the massive processing of people’s data to establish a profitable generative AI company. This is especially true given that the tools in question put named individuals at risk for a variety of novel dangers, including fraud, identity theft, and defamation.

A Garante representative affirmed that ChatGPT is still accused of breaking the law when it comes to processing people’s data for model training. However, at this time, they have not confirmed which specific article—or articles—OpenAI is suspected of violating.

The authority will likewise wait to conclude after receiving OpenAI’s response, so its declaration today is not final either.

The following is the Garantie’s statement (which our AI system translated from Italian):

The business that operates the ChatGPT artificial intelligence platform, OpenAI, has been informed by the [Italian Data Protection Authority] of its notice of objection for a violation of data protection laws.

The Authority concluded that the elements acquired might represent one or more unlawful acts about the provisions of the EU Regulation after the Guarantee adopted a provisional restriction of processing order against the company on March 30 and after reviewing the results of the preliminary investigation.

OpenAI will be given 30 days to provide its defense documents about the alleged infractions.

The Garante will consider the current work of the special task force established by the Board, which unites the EU Data Protection Authorities (EDPB) when outlining the proceedings.

Following a complaint last summer concerning an occasion in which the tool produced false information about a person and OpenAI’s response to that complainant, OpenAI is also being scrutinized over ChatGPT’s GDPR compliance in Poland. The investigation into GDPR is still ongoing.

OpenAI, meanwhile, has responded to rising regulatory risk across the EU by seeking to establish a physical base in Ireland; and announcing, in January, that this Irish entity would be the service provider for EU users’ data going forward.

Its hopes with these moves will be to gain so-called “main establishment” status in Ireland and switch to having an assessment of its GDPR compliance led by Ireland’s Data Protection Commission, via the regulation’s one-stop-shop mechanism — rather than (as now) its business being potentially subject to DPA oversight from anywhere in the Union that its tools have local users.

However, OpenAI has yet to gain this designation, therefore ChatGPT may face additional investigations by DPAs elsewhere in the EU. Even if it receives the status, the Italian investigation and enforcement will continue because the data in question predates the change in processing structure.

As noted in the Garante statement, the bloc’s data protection authorities have attempted to coordinate their oversight of ChatGPT by establishing a task force to assess how the GDPR applies to the chatbot through the European Data Protection Board. That (ongoing) endeavor may result in more consistent findings across discreet ChatGPT GDPR probes, such as those in Italy and Poland.

However, authorities retain the independence and competence to make judgments in their markets. Similarly, there is no certainty that any of the ongoing ChatGPT probes will reach the same conclusion.

Get motivation to start your business.