While much of Europe was still indulging in holiday chocolates late last month, OpenAI, the creator of ChatGPT, was busy sending an email detailing an upcoming update to its terms, designed to mitigate its regulatory risks in the European Union. The AI leader has faced scrutiny over the implications of ChatGPT on user privacy, leading to several ongoing investigations concerning data protection. Regulatory bodies in Italy and Poland are examining how the chatbot processes user information and generates data about individuals. Notably, Italy's actions led to a temporary suspension of ChatGPT until OpenAI enhanced its user information and control mechanisms.
In an email sent to users on December 28, OpenAI announced, “We have changed the OpenAI entity that provides services such as ChatGPT to EEA and Swiss residents to our Irish entity, OpenAI Ireland Limited.” The updated Privacy Policy for Europe reinforces this, stating:
"If you live in the European Economic Area (EEA) or Switzerland, OpenAI Ireland Limited, located at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, is the data controller responsible for processing your personal data as described in this Privacy Policy."
These new terms, which designate the newly established Dublin-based subsidiary as the data controller for users in the EEA and Switzerland—regions governed by the General Data Protection Regulation (GDPR)—will take effect on February 15, 2024. Users are advised that if they disagree with the new terms, they can delete their accounts.
The GDPR's one-stop-shop (OSS) mechanism allows companies processing data of EU residents to streamline privacy oversight under a designated lead data supervisory authority in an EU Member State where the company is “main established.” This status significantly limits the ability of privacy regulators from other EU countries to take independent action, as they typically refer concerns back to the lead authority for review. Although other GDPR regulators retain the power to act locally in urgent situations, these interventions are usually temporary and exceptional, making the status highly attractive to major tech firms eager to simplify privacy management for their cross-border data operations.
When inquired about OpenAI's engagement with Ireland’s privacy watchdog to secure main establishment status for its Dublin entity under the GDPR’s OSS, a representative from the Irish Data Protection Commission (DPC) confirmed, “I can confirm that OpenAI has been engaged with the DPC and other EU DPAs [data protection authorities] on this matter.” OpenAI was also invited to provide comment.
Having established a Dublin office in September, OpenAI began by hiring for several positions in policy, legal, and privacy roles, alongside some administrative positions. As of now, five Dublin-based opportunities remain open among the 100 roles listed on its careers page, indicating that local hiring is still in its infancy. Notably, a role for a privacy software engineer is among the Dublin listings, while other positions include account director, international payroll specialist, media relations lead for Europe, and sales engineer.
The number and caliber of hires OpenAI makes in Dublin will be pivotal for its pursuit of main establishment status under the GDPR. Achieving compliance isn’t just a matter of legal paperwork; OpenAI must convince European privacy regulators that its Ireland-based entity genuinely influences decisions regarding data handling. This requires the establishment of the appropriate expertise and legal framework to ensure meaningful oversight of its U.S. parent company.
In contrast, OpenAI may be watching the recent developments of X (formerly Twitter), which, since Elon Musk's acquisition in fall 2022, has faced various challenges yet managed to maintain its OSS status in the EU despite significant layoffs that impacted relevant expertise.
If OpenAI successfully secures GDPR main establishment status in Ireland, it would join tech giants like Apple, Google, Meta, TikTok, and X, who have chosen Dublin as their EU base. However, the DPC has faced criticism over the speed and efficacy of its GDPR oversight of local tech entities. While recent years have seen some significant penalties imposed on Big Tech, critics argue that the DPC frequently advocates for substantially lighter penalties compared to its peers. Concerns about the slow pace of investigations, as well as instances where the DPC has refrained from investigating or has altered the framing of complaints, have also been raised.
Existing GDPR inquiries involving ChatGPT, led by regulators in Italy and Poland, will remain relevant in shaping the regulatory environment for OpenAI’s AI chatbot. These probes, concerning data processing that predates any future main establishment status OpenAI might achieve, are likely to unfold fully. Italy’s regulatory body has been investigating various issues regarding the legal basis OpenAI uses to process user data for training its AIs. In Poland, an investigation was initiated following a detailed complaint that included concerns about the AI's tendency to fabricate personal data.
OpenAI’s updated European privacy policy includes more comprehensive details regarding its legal bases for processing user data, now articulating its reliance on the "legitimate interests" legal basis by indicating it is “necessary for our legitimate interests and those of third parties and broader society” [emphasis ours]. In contrast, the previous privacy policy had a more straightforward wording about the same legal basis, discussing legitimate interests in protecting services from abuse, fraud, and security risks.
This change implies OpenAI may be strategically positioning itself to defend its extensive collection of personal data for generative AI training by appealing to public interest arguments alongside its commercial interests. However, under the GDPR, there are strictly defined legal bases for processing personal data; data controllers cannot customarily mix and match this list to create their own justifications.
Notably, GDPR regulators have been striving to find common ground on addressing the complex relationship between data protection laws and data-intensive AIs through a task force established within the European Data Protection Board last year. Whether a consensus will be reached remains uncertain. Given OpenAI's initiative to establish a legal presence in Dublin as the controller of data for European users, Ireland will likely play a significant role in shaping the future of generative AI regulation and privacy rights.
If the DPC becomes the lead supervisor for OpenAI, it could potentially slow down GDPR enforcement in relation to rapidly evolving AI technologies. Previously, in April following Italy's intervention with ChatGPT, DPC's current commissioner, Helen Dixon, cautioned against rushing to ban AI technologies over data concerns, advocating for a thoughtful approach to enforcing GDPR on AI solutions.
It's important to note that U.K. users will not be affected by OpenAI's shift to Ireland’s legal arrangements as they remain under the jurisdiction of OpenAI’s U.S. entity in Delaware. Since Brexit, the EU’s GDPR does not apply in the U.K.; however, the U.K. has retained its own U.K. GDPR, which is based on the European framework but is set to evolve as the U.K. navigates its data protection regulation separate from the EU’s standards.