OpenAI has come under the magnifying glass of the Italian data protection authority, the Guarantor, for alleged violations of the GDPR, the European Union's General Data Protection Regulation. It should be remembered in March last year there was a ChatGPT block in Italy. Now there is some news as it seems that OpenAI is perpetrating the privacy violation regardless.
Violation of privacy for OpenAI: conflict with Europe again
OpenAI recently received a violation notice from the Italian Guarantor, following a several-month investigation into the ChatGPT GDPR compliance. Details of the authority's preliminary findings were not disclosed, but it is understood that OpenAI has 30 days to respond to the allegations.
Violations may result fines of up to 20 million euros or up to 4% of annual global turnover. For an AI giant like OpenAI, data protection authorities can issue orders requiring changes to data processing to put an end to confirmed breaches. This may force the company to change its operation or withdraw its service from EU member states where privacy authorities try to force changes.
The fundamental problem concerns the legality of training artificial intelligence models. The Italian regulator raised doubts about OpenAI's compliance with the GDPR already last year, when it ordered a temporary suspension of ChatGPT's processing of local data, leading to the temporary suspension of the ChatGPT chatbot.
Here is the statement from the Privacy Guarantor:
The Guarantor for the protection of personal data has notified OpenAI, the company that manages the artificial intelligence platform ChatGPT, of the complaint for violating the legislation on the protection of personal data.
Following the measure of temporary limitation of processing, adopted by the Guarantor towards the Company last March 30, and following the outcome of the investigation carried out, the Authority considered that the elements acquired could constitute one or more offenses with respect to that established by the EU Regulation.
OpenAI will have 30 days to communicate its defense briefs regarding the alleged violations complained of.
In defining the procedure, the Guarantor will take into account the work in progress within the special task force, established by the Board bringing together the EU Data Protection Authorities (EDPB)
The Guarantor highlighted both the lack of an adequate legal basis for the collection and processing of personal data for the purposes of training the algorithms underlying ChatGPT, and the tendency of the AI tool to hallucinate (i.e. to produce inaccurate information) as problems of concern. Furthermore, child safety was highlighted as an issue.
OpenAI, after addressing some issues raised by the Italian authority, was able to quickly resume the ChatGPT service in Italy last year. However, the authority continued to investigate OpenAI and the alleged privacy violation. It has now reached the preliminary conclusion that the tool violates EU law.
One of the crucial issues concerns the legal basis that OpenAI supports for the data processing personal for training its artificial intelligence models. ChatGPT was developed using huge amounts of data collected from the Internet, including personal data of individuals. In the context of the European Union, the processing of data of EU individuals requires a valid legal basis.
