ChatGPT Under Scrutiny in Europe Over Potential GDPR Violations
ChatGPT has become an Internet sensation and millions of consumers are now using the artificial intelligence-based chatbot to generate human-like content, including writing love letters, wedding speeches, blog posts, computer code, and cheating on school tests and homework. While the tool is incredibly popular and has many legitimate uses there are mounting concerns about many aspects of the technology. In Europe, there is a growing concern that the developer of the tool, OpenAI, has been flouting the EU’s General Data Protection Regulation (GDPR). Such is the level of concern that the data protection authority in Italy has introduced a temporary ban on ChatGPT in the country and has ordered OpenAI to stop all local data processing until it is established that the company is compliant with the GDPR.
Several allegations have been made about the processing of the data of EU citizens by OpenAI, including the way data are processed, the controls that are in place to protect minors, the dissemination of misinformation by ChatGPT, and the use of the tool for fraud and cybercriminal activities. Further, while OpenAI is processing the data of EU citizens, the company has not established a base in an EU country. There is also a cloud of secrecy around the dataset that was used to train its algorithm, and allegations have been made that there may not have been a legal basis for processing that data. Further, in March, there was a ChatGPT data breach which resulted in the exposure of some of the conversations between users and the chatbot, and the payment information of those users.
While Italy is the first EU country to announce a ban, other EU countries are mulling over bans and the best approach to take regarding investigations over potential GDPR violations. Without a base in an EU country, there is no single data protection authority to take charge of any investigation, which means any and all of the 27 EU states could initiate investigations. Investigations will certainly be launched as multiple complaints have been submitted to data protection authorities across the EU that allege violations of the GDPR by OpenAI. The Belgian data protection authority has called for an investigation into GDPR compliance at the European level. OpenAI chief executive officer, Sam Altman, responded to the ban by the Italian data protection authority by stating the company has not violated any EU laws and will await further correspondence from the Italian DPA with respect to the ban and any GDPR investigation.
OpenAI is facing intense scrutiny and potentially significant financial penalties but the legality of data processing by other AI-based technologies is also being questioned, such as whether any machine learning algorithm is compliant with the GDPR. The huge volumes of data required to train these algorithms make it almost a certainty that they are processing at least some personal data covered by privacy regulations such as the GDPR and other privacy regulations and there may not be a legal basis for processing that data.