OpenAI Faces GDPR Violation Accusations Over ChatGPT

OpenAI, the creator of ChatGPT, is under scrutiny following allegations of multiple GDPR breaches. A complaint submitted to the Polish data protection agency highlights potential violations in areas such as transparency, fairness, data access rights, and privacy by design.

The complaint, reviewed by TechCrunch, suggests that OpenAI may have neglected GDPR requirements, including prior consultation with regulators. This oversight could have prevented the company from launching ChatGPT in Europe without potential GDPR conflicts.

Earlier this year, Italy’s privacy watchdog, the Garante, directed OpenAI to address GDPR-related issues. While ChatGPT resumed its services in Italy after making adjustments, investigations by the Italian DPA and other EU DPAs continue.

The European Data Protection Board (EDPB) has formed a task force to evaluate the regulation of rapidly evolving technologies like ChatGPT. While the GDPR remains enforceable, its application to AI chatbots is still under discussion.

OpenAI’s lack of a primary establishment in any EU Member State for GDPR oversight leaves it vulnerable to regulatory challenges across the EU. Violations of the GDPR can result in penalties amounting to 4% of a company’s global annual turnover.

Details of the Complaint

Lukasz Olejnik, a privacy researcher, filed the 17-page complaint after ChatGPT generated an inaccurate biography of him. Despite reaching out to OpenAI for corrections, Olejnik claims the company did not provide complete information as mandated by the GDPR. He alleges that OpenAI processed his data “unlawfully, unfairly, and in a non-transparent manner.”

The complaint also criticizes OpenAI for not detailing its data processing methods, especially concerning AI model training. OpenAI’s lack of transparency in its data processing operations appears to be a significant concern.

Another point of contention is ChatGPT’s inability to correct inaccuracies in the data it generates. The GDPR grants individuals the right to rectify their personal data, a right Olejnik claims OpenAI has ignored.

The complaint further challenges ChatGPT’s design, suggesting it violates the GDPR’s principle of data protection by design and default. OpenAI’s approach to testing ChatGPT using personal data in a production environment, rather than during the design phase, is highlighted as a concern.

OpenAI has yet to respond to the allegations. The Polish DPA, UODO, confirmed receiving the complaint and is currently assessing further actions. The UODO emphasized the importance of a data protection impact assessment (DPIA) for tools like ChatGPT.

Olejnik’s lawyer, Maciej Gawronski, anticipates the investigation could take between six months to two years. If the UODO confirms GDPR violations, they expect the agency to ensure OpenAI’s compliance with the GDPR.

Olejnik hopes the complaint will enable him to exercise his GDPR rights, expressing trust in the GDPR process.

Write a Comment

Your email address will not be published. Required fields are marked *