Italy’s data protection watchdog OpenAI explained what it had to do to lift an injunction against ChatGPT late last month – when it suspected that the IA chatbot service had breached the EU’s General Data Protection Regulation (GDPR). and ordered the US-based company to stop processing residents’ data.
The EU GDPR applies whenever personal data is processed, and there’s no doubt that big language models like OpenAI’s GPT have taken a lot of material from the public internet to form generative AI models that can respond in a human way. as a natural language calling tool.
OpenAI quickly blocked access to ChatGPT in response to an order from the Italian data protection authority. In a brief public statement, OpenAI CEO Sam Altman also tweeted The confirmation that it has suspended service in Italy does so alongside Big Tech’s usual disclaimer that it believes “we comply with all privacy laws”.
Italian Garante clearly has a different approach.
The short version of the regulator’s new compliance request is as follows: OpenAI must be transparent and publish a detailed notice of its data processing; it should immediately adopt age restrictions and move to more robust age verification measures to prevent minors from accessing technology; it must specify the legal basis it requires to process people’s data to train its AI (and cannot rely on contract enforcement – meaning it must choose between consent or legitimate interests); it must also provide users (and non-users) with the means to exercise their rights in relation to their personal data, including by correcting (or deleting their data) false information made about them by ChatGPT; it must also provide users with the ability to object to OpenAI’s processing of their data to train its algorithms; and it should run a local awareness campaign to make Italians aware of the information they process to train its AI.
The DPA gave OpenAI a deadline of April 30 to do most of it. (Local radio, TV and Internet advertising campaign should be implemented by May 15.)
There is also some time to move the additional requirement from the immediately required (but weak) child safety technology to a more difficult-to-operate age verification system. OpenAI has been given until May 31 to submit a plan to implement age verification technology to verify users under the age of 13 (and users between 13 and 18 without parental consent) – with a longer implementation deadline. solid system. Until September 30.
In a press release on what to do to lift ChatGPT’s suspension of OpenAI, which was ordered two weeks ago when the regulator announced it had launched a formal investigation into alleged GDPR violations, it writes:
OpenAI has until April 30 to comply with the Italian SA (supervisory authority) on transparency, rights of data subjects, including measures for users and non-users, and the legal basis for processing user-based algorithmic learning. ‘ data. Only in this case will the Italian SA withdraw its order temporarily restricting the processing of Italian users’ data, the urgency underlying the order no longer exists, so that ChatGPT is once again available from Italy.
Elaborating on each of the “specific measures” required, the DPA states in a mandatory information notice “the data processing methods and logic necessary for the operation of ChatGPT, as well as the rights granted to interested parties (users and non-users)”, “which is easily accessible and read before subscribing to the service should be placed in such a way,” he added.
Users from Italy must receive this notice before registering and must also verify that they are over 18 years of age, which is an additional requirement. Users registered prior to the DPA’s data processing stop order must see a warning when accessing the reactivated service and must pass an age restriction to screen out underage users.
On the question of the legal basis given to OpenAI’s processing of human data to train its algorithms, Garante narrowed the available options down to two: consent or legitimate interests – requiring the immediate removal of any reference to contract enforcement. according to the principle of reporting (GDPR). (OpenAI’s privacy policy currently refers to all three frameworks, but seems to depend heavily on contract performance for services such as ChatGPT.)
“This is without prejudice to the SA’s exercise of investigative and enforcement powers in this regard,” he added, confirming that he would not rule on whether the other two grounds could legally be used for OpenAI purposes.
In addition, the GDPR gives data subjects a number of access rights, including the right to correct or delete their personal data. Therefore, the Italian regulator required OpenAI to implement tools that would allow data subjects – both users and non-users – to exercise their rights and have their rights rectified. false information that the chatbot creates about them. Alternatively, if it is “technically impossible” to correct AI-generated lies about named individuals, the DPA says the company must provide a means to delete their personal data.
“OpenAI provides easily accessible tools that allow non-users to exercise their right to object to the processing of their personal data used for the operation of algorithms. The same right should be granted to users if legitimate interest is chosen as the legal basis for processing their data,” he added, referring to other rights that the GDPR gives to data subjects when legitimate interests are used as legitimate. will be the basis for processing. personal data.
All measures announced by Garante are contingencies based on its prior concerns. Its press release said its official investigations – “to identify possible wrongdoing” – were ongoing, and that it “may decide to take additional or other action if necessary” at the end of its investigation. »
We reached out to OpenAI for a response, but the company did not respond to our email by press time.
All news on the site does not represent the views of the site, but we automatically submit this news and translate it through software technology on the site rather than a human editor.
