{"id":100333,"date":"2024-05-27T16:01:03","date_gmt":"2024-05-27T16:01:03","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/05\/27\/eus-chatgpt-taskforce-offers-first-look-at-detangling-the-ai-chatbots-privacy-compliance-techcrunch\/"},"modified":"2024-05-27T16:01:03","modified_gmt":"2024-05-27T16:01:03","slug":"eus-chatgpt-taskforce-offers-first-look-at-detangling-the-ai-chatbots-privacy-compliance-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/05\/27\/eus-chatgpt-taskforce-offers-first-look-at-detangling-the-ai-chatbots-privacy-compliance-techcrunch\/","title":{"rendered":"EU&#8217;s ChatGPT taskforce offers first look at detangling the AI chatbot&#8217;s privacy compliance | TechCrunch"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A data protection taskforce that\u2019s spent over a year considering how the European Union\u2019s data protection rulebook applies to OpenAI\u2019s viral chatbot, ChatGPT, reported <a href=\"https:\/\/www.edpb.europa.eu\/system\/files\/2024-05\/edpb_20240523_report_chatgpt_taskforce_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">preliminary conclusions<\/a> Friday. The top-line takeaway is that the working group of privacy enforcers remains undecided on crux legal issues, such as the lawfulness and fairness of OpenAI\u2019s processing.<\/p>\n<p class=\"wp-block-paragraph\">The issue is important as penalties for confirmed violations of the bloc\u2019s privacy regime can reach up to 4% of global annual turnover. Watchdogs can also order non-compliant processing to stop. 
So \u2014 in theory \u2014 OpenAI is facing considerable regulatory risk in the region at a time when <a href=\"https:\/\/techcrunch.com\/2024\/05\/21\/eu-council-gives-final-nod-to-set-up-risk-based-regulations-for-ai\/\" target=\"_blank\" rel=\"noreferrer noopener\">dedicated laws for AI<\/a> are thin on the ground (and, even in <a href=\"https:\/\/techcrunch.com\/2023\/12\/08\/eu-ai-act-political-deal\/\" target=\"_blank\" rel=\"noreferrer noopener\">the EU\u2019s case<\/a>, years away from being fully operational).<\/p>\n<p class=\"wp-block-paragraph\">But without clarity from EU data protection enforcers on how current data protection laws apply to ChatGPT, it\u2019s a safe bet that OpenAI will feel empowered to continue business as usual \u2014 despite the existence of a growing number of complaints its technology violates various aspects of the bloc\u2019s General Data Protection Regulation (GDPR).<\/p>\n<p class=\"wp-block-paragraph\">For example, <a href=\"https:\/\/techcrunch.com\/2023\/09\/21\/poland-chatgpt-gdpr-complaint-probe\/\" target=\"_blank\" rel=\"noopener\">this investigation from Poland\u2019s data protection authority (DPA)<\/a> was opened following a complaint about the chatbot making up information about an individual and refusing to correct the errors. 
A <a href=\"https:\/\/techcrunch.com\/2024\/04\/28\/chatgpt-gdpr-complaint-noyb\/\" target=\"_blank\" rel=\"noreferrer noopener\">similar complaint was recently lodged in Austria<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-lots-of-gdpr-complaints-a-lot-less-enforcement\">Lots of GDPR complaints, a lot less enforcement <\/h2>\n<p class=\"wp-block-paragraph\">On paper, the GDPR applies whenever personal data is collected and processed \u2014 something large language models (LLMs) like OpenAI\u2019s GPT, the AI model behind ChatGPT, are demonstrably doing at vast scale when they scrape data off the public internet to train their models, including by syphoning people\u2019s posts off social media platforms.<\/p>\n<p class=\"wp-block-paragraph\">The EU regulation also empowers DPAs to order any non-compliant processing to stop. This could be a very powerful lever for shaping how the AI giant behind ChatGPT can operate in the region <em>if<\/em> GDPR enforcers choose to pull it.<\/p>\n<p class=\"wp-block-paragraph\">Indeed, we saw a glimpse of this <a href=\"https:\/\/techcrunch.com\/2023\/03\/31\/chatgpt-blocked-italy\/\" target=\"_blank\" rel=\"noopener\">last year<\/a> when Italy\u2019s privacy watchdog hit OpenAI with a temporary ban on processing the data of local users of ChatGPT. The action, taken using emergency powers contained in the GDPR, led to the AI giant briefly shutting down the service in the country.<\/p>\n<p class=\"wp-block-paragraph\">ChatGPT only resumed in Italy after OpenAI <a href=\"https:\/\/techcrunch.com\/2023\/04\/28\/chatgpt-resumes-in-italy\/\" target=\"_blank\" rel=\"noreferrer noopener\">made changes to the information and controls<\/a> it provides to users in response to <a href=\"https:\/\/techcrunch.com\/2023\/04\/12\/chatgpt-italy-gdpr-order\/\" target=\"_blank\" rel=\"noreferrer noopener\">a list of demands by the DPA<\/a>. 
