OpenAI is currently facing a significant privacy complaint in the European Union, filed by the privacy rights nonprofit noyb on behalf of an individual. This complaint highlights ChatGPT's inability to correct misinformation it generates about users, which raises concerns regarding compliance with the General Data Protection Regulation (GDPR) — the EU's robust framework for personal data protection.
The tendency of generative AI tools to produce inaccurate information is well-documented, and this issue directly conflicts with GDPR requirements governing how personal data of EU citizens is processed.
Penalties for non-compliance with GDPR can soar to 4% of a company's global annual revenue. More crucially for a major player like OpenAI, data protection authorities can mandate operational changes, potentially reshaping how generative AI tools function within the EU.
Following an early intervention from Italy’s data protection authority in 2023, which temporarily halted ChatGPT’s operations, OpenAI was compelled to make several adjustments. The latest complaint has now been filed by noyb with the Austrian data protection authority on behalf of an unnamed public figure who reported that ChatGPT provided an incorrect birth date.
Under GDPR, individuals in the EU possess specific rights regarding their personal data, including the right to correct factual inaccuracies. According to noyb, OpenAI has not fulfilled this obligation with its chatbot. After the complainant requested a correction for the erroneous birth date, OpenAI claimed it was technically impossible to correct the misinformation, only offering to filter or block certain prompts containing the complainant's name.
OpenAI’s privacy policy states that users who identify “factually inaccurate information” generated about them can submit a correction request through privacy.openai.com or by contacting [email protected]. However, it cautions that due to the complexity of its AI models, it may not be able to rectify inaccuracies in every instance. OpenAI also advises users to request the removal of their personal details from the chatbot’s data altogether by filling out an online form.
The challenge for OpenAI is that GDPR rights are not optional. Individuals in Europe have firm rights to request both correction and deletion of their data, and, as noyb indicates, OpenAI does not have the authority to selectively grant these rights.
The complaint further highlights transparency issues, asserting that OpenAI cannot adequately disclose the sources of the data it generates or the storage details regarding user information. This is significant because the GDPR grants individuals the right to request such information through a subject access request (SAR). noyb argues that OpenAI has not sufficiently addressed the complainant’s SAR and has failed to reveal critical data about processing, sources, and recipients.
Maartje de Graaf, a data protection lawyer at noyb, commented on the gravity of the situation: “Generating false information is inherently problematic. When it concerns individuals, the consequences can be severe. It’s evident that companies cannot manage chatbots like ChatGPT to comply with EU law regarding personal data. If a system cannot produce accurate and transparent results, it is unfit for generating data about individuals. Legal compliance must guide technology, not the reverse.”
Noyb is urging the Austrian data protection authority to examine OpenAI’s data processing practices and push for penalties to ensure future compliance. The complaint has the potential to be addressed through EU cooperative efforts.
OpenAI is already under scrutiny in Poland, where the local data protection authority launched an investigation last September triggered by a similar complaint from a privacy researcher who faced challenges correcting misinformation generated about him by OpenAI. This prior complaint also highlights OpenAI's alleged failure to meet transparency regulations.
Additionally, the Italian data protection authority continues its investigation of ChatGPT and, in January, indicated that OpenAI may have breached multiple aspects of the GDPR, particularly concerning the chatbot's propensity to produce false information about individuals. Their findings also involve other critical compliance issues. OpenAI was given a month to respond to these preliminary findings, and a final verdict remains pending.
With yet another GDPR complaint issued against it, OpenAI's risk of encountering a series of enforcement actions across various EU Member States has intensified.
In an effort to mitigate regulatory challenges, last fall, OpenAI established a regional office in Dublin, a strategic move likely meant to centralize privacy complaints through Ireland's Data Protection Commission—an arrangement designed to streamline oversight for transnational issues as stipulated by the GDPR.