Italy’s data protection regulator has asserted that ChatGPT, the popular conversational AI system created by OpenAI, has breached European Union privacy laws. The regulator sent OpenAI formal notice that the system is illegally processing personal data of Italian citizens.
Background on ChatGPT and Privacy Concerns
ChatGPT launched to great fanfare in November 2022 as a free chatbot that can understand natural language questions and provide human-like responses on nearly any topic. Behind the chatbot is OpenAI’s powerful GPT-3.5 natural language model, trained on vast troves of internet text data.
Soon after launch however, concerns emerged that ChatGPT was retaining and reusing chunks of that training data without permission. This could potentially violate GDPR rules around processing personal information in the EU.
Critics like former Facebook CSO Alex Stamos pointed out examples of ChatGPT apparently paraphrasing private emails, rebutting OpenAI’s claim that the model produced “entirely new” text. Others asked how OpenAI could properly anonymize the gargantuan training data sets used by such large language models.
In December 2022, OpenAI admitted that ChatGPT sometimes “memorizes” parts of its training data, opening it to privacy complaints. The company argued though that overall ChatGPT followed best practices, and was not designed to expose personal info intentionally.
Italian Regulator’s Assessment and Action
On January 28th, Italy’s Data Protection Agency (the ‘Garante’) announced the results of its assessment into potential GDPR violations by ChatGPT in the handling of Italian citizens’ personal information.
The Garante determined that OpenAI had indeed breached Articles 5(1)(a) and 6 of the GDPR on the principles and lawfulness of personal data processing. Specifically:
- OpenAI did not adopt appropriate technical and organizational measures to ensure GDPR compliance from the design phase
- OpenAI does not have a valid legal basis for processing any personal data of Italian data subjects that may be present in ChatGPT’s training data or responses
The Garante has given OpenAI 15 days to address these alleged violations, provide evidence ensuring GDPR conformity, or risk further coercive sanctions under Article 83 of the regulation.
What OpenAI and Microsoft Must Now Do
As ChatGPT’s exclusive licensing partner, Microsoft also faces scrutiny and liability over potential GDPR issues with the system.
To satisfy regulators and avoid hefty EU fines, OpenAI and Microsoft urgently need to:
- Demonstrate how exactly personal information of EU residents has been processed, anonymized and protected in ChatGPT’s training data
- Clarify the legal basis legitimizing this processing under the GDPR
- Implement stricter controls to prevent revealing personal data in chat responses
- Respect the rights of EU data subjects, including deletion of info on request
- Make systems fully compliant “by design and default” as mandated by GDPR
If OpenAI cannot adequately prove GDPR compliance to Italian authorities, forced changes to ChatGPT could be soon needed. But given the central importance of massive training data to systems like ChatGPT, truly aligning such AIs with EU privacy laws poses an immense technological and legal challenge.
What This Means for the Future of AI
With hype around ChatGPT reaching fever pitch, Italy’s action signals the growing scrutiny AI systems will face over data privacy issues. This case underscores how historically lax Big Tech approaches to data collection and consent clash with Europe’s tough stances protecting consumer rights.
As advanced AI continues spreading through consumer products and workplaces globally, expect more legal sparring about regulating these technologies amid concerns over data abuse, security risks and the ethics of automated decision-making impacting people’s lives. The battle in Europe over ChatGPT and privacy is just one early skirmish in what promises to be a prolonged struggle to govern AI responsibly worldwide.
Table: Key Comparisons of AI Laws Proposed in US and EU
| Scope and Focus | User Rights | Transparency | Accountability | Automated Decisions | High-Risk Systems | Enforcement Powers | |
|---|---|---|---|---|---|---|---|
| US AI Bill of Rights | Broad principles for use of automated systems by companies | Consent, fairness, accuracy, redress | Broad right to notice and explanation of system’s capabilities | None specified | None specified | None specified | FTC oversight with limited rulemaking abilities |
| EU AI Act | Narrow ban plus restrictions on specific “high-risk” AI uses | Broad GDPR rights reinforced | Extensive documentation required on high-risk systems | Mandatory human oversight; risk management systems | Additional safeguards and ability to opt-out | Clearly defined with tailored requirements | Sweeping powers including fines up to 6% of global turnover |
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
