OpenAI, the artificial intelligence company, is facing another privacy complaint in the European Union. The complaint, filed by privacy rights nonprofit noyb on behalf of an individual complainant, focuses on OpenAI’s AI chatbot, ChatGPT, and its inability to correct misinformation it generates about individuals.
This issue highlights the problem of AI tools like ChatGPT producing inaccurate information, which has been well-documented. However, it also raises concerns about OpenAI’s compliance with the General Data Protection Regulation (GDPR), which governs how personal data of EU users can be processed. Non-compliance with GDPR can lead to penalties of up to 4% of global annual turnover.
The GDPR also empowers data protection regulators to order changes in how information is processed, potentially reshaping the operations of generative AI tools in the EU. OpenAI was already forced to make changes after Italy’s data protection authority intervened in 2023, temporarily shutting down ChatGPT.
Now, noyb is filing a GDPR complaint against ChatGPT with the Austrian data protection authority on behalf of an unnamed complainant. The complainant, described as a “public figure,” found that the AI chatbot produced an incorrect birth date for them. According to the GDPR, individuals in the EU have the right to have erroneous data corrected. noyb argues that OpenAI is failing to comply with this obligation by refusing to rectify the incorrect birth date.
OpenAI’s privacy policy states that users can submit a correction request if they notice factually inaccurate information generated by the AI chatbot. However, due to the technical complexity of the models, OpenAI may not be able to correct inaccuracies in every instance. In such cases, users can request the removal of their personal information from ChatGPT’s output.
The issue for OpenAI is that GDPR rights are not optional. Individuals in Europe have the right to request rectification and deletion of their data, and it is not for OpenAI to choose which rights are available. noyb’s complaint also points out transparency concerns, as OpenAI cannot disclose the sources or recipients of the data it generates on individuals.
Commenting on the complaint, Maartje de Graaf, a data protection lawyer at noyb, emphasized the importance of accurate and transparent results when processing data about individuals. She stated that if a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology must follow legal requirements, not the other way around.
OpenAI is already facing similar complaints in Poland and Italy. Last year, the Polish data protection authority opened an investigation into ChatGPT following a complaint by a privacy and security researcher who was unable to correct incorrect information about him generated by OpenAI. The Italian data protection authority also has an ongoing investigation into ChatGPT.
The risk of OpenAI facing multiple GDPR enforcements across different EU Member States has increased with the filing of another complaint. To mitigate regulatory risks, OpenAI opened a regional office in Dublin last year, allowing privacy complaints to be funneled through Ireland’s Data Protection Commission.
In conclusion, OpenAI’s AI chatbot ChatGPT is under scrutiny for its inability to correct misinformation it generates about individuals. This raises concerns about OpenAI’s compliance with GDPR, as well as transparency issues regarding the sources and recipients of the generated data. Multiple GDPR complaints against OpenAI indicate the potential for enforcement actions across different EU Member States.