Another EU privacy investigation is underway for OpenAI’s ChatGPT generative AI chatbot.
ChatGPT and OpenAI were accused of violating the EU’s General Data Protection Regulation in Poland last month. Polish authorities made an unusual public announcement yesterday to confirm an investigation.
In a press release, the Office for Personal Data Protection [UODO] said it was investigating a complaint about ChatGPT, in which the complainant accused OpenAI of processing data in an unlawful, unreliable manner and following opaque rules.
Since OpenAI is based outside the EU and the generative AI chatbot technology under examination is new, the authority expects a “difficult” investigation.
UODO president Jan Nowak said, “The case concerns the violation of many provisions of the protection of personal data, so we will ask OpenAI to answer a number of questions in order to thoroughly conduct the administrative proceedings.”
In the authority’s press release, deputy president Jakub Groszkowski warned that new technologies must comply with the GDPR. He said OpenAI’s systemic approach to European data protection principles is questioned in the complaint, and the authority will “clarify these doubts, in particular against the background of the fundamental principle of privacy by design contained in the GDPR”.
The complaint was filed by local privacy and security researcher Lukasz Olejnik, who accused OpenAI of violating the pan-EU regulation’s requirements on lawful basis, transparency, fairness, data access rights, and privacy by design.
The complaint discusses OpenAI’s refusal to correct personal data errors in Olejnik’s biography on ChatGPT. He also accuses the AI giant of inadequately responding to his subject access request and providing evasive, misleading, and internally contradictory answers.
Using a large language model (LLM), a generative AI model trained on massive amounts of natural language data, ChatGPT can respond like a human. Given its general purpose, the tool has been trained on all kinds of information to answer different questions and asks, including data about living people.
One reason ChatGPT is in EU regulatory trouble is OpenAI’s unauthorised scraping of the public Internet for training data. Other examples include its apparent inability to explain how it processes personal data or correct mistakes when its AI “hallucinates” and misrepresents named individuals.
The bloc requires processors to collect and use personal data legally. Fairness and transparency are also required of processors. EU citizens also have the right to correct inaccurate data about them.
The complaint by Olejnik tests OpenAI’s GDPR compliance in several ways. Enforcement could influence generative AI development.
After UODO confirmed it’s investigating the ChatGPT complaint, Olejnik said: “Privacy by design/data protection by design is absolutely critical and I expected this to be the main aspect. So it makes sense. It would involve LLM system design and deployment.”
His experience trying to get OpenAI to answer his questions about its processing of his data felt like Josef K in Kafka’s The Trial. “If this is the Josef K. moment for AI/LLM, let’s hope it illuminates the processes,” he added.
Poland’s quick response to the complaint and transparency about the investigation are notable.
It compounds OpenAI’s EU regulatory issues. Italian DPA intervention earlier this year suspended ChatGPT in the country, prompting the Polish investigation. The Garante is also investigating GDPR compliance issues like lawful basis and data access rights.
Spain’s DPA is investigating. A taskforce set up earlier this year by the European Data Protection Board is studying how data protection authorities should respond to AI chatbot tech, to find a consensus among the bloc’s privacy watchdogs on how to regulate it.
The taskforce does not replace the authorities’ own investigations. In the future, it may harmonize how DPAs regulate cutting-edge AI. Divergence is possible if DPAs have strong and diverse views. What further enforcement actions the bloc’s watchdogs could take on ChatGPT is unknown. (Or how fast they act.)
In the press release, which mentions the taskforce, the president of UODO says the authority is taking the ChatGPT investigation “very seriously”. He also notes that ChatGPT’s compliance with European data protection and privacy laws has been questioned before.
Olejnik’s complaint lawyer, Maciej Gawronski of GP Partners, said: “UODO is becoming more and more vocal about privacy, data protection, technology and human rights. I think our complaint allows [it] to reconcile digital and societal progress with individual agency and human rights.
Poland is very IT-advanced. The UODO approach and proceedings should be reasonable. Indeed, as long as OpenAI remains open for discussion.”
“The authority is monitoring technology advancements pretty closely,” Gawronski said when asked if the complaint will be decided quickly. UODO’s new technology conference is where I am. Numerous actors have approached UODO about AI. However, a quick decision is unlikely. Nor will I end proceedings prematurely. I’d like to have an honest and insightful discussion with OpenAI about ChatGPT’s GDPR compliance, especially data subject rights.
OpenAI declined to comment on the Polish DPA’s investigation.
Faced with this EU regulatory complexity, the AI giant is making changes. It has opened an office in Dublin, Ireland, likely to streamline how it is regulated on data protection if it can route GDPR complaints through Ireland.
The US company is not considered “main established” in any EU Member State (including Ireland) for GDPR purposes because its California headquarters makes decisions affecting local users. The Dublin office is a small satellite. This allows data protection authorities across the bloc to investigate ChatGPT concerns on their territory. So more investigations could follow.
Anyone in the EU can file complaints about OpenAI before its main establishment status changes.