Data protection stopping machine overlords?

Italian proceedings

Following a data breach affecting ChatGPT users' conversations (title of conversation prompts and other chat history visible to other users) and data on payments (such as billing information, credit card type, last four digits of credit card number, etc.), the Italian DPA assessed ChatGPT's GDPR compliance. It found that no information on the processing of personal data was provided to data subjects using the chatbot service. Also, the DPA claims that there was no legal basis to lawfully collect and process the large amounts of users' personal data used to train the chatbot's algorithms. In addition, it was found that ChatGPT does not always provide reliable information, resulting in the processing of inaccurate personal data. Finally, the DPA states that due to the lack of a functional age verification system, children are exposed to answers from the chatbot that are inappropriate for their age and awareness. According to ChatGPT's terms and conditions, the service is aimed at people over the age of 13 years.

The DPA orders OpenAI to notify it within 20 days of measures implemented to ensure compliance with the GDPR, otherwise a fine under the GDPR (up to EUR 20m or 4 % of the company's global annual turnover) may be imposed. In addition, the DPA demands that OpenAI disclose more about its methods (especially how the algorithm is trained) and its business model.

OpenAI (not established in the EU but having a designated representative in the EEA) has reacted by geo-blocking the ChatGPT website to IP addresses from Italy. The founder of OpenAI, Sam Altman, stated that paying Italian customers will be refunded. However, he has also expressed his conviction that the processing of data from ChatGPT is lawful.

Effects in Europe

Other European DPA's are monitoring the Italian proceedings closely. A spokeswoman of the German DPA stated that the authority is "highly interested" in the results of the Italian compliance assessment. She also said that the German DPA has already requested further information on the blocking of ChatGPT and will forward this information to the relevant national authorities. The results of these proceedings and the findings of the DPA can have far-reaching effects throughout Europe. If the Italian DPA can sufficiently demonstrate a breach of the GDPR, other European data protection authorities would also have to take action against OpenAI.

German and Austrian politicians emphasise that AI must not be banned but instead sensibly regulated. It would be important not to provide for legal regulations after the fact, but to establish the conditions for safe and transparent use of AI before it is widely available.

Update: In the meantime, the German AI Taskforce of the DSK has also addressed this issue and initiated investigations.

Recommended user action

Since OpenAI states that it uses the data entered by its users as well as other data (not actively "fed" to ChatGPT), you need to be aware of what information you share with the chatbot and to not use it at all unless you accept that it processes other (user) data as well. Take great care when feeding company data or other proprietary and/or personal data into the chatbot and best avoid doing so.

If you plan to use ChatGPT, at least opt-out from its data tracking using the provided form from OpenAI under https://lnkd.in/eSzfp8yQ.