But the Italian investigation into the chatbot, including crux issues like the legal basis OpenAI claims for processing people\u2019s data to train its AI models in the first place, continues. So the tool remains under a legal cloud in the EU.<\/p>\n<p class=\"wp-block-paragraph\">Under the GDPR, any entity that wants to process data about people must have a legal basis for the operation. The regulation sets out six possible bases \u2014 though most are not available in OpenAI\u2019s context. And the Italian DPA already <a href=\"https:\/\/techcrunch.com\/2023\/04\/12\/chatgpt-italy-gdpr-order\/\" target=\"_blank\" rel=\"noreferrer noopener\">instructed<\/a> the AI giant it cannot rely on claiming a contractual necessity to process people\u2019s data to train its AIs \u2014 leaving it with just two possible legal bases: either consent (i.e. asking users for permission to use their data); or a wide-ranging basis called legitimate interests (LI), which demands a balancing test and requires the controller to allow users to object to the processing.   <\/p>\n<p class=\"wp-block-paragraph\">Since Italy\u2019s intervention, OpenAI appears to have switched to claiming it has a LI for processing personal data used for model training. However, <a href=\"https:\/\/techcrunch.com\/2024\/01\/29\/chatgpt-italy-gdpr-notification\/\" target=\"_blank\" rel=\"noreferrer noopener\">in January<\/a>, the DPA\u2019s draft decision on its investigation found OpenAI had violated the GDPR. Although no details of the draft findings were published so we have yet to see the authority\u2019s full assessment on the legal basis point. 
A final decision on the complaint remains pending.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-a-precision-fix-for-chatgpt-s-lawfulness\">A precision \u2018fix\u2019 for ChatGPT\u2019s lawfulness?<\/h2>\n<p class=\"wp-block-paragraph\">The taskforce\u2019s report discusses this knotty lawfulness issue, pointing out ChatGPT needs a valid legal basis for all stages of personal data processing \u2014 including collection of training data; pre-processing of the data (such as filtering); training itself; prompts and ChatGPT outputs; and any training on ChatGPT prompts.<\/p>\n<p class=\"wp-block-paragraph\">The first three of the listed stages carry what the taskforce couches as \u201cpeculiar risks\u201d for people\u2019s fundamental rights \u2014 with the report highlighting how the scale and automation of web scraping can lead to large volumes of personal data being ingested, covering many aspects of people\u2019s lives. It also notes scraped data may include the most sensitive types of personal data (which the GDPR refers to as \u201cspecial category data\u201d), such as health info, sexuality, political views etc, which requires an even higher legal bar for processing than general personal data.<\/p>\n<p class=\"wp-block-paragraph\">On special category data, the taskforce also asserts that just because it\u2019s public does not mean it can be considered to have been made \u201cmanifestly\u201d public \u2014 which would trigger an exemption from the GDPR requirement for explicit consent to process this type of data. 
(\u201cIn order to rely on the exception laid down in Article 9(2)(e) GDPR, it is important to ascertain whether the data subject had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public,\u201d it writes on this.)<\/p>\n<p class=\"wp-block-paragraph\">To rely on LI as its legal basis in general, OpenAI needs to demonstrate it needs to process the data; the processing should also be limited to what is necessary for this need; and it must undertake a balancing test, weighing its legitimate interests in the processing against the rights and freedoms of the data subjects (i.e. people the data is about). <\/p>\n<p class=\"wp-block-paragraph\">Here, the taskforce has another suggestion, writing that \u201cadequate safeguards\u201d \u2014 such as \u201ctechnical measures\u201d, defining \u201cprecise collection criteria\u201d and\/or blocking out certain data categories or sources (like social media profiles), to allow for less data to be collected in the first place to reduce impacts on individuals \u2014 could \u201cchange the balancing test in favor of the controller\u201d, as it puts it.<\/p>\n<p class=\"wp-block-paragraph\">This approach could force AI companies to take more care about how and what data they collect to limit privacy risks. <\/p>\n<p class=\"wp-block-paragraph\">\u201cFurthermore, measures should be in place to delete or anonymise personal data that has been collected via web scraping before the training stage,\u201d the taskforce also suggests. <\/p>\n<p class=\"wp-block-paragraph\">OpenAI is also seeking to rely on LI for processing ChatGPT users\u2019 prompt data for model training. 
