A data protection panel that spent over a year assessing OpenAI’s popular chatbot ChatGPT ‘s compliance with EU data protection law released preliminary findings on Friday. The working group of privacy enforcers is undecided on key legal concerns, including OpenAI’s processing lawfulness and fairness.
The problem is relevant since the bloc’s privacy laws may fine violators 4% of worldwide revenue. The watchdogs may also block non-compliant processing. In principle, OpenAI faces significant legal risk in the area at a time when AI rules are few and, even in the EU, years from implementation.
Despite growing complaints that its technology violates the bloc’s General Data Protection Regulation, OpenAI will likely feel empowered to continue business as usual without clarity from EU data protection enforcers on how current data protection laws apply to ChatGPT. 
Poland’s data protection authority (DPA) launched this inquiry after a complaint about the chatbot creating information about a person and refusing to amend it. Austria recently filed a similar suit.
Lots of GDPR concerns, little enforcement
Large language models (LLMs) like OpenAI’s GPT, the AI model behind ChatGPT, collect and process personal data at scale by scraping data from the public internet, including social media posts, in compliance with the GDPR.
The EU rule allows DPAs to halt non-compliant processing. If GDPR authorities remove it, ChatGPT’s AI giant’s regional operations might be shaped.
Last year, Italy’s privacy police temporarily banned OpenAI from processing ChatGPT users’ data. Using GDPR emergency powers, the AI giant temporarily shut down the country’s service.
After OpenAI changed user information and controls to meet DPA standards, ChatGPT restarted in Italy. However, the Italian inquiry into the chatbot continues, covering key problems like OpenAI’s legal basis for processing people’s data to develop its AI models. The gadget is surrounded by an EU legal shroud.
Any organisation that processes personal data must have a legal basis under GDPR. The rule lists six bases, but OpenAI cannot use most of them. The Italian DPA already told the AI giant it cannot claim a contractual necessity to process people’s data to train its AIs, leaving it with two legal bases: consent (i.e., asking users for permission to use their data) or legitimate interests (LI), which requires a balancing test and requires the controller to allow consumers to object to the processing.
Following Italy’s involvement, OpenAI asserts that it has a license to process personal data for model training. In January, the DPA’s draft inquiry conclusion determined OpenAI breached GDPR. The authority’s legal foundation evaluation remains unknown due to the lack of specifics in the draft conclusions. The complaint’s outcome is pending.
A precise ‘fix’ for ChatGPT’s legality?
The taskforce’s report states that ChatGPT needs a legal basis for all stages of personal data processing, including training data collection, pre-processing (such as filtering), training, prompts and outputs, and prompt training.
The taskforce calls the first three steps “peculiar risks” for people’s basic rights, noting how web scraping’s size and automation may lead to large-scale personal data collection that covers many parts of people’s lives. The GDPR also states that scraped data may contain “special category data,” including health information, sexuality, and political beliefs, which has a higher legal hurdle for processing than basic personal data.
The taskforce also claims that special category data is not “manifestly” public merely because it is public, which would exclude it from the GDPR’s specific permission requirement. “In order to rely on the exception laid down in Article 9(2)(e) GDPR, it is important to ascertain whether the data subject intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public,” it adds.
To use LI as its legal basis, OpenAI must demonstrate that it needs to process the data, limit it to what is necessary, and balance its legitimate interests against the rights and freedoms of the data subjects.
The taskforce suggests that “adequate safeguards,” such as “technical measures,” “precise collection criteria,” and/or blocking out certain data categories or sources (like social media profiles), could “change the balancing test in favor of the controller” and reduce data collection to reduce impacts on individuals.
This might make AI businesses more careful about how and what data they acquire to reduce privacy issues.
The taskforce also recommends deleting or anonymizing online scraped personal data before training.
LI is also being considered to process ChatGPT prompt data for OpenAI model training. The paper stresses that users must be “clearly and demonstrably informed” before using such information for training, which is one of the LI balance test considerations.
Individual DPAs reviewing complaints will evaluate whether the AI behemoth meets LI standards. If it can’t, ChatGPT’s manufacturer would have to seek EU approval. Given the volume of personal data present in the training data sets, this approach may not be feasible. The agreements the AI giant is negotiating with news publishers to license their journalism don’t apply to the licensing of Europeans’ personal data, as they require free consent.
