After a months-long investigation into the AI chatbot ChatGPT, the Italian data protection authority has accused OpenAI of violating EU data protection law. Confirmed violations in the handling of personal data can result in fines of up to 20 million euros or up to 4% of annual turnover. OpenAI has 30 days to respond to the allegations.
Italian authorities first raised concerns about OpenAI’s compliance with the General Data Protection Regulation (GDPR) last year, leading to the chatbot’s temporary suspension from the European market. In a so-called “register of measures” issued on March 30, the authority highlighted the lack of an appropriate legal basis for collecting and processing personal data to train the algorithms underlying ChatGPT, the tool’s “hallucinations”, and potential child-safety concerns. The regulator accused OpenAI of violating Articles 5, 6, 8, 13 and 25 of the GDPR.
Data protection authorities have the power to require changes to the way data is processed in order to prevent breaches of EU citizens’ privacy. Regulators could therefore force OpenAI to change its approach to processing personal data, or even compel the company to stop offering its services in the European Union.
In spring 2023, OpenAI was able to reactivate ChatGPT in Italy relatively quickly after fixing a number of violations identified by the data protection authority. However, Italian authorities continued their investigation and came to a preliminary conclusion that OpenAI’s AI tool violated EU law. The Italian authorities have not yet published a list of confirmed ChatGPT violations, but the main complaint against OpenAI will most likely be the very principle of processing personal data for training AI models.
ChatGPT was developed using a wealth of data extracted from the public internet – information that includes personal data of individuals. And the problem OpenAI faces in the EU is that it needs a valid legal basis to process EU citizens’ data. The GDPR lists six possible legal grounds, most of which are simply not relevant in this context. Last April, the Italian data protection authority gave OpenAI only two legal options for training AI models: “confirmed consent” or “legitimate interests”.
Given that OpenAI never attempted to obtain consent from the millions (and possibly billions) of internet users whose information it collected and processed to build its AI models, any retroactive attempt to secure Europeans’ permission to process their personal data is doomed to failure. That leaves OpenAI with only one option: relying on a claim of “legitimate interests”. However, this basis also gives data subjects the right to object and to demand that the processing of their personal data be stopped.
In theory, every EU citizen has the right to demand that OpenAI delete models trained on illegally processed data and retrain new models without using their information. But even assuming all illegally processed data could be identified, a similar procedure would have to be carried out for every EU citizen who objects, which is hardly feasible in practice.
There is also the broader question of whether the data protection authority will ultimately accept that “legitimate interests” is even a valid legal basis in this context; such a finding seems unlikely. After all, data controllers relying on this basis must balance their own interests against the rights and freedoms of the individuals whose data is processed, assess the potential for unjustified harm to those individuals, and consider whether they could reasonably have expected their data to be used in this way.
Notably, the EU’s highest court has previously ruled that “legitimate interests” was an inappropriate basis for Meta in a similar situation: tracking and profiling users for the purpose of targeted advertising on its social networks. There is thus a negative legal precedent for OpenAI’s attempt to justify large-scale processing of personal data in order to build a commercial generative AI business, especially when the tools in question pose all sorts of new risks to the individuals concerned (disinformation, defamation, identity theft and fraud are just a few of them). OpenAI is also being audited for GDPR compliance in Poland, where a separate investigation has been launched into the matter.
OpenAI is attempting to mitigate potential regulatory risks in the EU by setting up an entity in Ireland to act as the future provider of its AI services to EU users. OpenAI hopes to achieve so-called “main establishment” status in Ireland, which would allow its GDPR compliance to be assessed solely by the Irish Data Protection Commission and let it operate across the EU under the one-stop-shop mechanism, avoiding direct oversight by the data protection authority of each individual member state.
However, OpenAI has not yet achieved this status, so ChatGPT may still face investigations by data protection authorities in other EU countries. And even obtaining “main establishment” status in Ireland would not halt the investigations and enforcement actions already underway in Italy.
The Italian Data Protection Authority says data protection authorities are trying to coordinate oversight of ChatGPT by setting up a working group under the European Data Protection Board. These efforts may ultimately lead to more consistent results across individual OpenAI investigations. However, for the time being, the data protection authorities of the individual EU member states remain independent and empowered to make decisions in their own markets.