On this, the report emphasizes the need for users to be \u201cclearly and demonstrably informed\u201d such content may be used for training purposes \u2014 noting this is one of the factors that would be considered in the balancing test for LI.<\/p>\n<p class=\"wp-block-paragraph\">It will be up to the individual DPAs assessing complaints to decide if the AI giant has fulfilled the requirements to actually be able to rely on LI. If it can\u2019t, ChatGPT\u2019s maker would be left with only one legal option in the EU: asking citizens for consent. And given how many people\u2019s data is likely contained in training data-sets it\u2019s unclear how workable that would be. (Deals the AI giant is fast cutting with <a href=\"https:\/\/techcrunch.com\/2024\/03\/13\/are-openais-deals-with-publishers-edging-out-the-competition\/\" target=\"_blank\" rel=\"noopener\">news publishers to license their journalism<\/a>, meanwhile, wouldn\u2019t translate into a template for licensing Europeans\u2019 personal data as the law doesn\u2019t allow people to sell their consent; consent must be freely given.) <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-fairness-amp-transparency-aren-t-optional\">Fairness &amp; transparency aren\u2019t optional<\/h2>\n<p class=\"wp-block-paragraph\">Elsewhere, on the GDPR\u2019s fairness principle, the taskforce\u2019s report stresses that privacy risk cannot be transferred to the user, such as by embedding a clause in T&amp;Cs that \u201cdata subjects are responsible for their chat inputs\u201d. 
<\/p>\n<p class=\"wp-block-paragraph\">\u201cOpenAI remains responsible for complying with the GDPR and should not argue that the input of certain personal data was prohibited in first place,\u201d it adds.<\/p>\n<p class=\"wp-block-paragraph\">On transparency obligations, the taskforce appears to accept OpenAI could make use of an exemption (GDPR Article 14(5)(b)) to notify individuals about data collected about them, given the scale of the web scraping involved in acquiring data-sets to train LLMs. But its report reiterates the \u201cparticular importance\u201d of informing users their inputs may be used for training purposes. <\/p>\n<p class=\"wp-block-paragraph\">The report also touches on the issue of ChatGPT \u2018hallucinating\u2019 (making information up), warning that the GDPR \u201cprinciple of data accuracy must be complied with\u201d \u2014 and emphasizing the need for OpenAI to therefore provide \u201cproper information\u201d on the \u201cprobabilistic output\u201d of the chatbot and its \u201climited level of reliability\u201d.<\/p>\n<p class=\"wp-block-paragraph\">The taskforce also suggests OpenAI provides users with an \u201cexplicit reference\u201d that generated text \u201cmay be biased or made up\u201d. <\/p>\n<p class=\"wp-block-paragraph\">On data subject rights, such as the right to rectification of personal data \u2014 which has been the focus of a number of GDPR complaints about ChatGPT \u2014 the report describes it as \u201cimperative\u201d people are able to easily exercise their rights. It also observes limitations in OpenAI\u2019s current approach, including the fact it does not let users have incorrect personal information generated about them corrected, but only offers to block the generation. 
<\/p>\n<p class=\"wp-block-paragraph\">However the taskforce does not offer clear guidance on how OpenAI can improve the \u201cmodalities\u201d it offers users to exercise their data rights \u2014 it just makes a generic recommendation the company applies \u201cappropriate measures designed to implement data protection principles in an effective manner\u201d and \u201cnecessary safeguards\u201d to meet the requirements of the GDPR and protect the rights of data subjects\u201d. Which sounds a lot like \u2018we don\u2019t know how to fix this either\u2019. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-chatgpt-gdpr-enforcement-on-ice\">ChatGPT GDPR enforcement on ice? <\/h2>\n<p class=\"wp-block-paragraph\">The ChatGPT taskforce was set up, back in <a href=\"https:\/\/techcrunch.com\/2023\/04\/13\/chatgpt-spain-gdpr\/\" target=\"_blank\" rel=\"noreferrer noopener\">April 2023<\/a>, on the heels of Italy\u2019s headline-grabbing intervention on OpenAI, with the aim of streamlining enforcement of the bloc\u2019s privacy rules on the nascent technology. The taskforce operates within a regulatory body called the European Data Protection Board (EDPB), which steers application of EU law in this area. Although it\u2019s important to note DPAs remain independent and are competent to enforce the law on their own patch where GDPR enforcement is decentralized. <\/p>\n<p class=\"wp-block-paragraph\">Despite the indelible independence of DPAs to enforce locally, there is clearly some nervousness\/risk aversion among watchdogs about how to respond to a nascent tech like ChatGPT. <\/p>\n<p class=\"wp-block-paragraph\">Earlier this year, when the Italian DPA announced its draft decision, it made a point of noting its proceeding would \u201ctake into account\u201d the work of the EDPB taskforce. 
