Privacy concerns surrounding OpenAI’s popular language model, ChatGPT, have resurfaced with the filing of a comprehensive complaint to the Polish data protection authority. The complaint alleges that OpenAI, based in the United States, has violated multiple provisions of the European Union’s General Data Protection Regulation (GDPR). It specifically points to breaches related to lawful basis, transparency, fairness, data access rights, and privacy by design, all of which are important aspects of the GDPR.
The complaint highlights OpenAI’s failure to consult with EU regulators prior to launching ChatGPT in the region. According to Article 36 of the GDPR, companies are required to conduct an assessment of potential risks to individuals’ rights and engage with regulators when necessary. OpenAI’s lack of proactive engagement with local regulators raises questions about their compliance with European privacy rules.
This is not the first time OpenAI has faced GDPR concerns. Italy’s privacy watchdog, the Garante, previously ordered the company to halt data processing activities until several issues, including lawful basis and information disclosures, were addressed. The investigation by the Italian Data Protection Authority is ongoing, and other EU regulators are also examining ChatGPT.
The GDPR grants individuals the right to raise concerns with their local Data Protection Authority if they believe their rights are being violated by AI systems that process their data. OpenAI, which is not located in any EU member state, remains subject to regulatory risk across the bloc and could potentially face penalties amounting to 4% of its global annual turnover if found in violation of the GDPR.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union to safeguard individuals’ privacy rights and regulate the processing of their personal data. It came into effect in 2018 and applies to all organizations that handle EU citizens’ data, regardless of their location.
What are the major concerns raised in the complaint against OpenAI?
The complaint alleges that OpenAI has violated various aspects of the GDPR, including lawful basis, transparency, fairness, data access rights, and privacy by design. It suggests that OpenAI has launched ChatGPT in Europe without conducting a prior assessment of potential risks and without engaging with local regulators.
What are the potential consequences for OpenAI if found in violation of the GDPR?
Confirmed violations of the GDPR can result in penalties of up to 4% of a company’s global annual turnover. Additionally, Data Protection Authorities (DPAs) can issue corrective orders that may require reworking of technologies to ensure compliance with privacy regulations.
What actions can individuals take if they believe their rights are being violated by AI systems under the GDPR?
Individuals in the EU who are concerned that their data protection rights are being infringed can file complaints with their local Data Protection Authority (DPA) and ask regulators to initiate investigations. DPAs have the authority to assess potential violations of the GDPR and impose penalties on non-compliant organizations.