OpenAI, a significant force in artificial intelligence, finds itself under the scrutiny of the Italian Data Protection Authority (DPA). The DPA is investigating potential violations of EU privacy laws, particularly the General Data Protection Regulation (GDPR). The stakes are high, with potential fines reaching €20 million or 4% of OpenAI’s annual turnover. OpenAI has a crucial 30-day window to formulate a comprehensive response to the weighty allegations.
Compliance Challenges in the EU:
At the heart of the investigation are concerns raised by Italian authorities about OpenAI’s adherence to GDPR. These concerns prompted the temporary suspension of ChatGPT in the European market last year. In a “register of measures” released on March 30, the Italian DPA highlighted critical issues. These include the absence of a suitable legal basis for the collection and processing of personal data, crucial for training ChatGPT’s algorithms. Additionally, worries surfaced regarding the AI tool’s inclination towards “hallucinations” and potential risks to child safety. The alleged breaches span several GDPR articles, including Articles 5, 6, 8, 13, and 25, notes NIX Solutions.
Data Processing and Legal Basis:
The core challenge revolves around ChatGPT’s unique position in the EU landscape. Developed using data from the public internet, including personal information, the AI tool must meticulously comply with the GDPR’s rigorous regulations. OpenAI faces the complex task of selecting a valid legal basis for processing the data of EU residents. Only two options are plausible, “validated consent” and “legitimate interests,” and the latter confronts potential objections from data owners and regulatory skepticism. Striking a balance between OpenAI’s interests and the rights of individuals becomes a formidable challenge under the GDPR framework.
Regulatory Mitigation Efforts:
Mindful of looming regulatory risks, OpenAI strategically positions itself to address potential fallout. The organization aims to establish a separate entity in Ireland, with aspirations to attain “principal establishment” status. This status would streamline GDPR compliance assessments by routing them exclusively through the Irish Data Protection Commission, mitigating regulatory complexities. However, OpenAI’s pursuit of this status leaves ChatGPT exposed to investigations by data protection authorities in other EU countries.