And there are other signs watchdogs may be more inclined to wait for the working group to weigh in with a final report \u2014 maybe in another year\u2019s time \u2014 before wading in with their own enforcements. So the taskforce\u2019s mere existence may already be influencing GDPR enforcements on OpenAI\u2019s chatbot by delaying decisions and putting investigations of complaints into the slow lane.<\/p>\n<p class=\"wp-block-paragraph\">For example, in a recent <a href=\"https:\/\/serwisy.gazetaprawna.pl\/orzeczenia\/artykuly\/9511279,nawet-ustawa-nie-moze-byc-wymowka-dla-uodo-wywiad.html\" target=\"_blank\" rel=\"noreferrer noopener\">interview in local media<\/a>, Poland\u2019s data protection authority suggested its investigation into OpenAI would need to wait for the taskforce to complete its work. <\/p>\n<p class=\"wp-block-paragraph\">The watchdog did not respond when we asked whether it\u2019s delaying enforcement because of the ChatGPT taskforce\u2019s parallel workstream. While a spokesperson for the EDPB told us the taskforce\u2019s work \u201cdoes not prejudge the analysis that will be made by each DPA in their respective, ongoing investigations\u201d. But they added: \u201cWhile DPAs are competent to enforce, the EDPB has an important role to play in promoting cooperation between DPAs on enforcement.\u201d<\/p>\n<p class=\"wp-block-paragraph\">As it stands, there looks to be a considerable spectrum of views among DPAs on how urgently they should act on concerns about ChatGPT. 
So, while Italy\u2019s watchdog made headlines for its swift interventions last year, Ireland\u2019s (now former) data protection commissioner, Helen Dixon, <a href=\"https:\/\/www.reuters.com\/technology\/irish-data-regulator-warns-against-rushing-into-chatbot-bans-2023-04-20\/\" target=\"_blank\" rel=\"noreferrer noopener\">told a Bloomberg conference in 2023<\/a> that DPAs shouldn\u2019t rush to ban ChatGPT \u2014 arguing they needed to take time to figure out \u201chow to regulate it properly\u201d.<\/p>\n<p class=\"wp-block-paragraph\">It is likely no accident that OpenAI moved to set up an EU operation in Ireland <a href=\"https:\/\/techcrunch.com\/2023\/09\/14\/openai-dublin-eu-regulation\/\" target=\"_blank\" rel=\"noreferrer noopener\">last fall<\/a>. The move was quietly followed, <a href=\"https:\/\/techcrunch.com\/2024\/01\/02\/openai-dublin-data-controller\/\" target=\"_blank\" rel=\"noreferrer noopener\">in December<\/a>, by a change to its T&amp;Cs \u2014 naming its new Irish entity,\u00a0OpenAI\u00a0Ireland Limited, as the regional provider of services such as ChatGPT \u2014 setting up a structure whereby the AI giant was able to apply for Ireland\u2019s Data Protection Commission (DPC) to become its lead supervisor for GDPR oversight.<\/p>\n<p class=\"wp-block-paragraph\">This regulatory-risk-focused legal restructuring appears to have paid off for OpenAI as the EDPB ChatGPT taskforce\u2019s report suggests the company was granted main establishment status as of February 15 this year \u2014 allowing it to take advantage of a mechanism in the GDPR called the One-Stop Shop (OSS), which means any cross border complaints arising since then will get funnelled via a lead DPA in the country of main establishment (i.e., in OpenAI\u2019s case, Ireland). 
<\/p>\n<p class=\"wp-block-paragraph\">While all this may sound pretty wonky it basically means the AI company can now dodge the risk of further decentralized GDPR enforcement \u2014 like we\u2019ve seen in Italy and Poland \u2014 as it will be Ireland\u2019s DPC that gets to take decisions on which complaints get investigated, how and when going forward. <\/p>\n<p class=\"wp-block-paragraph\">The Irish watchdog has gained a reputation for taking a business-friendly approach to enforcing the GDPR on Big Tech. In other words, \u2018Big AI\u2019 may be next in line to benefit from Dublin\u2019s largess in interpreting the bloc\u2019s data protection rulebook.<\/p>\n<p class=\"wp-block-paragraph\">OpenAI was contacted for a response to the EDPB taskforce\u2019s preliminary report but at press time it had not responded. <\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2024\/05\/27\/eus-chatgpt-taskforce-offers-first-look-at-detangling-the-ai-chatbots-privacy-compliance\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A data protection taskforce that\u2019s spent over a year considering how the European Union\u2019s data protection rulebook applies to OpenAI\u2019s viral chatbot, ChatGPT, reported preliminary conclusions Friday. The top-line takeaway is that the working group of privacy enforcers remains undecided on crux legal issues, such as the lawfulness and fairness of OpenAI\u2019s processing. 
The issue [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":100334,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-100333","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/100333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=100333"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/100333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/100334"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=100333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=100333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=100333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}