European Union data protection enforcers are still undecided on how OpenAI’s chatbot, ChatGPT, complies with the EU’s data protection laws. This is significant because violations of these laws can result in penalties of up to 4% of global annual turnover. OpenAI could also be ordered to stop non-compliant processing. However, without clarity from EU regulators, OpenAI is likely to continue operating as usual. There have been numerous complaints that ChatGPT violates the General Data Protection Regulation (GDPR), including cases in Poland and Austria.
Under the GDPR, any entity processing personal data must have a legal basis for doing so. OpenAI claims to rely on legitimate interests (LI) for processing personal data used for model training. However, the Italian Data Protection Authority has found that OpenAI violated the GDPR, and a final decision on the complaint is pending. The taskforce report suggests that OpenAI can improve its compliance by implementing safeguards such as technical measures and precise collection criteria to limit the data it collects.
The taskforce also emphasizes the importance of fairness and transparency in ChatGPT’s operation. It states that privacy risks should not be transferred to users, and OpenAI should not argue that certain personal data was prohibited in the first place. The report also addresses the issue of ChatGPT “hallucinating” or making up information, emphasizing the need for OpenAI to provide proper information on the chatbot’s reliability and biases.
When it comes to data subject rights, the report highlights the imperative of allowing users to exercise their rights easily. However, it does not provide clear guidance on how OpenAI can improve its current approach. The taskforce’s existence may already be influencing GDPR enforcement on ChatGPT by delaying decisions and investigations.
Despite some uncertainty among data protection authorities about how to respond to nascent technologies like ChatGPT, OpenAI’s establishment in Ireland has potentially mitigated regulatory risk. OpenAI’s Irish entity has become the regional provider of services, allowing it to apply for Ireland’s Data Protection Commission to become its lead supervisor for GDPR oversight. This means that future cross-border complaints will be funneled through the Irish DPC, which has a reputation for taking a business-friendly approach to enforcing the GDPR on Big Tech.
Overall, while the taskforce’s report provides some insights and suggestions for OpenAI to improve its compliance with EU data protection laws, there is still uncertainty about how regulators will ultimately enforce these laws on ChatGPT. OpenAI’s establishment in Ireland may provide some protection from decentralized enforcement, but the final decisions on complaints remain to be seen.