The proliferation of the use of ChatGPT has recently generated interest from European data protection authorities who are concerned with how user data, linked to registration details, and data which is entered into and processed by the platform itself, is being utilised. These concerns are a logical part of the discussion around how AI platforms, including natural language processors and large language models, should be regulated.
The initial commotion around ChatGPT focused on how it could be utilised, whether for good or ill. One potential exploitation was by threat actors seeking to refine phishing materials. This anxiety has only been exacerbated by reports that users are inputting commercially sensitive information into the platform when testing its capabilities. There are also fears that users are entering confidential information and personal data into the chatbot, potentially leading to breaches of the EU GDPR/UK GDPR. Businesses need to be aware of the risks associated with use of AI platforms by their employees, whether sanctioned or unauthorised, and will need to have policies and measures in place to avoid deliberate or inadvertent breaches of the GDPR regarding such use.
The question increasingly being asked is: How is OpenAI, the developer of ChatGPT, using the data it has obtained via the tool?
OpenAI's privacy policy states that it collects the IP addresses of users, device information, browser type and settings, and how they interact with the site, including specific features, actions or types or content. Their privacy policy also states that in “certain circumstances we may provide [users'] Personal Information to third parties without further notice to [users].”
Given the broad nature of this policy, and the aforementioned concerns, it is not surprising that urgent measures are being proposed, and even undertaken, by regulators to ensure that ChatGPT itself is compliant with data protection legislation.
Aside from the EU/UK GDPR, the draft AI Act, which is proposed European Union legislation first published in 2021, has recently been amended to accommodate the recent surge in ‘general purpose’ AI models, such as ChatGPT. Once implemented, the AI Act will now require generative AI models to disclose the use of any copyrighted materials used to develop the systems. In addition, these tools will now have to be developed and designed in line with EU laws and fundamental rights – there is an interesting overlap between some of the core obligations under the draft AI Act, relating to transparency, fairness etc., with the principles of the EU/UK GPDR.
Actions of European data protection authorities
In April, the European Data Protection Board (“EDPB”) decided to launch a dedicated task force to foster cooperation and to exchange information on possible enforcement action conducted by data protection authorities against ChatGPT. The discussion at EDPB level was instigated by the Spanish data protection agency (AEPD), and was preceded by the decision of the Italian data regulator, known as the Garante, to temporarily block ChatGPT from operating in Italy. The activity was prompted by a report of a data breach affecting user conversations and payment details.
OpenAI was ordered to undertake a series of measures before the Garante was be willing to lift the temporary suspension. These measures included:
- Removal of the 'necessary for the performance of a contract' lawful basis as an option for processing personal data by ChatGPT, instead requiring OpenAI to choose between either consent or legitimate interests;
- Providing methods for users/ non-users (as appropriate) to exercise their rights in respect of their personal data. This included ensuring OpenAI was able to respond to requests for rectification of false or inaccurate information which may be generated about that data subject by ChatGPT, or in the alternative, facilitating the deletion of their data;
- Allowing users to object to OpenAI’s processing of their data for training its algorithms; and
- An information campaign had to be undertaken by OpenAI to inform Italians that OpenAI is processing their information to train the ChatGPT AI platform. The company has already made available a form for users in the European Union to object to the use of their personal data to train the models.
OpenAI responded to these requests and the ban was subsequently lifted, with ChatGPT being permitted to recommence operating in Italy.
These measures give an indication as to the steps that OpenAI and other AI platforms will increasingly face in relation to their future operations in the EU and UK.
The Italian data protection regulator also expressed concerns about the lack of an age verification mechanism which meant that ChatGPT allowed children to receive “responses that are absolutely inappropriate to their age and awareness.” In response, OpenAI was required to immediately implement an age request system for the purpose of registration and submit an action plan to introduce a robust age verification system by 30 September 2023.
These steps are unsurprising, the Italian regulator has been at the vanguard of taking proactive steps in respect of the exposure of children to AI tools, as evidenced with recent measures against the developer of the AI chatbot, Replika. We have reported recently on updates in this area too.
Other European data protection authorities have announced their own investigations into ChatGPT, including the following:
- Whilst not publicised on their website, the French data protection regulator (CNIL) stated to Reuters that it was investigating several complaints raised about ChatGPT;
- The Spanish Agency for Data Protection (AEPD) initiated investigation proceedings against OpenAI for a possible breach of GDPR on 13 April 23;
- The German data protection authority (AP) has asked OpenAI for information regarding the manner in which personal data is being handled by ChatGPT, including if the questions which people ask ChatGPT are used to train the algorithm, and if so, how. Furthermore, the AP said it has concerns about the information GPT “generates” in its answers. “The generated content may be inaccurate, outdated, inappropriate or offensive and may take on a life of its own,” the AP said. “Whether and how OpenAI can rectify or delete that data is unclear.”
- In Germany, regional data protection authorities in Schleswig-Holstein compiled a questionnaire for OpenAI. The questionnaire sought answers on whether ChatGPT has carried out a data protection impact assessment ("DPIA"), and consequently, whether any data protection risks identified by the DPIA have been sufficiently mitigated. Further, the Rhineland-Palatinate Commissioner for Data Protection has recently said that if there is no legal basis for the processing of the personal data that is being used to train the large language model, then it would consider banning Chat GPT.
- In Ireland, the Data Protection Commissioner, renowned for regularly taking enforcement action against tech giants, has:
- contacted the Garante in Italy to ask for more information on its findings. In contrast to other regulators, the Irish Data Protection Commissioner, Helen Dixson, has warned against laws or bans, and instead suggested that thoughtful analysis and consideration are required before taking such action. The Irish DPC agrees that regulation is required, but the DPAs “must figure out how to do so before rushing to prohibitions that really aren’t going to stand up”; and
- delayed the launch of Google's AI chatbot, Bard – due to a lack of a DPIA and other supporting documentation evidencing that Google is able to process citizens' data in line with the EU GDPR.
- In the UK whilst no formal investigation has been initiated, on 3 April 2023, the ICO reminded organisations using AI software that there are no exceptions to the rules when it comes to using personal data.
What next?
The urgency of these interventions and attention of the regulators reflects the widespread use of ChatGPT, and given the thought-provoking capabilities of this and other generative AI tools, it is not surprising that people are using tools such as ChatGPT without considering the associated data protection risks. Unfortunately, some of the adverse consequences arising from such use will only be encountered through trial and error and the associated publicity that this generates.
In the meantime, we will continue to report on developments in this area, in particular steps taken by data protection authorities to regulate this space.
