Italy’s data protection regulator has come to the conclusion that OpenAI’s famous chatbot ChatGPT breaches European data protection law.
The Italian Data Protection Authority, which is known as the Garante, has taken a leading role in regulating ChatGPT. In March 2023, Italy became the first western country to ban the chatbot due to alleged violations of the EU’s General Data Protection Regulation (GDPR).
The Garante said at the time that ChatGPT had an “absence of any legal basis that justifies the massive collection and storage of personal data”. Companies require a legal basis for processing personal data, and it remains unclear whether OpenAI can build a convincing case that any of the six possibilities listed in the GDPR are relevant in the case of ChatGPT.
The regulator said that ChatGPT was suspected to be in breach of Articles 5, 6, 8, 13 and 25 of GDPR.
The ban was lifted just weeks later after OpenAI took steps to address issues raised – including the right of users to refuse consent to their personal data being used to train the large language model and checks to ensure users are aged 13 or above. However, the Garante said that investigations into the laundry list of suspected GDPR violations would continue.
Now it has come to the conclusion that ChatGPT is indeed violating GDPR. Any company found in breach of the rules could face fines of up to €20m or 4% of its annual global turnover.
According to the Garante, its ‘final determination’ on the case will take into account work done by a task force set up by EU data regulators in April 2023 to examine ChatGPT.
OpenAI now has 30 days to present its defence.
In December, the EU agreed to provisional rules for regulating ChatGPT and other generative AI applications (the ‘EU AI Act’).
ChatGPT is facing regulatory challenges across the EU, with data regulators in Poland, France and Ireland all undertaking investigations. In Poland, for instance, a complaint was filed by privacy and security researcher Lukasz Olejnik, who accused OpenAI of failing to fulfil his request to correct inaccuracies in a ChatGPT-generated biography of him, among other alleged failures.
In response to these challenges, US-based OpenAI recently moved its European data processing operations to Ireland. This means that it will be subject to oversight from Ireland’s Data Protection Commission, rather than from all EU data protection authorities.