Complaint Alleges OpenAI's ChatGPT Violates GDPR Regulations
OpenAI, the organization behind the development of advanced AI models, including ChatGPT, faces a significant legal challenge as a complaint has been filed with Poland's Office for Personal Data Protection (DPA) alleging multiple violations of the General Data Protection Regulation (GDPR). Lukasz Olejnik, a privacy and security researcher at a law firm in Warsaw, filed the complaint, accusing OpenAI of breaching GDPR rules related to data processing, access, fairness, transparency, and personal privacy.
ChatGPT, a widely used AI chatbot, has been operational in Europe but has encountered various regulatory issues, including a temporary ban in Italy over privacy concerns and ongoing investigations by several European authorities.
The comprehensive 17-page complaint highlights several key GDPR violations allegedly committed by OpenAI. It begins with an accusation of an Article 36 violation, suggesting that OpenAI failed to consult adequately with European regulators before collecting user data. The complaint also asserts that OpenAI lacked a lawful basis for processing personal data under GDPR and failed to communicate this basis to users, violating transparency requirements.
OpenAI has stated that it does not incorporate personal data into its training model and makes efforts to filter it out. However, Olejnik's complaint stems from a situation where personal data appeared in ChatGPT's outputs, sparking concerns about GDPR compliance.
Olejnik reported attempting to generate a biography using ChatGPT and subsequently requested that OpenAI provide the source of certain personal information it had obtained about individuals. In response, OpenAI provided only a portion of the Subject Access Request (SAR) data required by GDPR, omitting in particular information about ChatGPT's internal processes. This limitation raises the possibility of GDPR violations regarding the right to view and correct personal data.
Furthermore, the complaint highlights instances of ChatGPT providing inaccurate information, referred to as "hallucinations," and OpenAI's refusal to correct these errors. This refusal could also constitute a GDPR violation.
The overall pattern of potential GDPR violations has raised concerns that OpenAI may not prioritize compliance with European data protection regulations. While the organization may face fines and restrictions across Europe, it could be considering the approach taken by tech giants like Facebook and Google, who have occasionally paid fines while continuing to operate. However, OpenAI does not enjoy the same regulatory advantages as firms based in Dublin, leaving it exposed to regulatory scrutiny across the European Union.
OpenAI previously faced a temporary ban in Italy and is still under investigation by several European data protection authorities, including those in France, Spain, and the Netherlands. These challenges coincide with the European Data Protection Board's (EDPB) development of broader regulations for AI-powered products, indicating that the legal landscape for AI developers in Europe is evolving rapidly.
As the complaint against OpenAI progresses, the outcome could significantly impact the regulation of AI models and data protection standards in the European Union.