ChatGPT Under Scrutiny: Italy Flags Potential EU Privacy Violations

Following an extensive investigation by the Italian Data Protection Authority (DPA), OpenAI, the developers behind the AI chatbot ChatGPT, have been accused of breaching European Union data protection laws. This violation could lead to substantial fines, up to 20 million euros or 4% of their annual revenue. OpenAI has 30 days to formally respond to the charges.

Last year, Italian authorities expressed concerns about OpenAI’s compliance with the General Data Protection Regulation (GDPR), leading to a temporary ban on the model in Italy. In March, the DPA in Italy pointed out the lack of legal basis for collecting and processing personal data for training the algorithm, emphasizing risks to child safety and the AI’s tendency to create false content.

OpenAI may need to modify its information processing methods to ensure citizens’ privacy protection. The developers might have to revise their approach or stop offering their services in the European Union.

New York Times Sues OpenAI

Despite addressing some of the violations quickly in 2023 and resuming ChatGPT’s operation in Italy, further investigation showed that the platform still violates European legislation.

A major issue for OpenAI in the EU is the need for specific legal grounds to process European citizens’ data. Under GDPR, there are six permissible reasons, but most don’t relate to chatbot training. The Italian DPA suggested two solutions for OpenAI: either seek explicit user consent or prove that data processing is in the company’s legitimate interests.

Considering the vast content OpenAI uses without rights holders’ consent, these requirements pose a significant challenge. The Italian DPA might not deem the company’s reasons for processing personal data as legitimate.

Such instances have occurred before: the European Court did not recognize Meta’s legitimate interests as sufficient for data collection for targeted advertising. This precedent could complicate OpenAI’s position in Europe, especially considering new risks associated with AI, like spreading misinformation and fraud.

To mitigate regulatory risks, OpenAI is establishing a new organization in Ireland, hoping this will ease GDPR compliance. However, until this status is achieved, ChatGPT remains under scrutiny by DPAs in other EU countries.

The Italian DPA has also announced a special working group within the European Data Protection Board to coordinate ChatGPT oversight. However, each national DPA still maintains its independence and authority to make decisions autonomously.