OpenAI Faces New GDPR Compliance Challenge Amid Polish Complaint
Questions regarding OpenAI's adherence to European privacy regulations have resurfaced following a detailed complaint lodged with the Polish data protection authority yesterday. The complaint accuses the U.S.-based AI company of violating the General Data Protection Regulation (GDPR) on multiple fronts: lawful basis for data processing, transparency, fairness, access rights, and privacy by design. Specifically, it points to alleged infringements of Articles 5(1)(a), 12, 15, 16, and 25(1) of the GDPR.
The complaint positions OpenAI's generative AI technology and its methodology in developing the highly popular ChatGPT as a systematic violation of EU privacy regulations. It also suggests that OpenAI neglected the GDPR's requirement for prior consultation with regulators (Article 36). Had OpenAI conducted a proactive risk assessment, it might have identified significant risks to individuals' rights, prompting it to reconsider its launch strategy in Europe.
This is not the first time GDPR concerns have been raised regarding ChatGPT. Earlier this year, Italy's privacy watchdog, the Garante, captured headlines when it directed OpenAI to cease data processing within the country, flagging several compliance issues around lawful basis, information disclosures, user controls, and child safety. OpenAI swiftly adapted its service presentation and was soon able to resume operations in Italy. However, the Garante's ongoing investigation may yield further compliance outcomes.
In April, a coalition of EU data protection authorities formed a task force through the European Data Protection Board (EDPB) to collectively evaluate how to regulate rapidly evolving AI technologies like ChatGPT. While this initiative is ongoing, it remains uncertain whether a unified oversight approach will emerge. Regardless, the GDPR is still in effect, empowering EU residents to raise concerns over potential data violations by AI companies that affect their rights.
OpenAI currently lacks a main establishment in any EU Member State for GDPR compliance, increasing its regulatory exposure across the bloc. As such, it may face investigations from data protection authorities stemming from individual complaints.
Confirmed breaches of the GDPR can incur fines of up to 4% of global annual turnover, and corrective measures mandated by data protection authorities may necessitate fundamental changes in how technologies operate within the bloc.
The Origin of the Complaint: User Experience and Data Rights
The 17-page complaint filed with the Polish authority is attributed to Lukasz Olejnik, a privacy and security researcher, represented by Warsaw-based law firm GP Partners. Olejnik raised concerns after using ChatGPT to generate an erroneous biography, leading him to contact OpenAI at the end of March for corrections and to request information allowed under GDPR regarding his processed data.
Olejnik exchanged multiple emails with OpenAI between March and June. While OpenAI did provide some information in response to his Subject Access Request (SAR), Olejnik contends that the company failed to disclose all requisite details, particularly concerning the use of personal data in training AI models.
For personal data processing to be lawful under the GDPR, the data controller must have a valid legal basis communicated transparently. The complaint asserts that OpenAI is violating Article 5(1)(a) of the GDPR by processing personal data in an "unlawful, unfair, and non-transparent manner." It argues that OpenAI’s systemic disregard for GDPR provisions, particularly in informing individuals about their data processing activities, undermines the regulation.
Olejnik further alleges that OpenAI has not acted in a “trustworthy, honest, and conscientious manner” and fails to provide adequate details on how it processes individuals' data. Despite acknowledging the inclusion of personal data in its training datasets, OpenAI has not clarified the specific processing operations nor adhered to its obligations under Article 15 of the GDPR. The complaint raises concerns that OpenAI intentionally obscures the extent of personal data utilization in its training processes.
While OpenAI asserts it does not use training data to identify individuals, the complaint argues that such assertions do not negate the processing of personal data, which is still subject to GDPR regulations.
Key Issues Highlighted in the Complaint
Right to Data Correction Ignored
Olejnik specifically criticized OpenAI's inability to amend inaccuracies generated by ChatGPT regarding his biography, stating that instead of correcting the errors, OpenAI limited references to him in ChatGPT. He argues that this reflects a broader failure of OpenAI to uphold the GDPR provision granting individuals the right to rectify their personal data.
The complaint notes that OpenAI’s response indicated an inability to correct processed data, suggesting that such systemic failures may be embedded in ChatGPT's operational framework. Olejnik posits that this tolerance of inaccuracies risks broader compliance violations with data protection regulations.
The complaint recommends that OpenAI develop a mechanism to rectify errors identified by users. It also suggests that if OpenAI believes such a system is unfeasible, it should consult relevant supervisory authorities to address these concerns.
Design Flaws in Data Protection Compliance
The complaint emphasizes what it views as a fundamental violation of the GDPR's data protection principles by design and default. It asserts that the design of ChatGPT reflects a disregard for compliance requirements, particularly in failing to implement mechanisms for data rectification and not transparently reporting processing operations related to training GPT models.
OpenAI appears to accept that its current model misaligns with GDPR standards, evidently ignoring the principles designed to safeguard personal data processing.
Regulatory Oversight and Future Considerations
OpenAI has been asked to respond to the allegations outlined in the complaint, including whether it conducted a data protection impact assessment prior to launching ChatGPT and why it did not engage in prior consultation with EU regulators to mitigate GDPR risks.
The Polish data protection authority (UODO) has confirmed receipt of the complaint and is currently analyzing the claims. This incident marks the first official grievance related to ChatGPT submitted to UODO.
Officials from the UODO expressed their commitment to understanding how generative AI tools can operate transparently and compliantly under the GDPR while emphasizing the necessity of conducting data protection impact assessments to manage risks effectively.
Olejnik's lawyer, Maciej Gawronski, believes the investigation by UODO could take six months to two years. Should violations be confirmed, it is anticipated that UODO will insist OpenAI uphold Olejnik's rights and ensure broader accountability for any systemic issues uncovered during the investigation.
Olejnik's motivation in filing the complaint centers on exercising his GDPR rights, allowing him to seek redress effectively. He expressed optimism in the effectiveness of the GDPR process for individuals facing similar challenges in the current data landscape.
This report will be updated if OpenAI responds to the allegations or if additional information from the Polish data protection authority emerges.