Italy’s data protection watchdog has explained what OpenAI needs to do to lift the order issued on ChatGPT. end of last month — said it suspected its AI chatbot service violated the EU’s General Data Protection Regulation (GDPR) and ordered the US-based company to stop processing data on local residents.
The EU GDPR applies whenever personal data is processed. And there is no doubt that large scale language models such as OpenAI’s GPT have gleaned vast amounts of stuff from the public internet to train generative AI models to be able to respond in the human brain. . Like a natural language prompt.
OpenAI responds quickly to Italian data protection authority orders Geoblocking access to ChatGPTIn a brief public statement, OpenAI CEO Sam Altman also said: murmured We have confirmed that we have stopped providing services in Italy.[s] We comply with all privacy laws. “
Galante in Italy clearly has a different point of view.
Here’s a short version of the regulator’s new compliance request: Age gating should be adopted immediately to prevent minors from accessing technology, and we should move to more robust age verification measures. You should clarify the legal basis you are claiming for processing people’s data to train AI (and you cannot rely on the performance of a contract, i.e. either consent or legitimate interest). must choose). You must also provide ways for users (and non-users) to exercise their rights over their personal data. This includes requesting the correction of misinformation (or deleting data) generated by ChatGPT. You should also provide users with the ability to object to OpenAI processing their data to train their algorithms. We also need to conduct local awareness campaigns to let Italians know that we are processing information to train AI.
The DPA gave OpenAI an April 30th deadline to complete most of it. (Local radio, TV, and internet awareness campaigns have a little extra time scheduled for May 15th.)
Additional requirements to move from immediately necessary (but weak) age-gating child safety tech to age verification systems that are more difficult to circumvent will also take some more time. have been given to submit a plan to implement age verification technology to exclude users under the age of 13 (and users between the ages of 13 and 18 without parental consent). September 30.
and press release It detailed what OpenAI had to do to lift ChatGPT’s temporary suspension, ordering two weeks before the regulator announced it would launch a formal investigation into alleged GDPR violations.
OpenAI must comply with the measures set by SA in Italy by April 30th. [supervisory authority] It concerns transparency, the rights of data subjects, including users and non-users, and the legal basis for processing algorithmic training that relies on user data. Only then will SA in Italy lift the order imposing a temporary restriction on the processing of Italian users’ data, the urgency to support the order will cease and ChatGPT will again be available from Italy.
Elaborating on each of the “specific measures” required, the DPA states that the required information notice includes “data processing arrangements and logic necessary for the operation of ChatGPT and data subjects (users and should be accessible and readable prior to signing up for the service,” he added.
Italian users must present this notice and confirm they are over 18 years of age before signing up. Users who registered prior to the DPA’s data processing suspension order must view a notice when accessing the resumed services.
Garante has narrowed the available options to two, given the legal basis issues attached to OpenAI’s processing of people’s data to train its algorithms. consent or legitimate interest.of [GDPR’s] Principle of accountability. ”(OpenAI Privacy Policy currently cite all three reasons, but seem to rely most heavily on fulfilling contracts to provide services like ChatGPT. )
“This is without prejudice to SA’s exercise of its investigative and enforcement powers in this regard,” it added, withholding judgment as to whether the remaining two grounds could also be lawfully used for OpenAI’s purposes. has been confirmed.
Additionally, the GDPR provides a set of access rights for data subjects. This includes the right to rectification or deletion of personal data. As such, the Italian regulator may also allow OpenAI to implement tools to allow data subjects (meaning both users and non-users) to exercise their rights and correct falsehoods generated by chatbots. I am requesting. Alternatively, if he proves “technically impossible” to correct AI-generated lies about a named individual, the DPA provides a way for companies to delete personal data. stipulate that it is necessary.
“OpenAI should make readily accessible tools available to non-users to exercise their right to object to the processing of personal data that relies on the manipulation of algorithms. The same rights should be given to users where they are chosen as the legal basis,” adding that the GDPR provides data subjects with different rights when relying on legitimate interests as the legal basis for data processing. I am referring to personal data.
All actions announced by Galante are contingent on preliminary concerns. The press release also stated that a formal investigation was ongoing “to establish possible violations of the law” and that “additional or different measures may be taken if proven necessary upon completion of the ongoing fact-finding.” It could lead to a decision to take “
We reached out to OpenAI for a response, but the company has not responded to our emails at press time.
