OpenAI Faces GDPR Compliance Issues over Data Protection Breaches
OpenAI Faces GDPR Compliance Issues over Data Protection Breaches

Krishi Chowdhary
OpenAI Faces GDPR Compliance Issues over Data Protection

OpenAI, the creator of ChatGPT, is under scrutiny once again for potential violations of the General Data Protection Regulation (GDPR) in the European Union.

The complaint, lodged with the Polish Data Protection Authority, accuses the company of breaching essential standards of the GDPR like transparency, fairness, privacy, and the right to access data.

Lukasz Olejnik, a security and privacy researcher, filed the 17-page complaint after he used ChatGPT to generate a biography about himself and discovered discrepancies in the output.

Concerned with the inaccuracies, he addressed the errors by contacting OpenAI and requesting to rectify them. The complaint states that the company failed to furnish all the necessary information about its data processing practices, as required by the GDPR.

GDPR’s Clauses For Data Controllers

According to the established standards of the GDPR, data controllers need to have a valid legal basis to process personal data. Besides, they need to communicate this legality transparently.

The complaint alleges that OpenAI processed personal data “unlawfully, unfairly, and in a non-transparent manner.”

The complaint also highlights the lack of compliance of OpenAI with the right of individuals to correct inaccuracies in their personal data, which further violates the GDPR.

The complaint points out that the design of ChatGPT, along with the alleged breaches, contradicts the principle of GDPR of protecting data. It argues that generative AI has been launched in Europe without conducting a proactive assessment.

No local regulators were engaged, which violates GDPR’s requirement for prior consultation. Therefore, OpenAI has violated Article 15 of the GDPR.

This isn’t the first time OpenAI has faced concerns related to compliance. Earlier this year, OpenAI faced temporary restrictions in Italy after Garante, its privacy watchdog, ordered an investigation into its GDPR privacy breaches and practices for verifying age.

The investigation is still underway, although ChatGPT was subsequently allowed to operate in Italy after it made some adjustments.

Although OpenAI indicates that the data used to train the [AI] models includes personal data, OpenAI does not actually provide any information about the processing operations involving this data.Official complaint

The fallout of violating GDPR on ChatGPT can be adverse, leading to penalties of up to 4% of the company’s global annual turnover. As a part of corrective measures, the company may also have to adjust its technological operations in the EU.

Polish Data Protection Authority To Investigate The Complaint

The Polish Data Protection Authority will investigate the complaint, and the process can span several months to a few years. OpenAI is yet to respond to inquiries from the media about these allegations.

However, it may face regulatory actions from data protection authorities throughout the EU if investigators find the allegations true.

This case also marks the importance of respecting data protection regulations like the GDPR in a rapidly evolving AI landscape.

At a time when data privacy is of paramount importance, the outcome of this complaint may have a far-reaching impact on OpenAI and other organizations in the generative AI field.

Krishi is an eager Tech Journalist and content writer for both B2B and B2C, with a focus on making the process of purchasing software easier for businesses and enhancing their online presence and SEO.

Krishi has a special skill set in writing about technology news, creating educational content on customer relationship management (CRM) software, and recommending project management tools that can help small businesses increase their revenue.

Alongside his writing and blogging work, Krishi's other hobbies include studying the financial markets and cricket.

