\n<\/p>\n
OpenAI is facing another privacy complaint in the European Union. This one, which has been filed by privacy rights nonprofit noyb<\/a> on behalf of an individual complainant, targets the inability of its AI chatbot ChatGPT to correct misinformation it generates about individuals.<\/p>\n The tendency of GenAI tools to produce information that\u2019s plain wrong has been well documented. But it also sets the technology on a collision course with the bloc\u2019s General Data Protection Regulation (GDPR) \u2014 which governs how the personal data of regional users can be processed.<\/p>\n Penalties for GDPR compliance failures can reach up to 4% of global annual turnover. Rather more importantly for a resource-rich giant like OpenAI: Data protection regulators can order changes to how information is processed, so GDPR enforcement could reshape how generative AI tools are able to operate in the EU.<\/p>\n OpenAI was already forced to make some changes after an early intervention by Italy\u2019s data protection authority, which briefly forced a local shut down of ChatGPT back in 2023<\/a>.<\/p>\n Now noyb is filing the latest GDPR complaint against ChatGPT with the Austrian data protection authority on behalf of an unnamed complainant who found the AI chatbot produced an incorrect birth date for them.<\/p>\n Under the GDPR, people in the EU have a suite of rights attached to information about them, including a right to have erroneous data corrected. noyb contends OpenAI is failing to comply with this obligation in respect of its chatbot\u2019s output. It said the company refused the complainant\u2019s request to rectify the incorrect birth date, responding that it was technically impossible for it to correct.<\/p>\n Instead it offered to filter or block the data on certain prompts, such as the name of the complainant.<\/p>\n OpenAI\u2019s privacy policy<\/a> states users who notice the AI chatbot has generated \u201cfactually inaccurate information about you\u201d can submit a \u201ccorrection request\u201d through privacy.openai.com<\/a> or by emailing dsar@openai.com<\/a>. However, it caveats the line by warning: \u201cGiven the technical complexity of how our models work, we may not be able to correct the inaccuracy in every instance.\u201d<\/p>\n In that case, OpenAI suggests users request that it removes their personal information from ChatGPT\u2019s output entirely \u2014 by filling out a web form<\/a>.<\/p>\n The problem for the AI giant is that GDPR rights are not \u00e0 la carte. People in Europe have a right to request rectification. They also have a right to request deletion of their data. But, as noyb points out, it\u2019s not for OpenAI to choose which of these rights are available.<\/p>\n Other elements of the complaint focus on GDPR transparency concerns, with noyb contending OpenAI is unable to say where the data it generates on individuals comes from, nor what data the chatbot stores about people.<\/p>\n This is important because, again, the regulation gives individuals a right to request such info by making a so-called subject access request (SAR). Per noyb, OpenAI did not adequately respond to the complainant\u2019s SAR, failing to disclose any information about the data processed, its sources, or recipients.<\/p>\n Commenting on the complaint in a statement, Maartje de Graaf, data protection lawyer at noyb, said: \u201cMaking up false information is quite problematic in itself. But when it comes to false information about individuals, there can be serious consequences. It\u2019s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals. If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around.\u201d The company said it\u2019s asking the Austrian DPA to investigate the complaint about OpenAI\u2019s data processing, as well as urging it to impose a fine to ensure future compliance. But it added that it\u2019s \u201clikely\u201d the case will be dealt with via EU cooperation.<\/p>\n OpenAI is facing a very similar complaint in Poland. Last September, <\/a>the local data protection authority opened an investigation of ChatGPT following the complaint<\/a> by a privacy and security researcher who also found he was unable to have incorrect information about him corrected by OpenAI. That complaint also accuses the AI giant of failing to comply with the regulation\u2019s transparency requirements.<\/p>\n The Italian data protection authority, meanwhile, still has an open investigation into ChatGPT. In January<\/a> it produced a draft decision, saying then that it believes OpenAI has violated the GDPR in a number of ways, including in relation to the chatbot\u2019s tendency to produce misinformation about people. The findings also pertain to other crux issues, such as the lawfulness of processing.<\/p>\n The Italian authority gave OpenAI a month to respond to its findings. A final decision remains pending.<\/p>\n Now, with another GDPR complaint fired at its chatbot, the risk of OpenAI facing a string of GDPR enforcements across different Member States has dialed up.<\/p>\n
<\/em><\/p>\n