Italian Data Protection Authority Accuses ChatGPT of violating GDPR

OpenAI’s ChatGPT Faces Data Protection Challenges in Italy.  In recent developments, the italian data protection authority, Garante, has taken a firm stance against OpenAI, the company behind ChatGPT, for potential breaches of the European Union’s General Data Protection Regulation (GDPR).

The Italian watchdog originally initiated an investigation last year, resulting in a temporary ban of ChatGPT, and has recently issued a new notification to OpenAI citing possible GDPR violations.

Legal Implications

OpenAI faces a complex legal challenge in the European Union, where data processing requires a valid legal basis under GDPR. The Italian authority pointed out the lack of a suitable legal basis for the mass collection and storage of personal data for training ChatGPT’s algorithms. OpenAI has been given 30 days to present defense arguments. The investigation will also take into account the ongoing work of a European task force comprising national privacy watchdogs.

OpenAI’s Response

OpenAI maintains that its practices are aligned with GDPR and other privacy laws. The company emphasizes its commitment to minimizing the use of personal data in training systems like ChatGPT and asserts that it does not aim to learn about private individuals but about the world in general. Despite this, the Italian authority has raised concerns over the collection and processing of personal data for training algorithms, the tendency of the AI tool to produce inaccurate information (referred to as ‘hallucination’), and the issue of child safety.

Wider EU Context and Potential Consequences

This situation reflects a broader concern within the European Union about the compliance of AI technologies with GDPR. The GDPR lists six possible legal bases for data processing, and OpenAI’s reliance on large datasets, including personal data scraped from the internet, complicates its compliance. Fines for breaching GDPR rules can be as high as 4% of a company’s global turnover, indicating significant potential penalties.

As the situation unfolds, it will be crucial for OpenAI to address the concerns raised by the Italian authority and possibly other EU countries. The company has already taken steps to establish a physical base in Ireland, aiming for a more centralized assessment of its GDPR compliance. However, the resolution of these legal challenges will be crucial in shaping the future of AI technology in the European Union, particularly regarding data privacy and protection.