Fairness and openness are required.
On the GDPR’s fairness principle, the taskforce’s study emphasises that users cannot bear privacy risks by including a phrase in the T&Cs stating, “Data subjects are responsible for their chat inputs.”.
“OpenAI remains responsible for complying with the GDPR and should not argue that certain personal data was prohibited in the first place,” it says.
Given the extent of web scraping to acquire data sets to train LLMs, the taskforce seems to think OpenAI might invoke an exemption (GDPR Article 14(5)(b)) to tell people about the data gathered about them. However, the study underscores the crucial need to inform consumers about the potential use of their comments for training purposes.
The report also addresses the issue of ChatGPT ‘hallucinating’ or fabricating information, cautioning against the GDPR’s “principle of data accuracy” and urging OpenAI to provide “proper information” about the chatbot’s “probabilistic output” and “limited level of reliability”.
The taskforce recommends OpenAI to inform users explicitly that the generated content might be biased or fabricated.
According to the study, it is “imperative” that data subjects readily exercise their rights, such as the right to correct personal data, which has been the basis of many GDPR complaints regarding ChatGPT. The study also highlights the shortcomings of OpenAI, including its incapacity to rectify inaccurate personal data created about users and its sole focus on preventing its creation.
The taskforce only recommends that OpenAI take “appropriate measures designed to implement data protection principles in an effective manner” and “necessary safeguards” to meet GDPR requirements and protect data subjects’ rights. It does not specify how OpenAI can improve its “modalities” for users to exercise their data rights. This suggests that we are at a loss for solutions.
ChatGPT GDPR paused?
Italy created the ChatGPT taskforce in April 2023 to streamline EU privacy enforcement on the new technology, following its headline-grabbing involvement in OpenAI. The European Data Protection Board (EDPB) oversees EU law implementation in this sector, where the taskforce functions. While GDPR enforcement is decentralised, DPAs are autonomous and may police the law on their own.
Despite DPAs’ local enforcement independence, watchdogs seem apprehensive about how to handle a new innovation like ChatGPT.
The Italian DPA said in its draft ruling that it will “take into account” the EDPB taskforce’s work earlier this year. Other signals suggest watchdogs may wait for the working group’s final report, perhaps in a year, before enforcing. So the taskforce’s presence may already be slowing GDPR enforcement on OpenAI’s chatbot by delaying judgements and complaint investigations.
In an interview with local media, Poland’s data protection authorities said their OpenAI inquiry will wait for the taskforce’s completion.
When asked whether the ChatGPT taskforce’s parallel workstream is delaying enforcement, the watchdog did not comment. The EDPB spokeswoman stated that the taskforce “does not prejudge the analysis that each DPA will make in their respective, ongoing investigations.” “While DPAs are competent to enforce, the EDPB has an important role to play in promoting DPA enforcement cooperation.”
As it stands, DPAs seem divided on how quickly to address ChatGPT issues. Ireland’s (now former) data protection commissioner, Helen Dixon, told a Bloomberg conference in 2023 that DPAs needed time to figure out “how to regulate it properly” before banning ChatGPT. Italy’s watchdog made headlines for its swift interventions last year.
It’s certainly no coincidence that OpenAI opened an EU operation in Ireland last autumn. In December, it quietly changed its T&Cs to name its new Irish entity, OpenAI Ireland Limited, as the regional provider of services like ChatGPT, allowing the AI giant to apply for Ireland’s Data Protection Commission (DPC) to become its GDPR lead supervisor.
According to the EDPB ChatGPT taskforce’s report, OpenAI received main establishment status on February 15, enabling it to benefit from the GDPR’s One-Stop Shop (OSS), which directs cross-border complaints to a lead DPA in the country of main establishment (in OpenAI’s case, Ireland).
While this may seem complicated, it implies that the AI corporation may avoid more decentralized GDPR enforcement, as in Italy and Poland, because Ireland’s DPC will decide which complaints to investigate, how, and when.
The Irish regulator is known for being business-friendly when implementing GDPR on Big Tech. Thus, Dublin’s generosity in interpreting the bloc’s data protection law may help ‘Big AI’ in the future.
OpenAI has not replied to the EDPB taskforce’s preliminary findings as of press time.
