OpenAI, the company behind the AI chatbot ChatGPT, has been notified of a suspected violation of European Union privacy laws by Italy’s data protection authority. This development follows a multi-month investigation into ChatGPT by the Italian authority.
GDPR Compliance Issue
The Italian data protection authority, known as the Garante, raised concerns about OpenAI’s compliance with the General Data Protection Regulation (GDPR) last year. This led to a temporary suspension of ChatGPT in Italy.
The main issues highlighted were the lack of a suitable legal basis for collecting and processing personal data for training ChatGPT’s algorithms and the potential for the AI tool to produce inaccurate information about individuals.
The Legal Basis for Data Processing
One of the critical challenges for OpenAI in the European Union is ensuring that the processing of EU citizens’ data has a valid legal basis.
The GDPR lists six possible legal bases, most of which are not applicable in the context of ChatGPT. OpenAI’s reliance on “legitimate interests” as a legal basis is under scrutiny, as this requires a balance between the company’s interests and the rights and freedoms of individuals whose data is being processed.
Confirmed breaches of the GDPR can attract fines of up to €20 million or up to 4% of global annual turnover. More significantly, data protection authorities can issue orders requiring changes to data processing practices, which could force OpenAI to alter how it operates ChatGPT in the EU.
OpenAI has been given 30 days to respond to the Garante’s notification and defend against the allegations. The company’s response and subsequent actions will be crucial in determining the future of ChatGPT’s operations in the EU.
This situation highlights the challenges AI companies face in navigating complex data protection laws. The outcome of this case could have significant implications for how AI tools are developed and used in the European Union, particularly concerning personal data processing.
The investigation into ChatGPT by Italy’s data protection authority underscores the importance of GDPR compliance for AI companies operating in the EU.
The case against OpenAI could set a precedent for how data protection laws are applied to AI technologies, emphasizing the need for legal and ethical considerations in AI development.