OpenAI is under investigation to determine if its generative AI chatbot, ChatGPT, adheres to European Union privacy regulations. A complaint was lodged in Poland last month, alleging multiple violations of the EU’s General Data Protection Regulation (GDPR). Following this, the Polish Office for Personal Data Protection (UODO) publicly disclosed that it has officially initiated an investigation.
According to the UODO's press release, “The Office for Personal Data Protection is examining a complaint regarding ChatGPT. The complainant accuses OpenAI, the tool's creator, of processing data in an unlawful and unreliable manner, with opaque operational rules.” The authority anticipates a “challenging” investigation due to OpenAI’s location outside the EU and the innovative nature of the generative AI technology in question.
Jan Nowak, president of the UODO, stated, “The case involves the violation of various personal data protection regulations, so we will require OpenAI to respond to several inquiries to ensure a comprehensive investigation.” Deputy president Jakub Groszkowski emphasized that new technologies must comply with legal frameworks, asserting the complaint raises concerns regarding OpenAI's systematic compliance with EU data privacy principles. He noted that the investigation will scrutinize OpenAI’s adherence to the fundamental principle of “privacy by design,” as enshrined in the GDPR.
Filed by local privacy researcher Lukasz Olejnik, the complaint details alleged breaches across multiple GDPR domains, including lawful processing, transparency, fairness, data access rights, and privacy by design. Central to the complaint is Olejnik's attempt to rectify inaccurate personal data included in a biography generated by ChatGPT, which OpenAI reportedly failed to address. He also claims that OpenAI did not adequately respond to his request for data access, providing evasive and contradictory information.
ChatGPT operates using a large language model (LLM), a generative AI system trained on vast amounts of natural language data. While this enables conversational responses, it also means the model has been trained on various information types, including data about living individuals. OpenAI’s practice of collecting training data from the public internet without individuals’ consent is a significant concern that has drawn the scrutiny of regulators in the EU. Additionally, the company's difficulty in explaining how it handles personal data or correcting inaccuracies when its AI generates misleading information has raised further alarms.
The EU regulates personal data processing, mandating that processors have a legitimate basis for collecting and utilizing personal information. Key requirements include transparency and fairness, alongside data access rights that allow EU residents to request corrections to erroneous personal data.
Olejnik's complaint puts OpenAI's GDPR compliance to the test on several fronts, and any enforcement actions could significantly influence the future of generative AI regulations. "Emphasizing privacy by design and data protection by design is crucial," Olejnik said, remarking that it aligns with the main aspects of the investigation. He also expressed hope that this issue could provide insights into the underlying processes involved with AI systems, drawing a parallel to Josef K in Kafka’s "The Trial."
The rapid response from the Polish authority, coupled with its transparency, is noteworthy amid increasing regulatory challenges for OpenAI across the EU. This investigation comes on the heels of an intervention by Italy's DPA earlier this year, which temporarily halted ChatGPT operations in the country. Spain’s DPA has also launched a probe into OpenAI, while a task force established by the European Data Protection Board is considering how various data protection authorities might collaborate to regulate emerging AI technologies.
Although the task force’s efforts do not replace individual investigations, they may lead to more consistency in how data protection authorities manage cutting-edge AI. However, divergent approaches may still occur depending on differing views among the agencies. The UODO’s press release acknowledges the task force while also stressing the seriousness of its investigation. President Nowak pointed out that the allegations are not the first concerning ChatGPT's adherence to EU privacy regulations.
Maciej Gawronski from the law firm GP Partners, representing Olejnik, commented on the UODO’s active engagement with privacy and technology issues, suggesting that the complaint offers a chance for the authority to balance digital innovation with human rights. He noted, “Poland is advanced regarding IT. I expect the UODO to be reasonable in its proceedings, provided OpenAI is receptive to discussion.”
Regarding the timeline for the investigation, Gawronski indicated that while the authority closely monitors technological advancements, a swift decision is not anticipated. He expressed a preference for a thorough and honest dialogue with OpenAI surrounding GDPR compliance matters, particularly concerning data subject rights.
OpenAI did not respond to requests for comment on the Polish DPA's investigation. In light of the evolving regulatory landscape in the EU, the company has taken steps to address its compliance challenges, including opening an office in Dublin, Ireland. However, it is important to note that OpenAI is not yet classified as "mainly established" in any EU member state for GDPR considerations, as key decisions involving local users continue to occur at its U.S. headquarters in California. This means that data protection authorities across the EU retain the authority to investigate concerns related to ChatGPT. Consequently, further investigations into the AI tool may emerge.
In summary, the ongoing scrutiny of OpenAI and ChatGPT highlights the complexities of GDPR compliance and the regulatory landscape surrounding generative AI. As the investigation unfolds, its outcomes may significantly shape the approach to AI technologies in the EU and beyond.
Ranking
