Italy’s data protection agency, Garante, has issued an order to OpenAI stating that they must take specific actions to revoke a ban imposed on ChatGPT, an artificial intelligence chatbot service, due to the suspected violation of the European Union’s General Data Protection Regulation (GDPR). The watchdog has mandated that OpenAI increases its transparency and issues an information notice that outlines its data processing practices comprehensively. In addition, Garante has demanded that OpenAI puts age-gating measures in place immediately to prevent minors from accessing its technology and adopts more stringent age verification methods.
OpenAI also needs to specify and justify the legal grounds it relies upon for processing individual’s data to train its AI. It cannot rely solely on contract performance, meaning the company must seek either user consent or rely on legitimate interest. Currently, OpenAI’s privacy policy refers to three legal bases but appears to give more weight to the performance of a contract when providing services like ChatGPT.
Moreover, OpenAI needs to enable users and non-users to exercise their rights regarding their personal data, including requesting corrections for any misinformation generated by ChatGPT or deleting their data. The regulatory agency also mandates that OpenAI allows users to object to processing their data to train its algorithms.
To inform individuals that their information is being processed to train its AI, OpenAI is also required to conduct an awareness campaign in Italy. Garante has set a deadline of April 30 for OpenAI to complete most of these tasks. However, the watchdog has granted extra time to comply with the additional demand of migrating from the existing age-gating child safety technology to a more resilient age verification system.
OpenAI has until May 31 to submit a plan outlining the implementation of age verification technology. The deadline for deploying this more robust system is set for September 30. On March 31, OpenAI took ChatGPT offline in Italy following concerns raised by Garante about possible privacy violations and a failure to verify the age of users.
The GDPR, put in place three years ago, aims to protect EU citizens’ privacy rights and prevent unlawful use of their personal data by companies. The regulation mandates that entities processing individuals’ personal data must comply with certain requirements, such as ensuring that personal data is processed lawfully, transparently, and for a specific purpose that can be justified. Companies must also ensure that data collection is minimized, use proportionality to the extent that the data is necessary in relation to the purpose for which it was collected, and guarantee that the data is accurate and kept up to date.
The GDPR also grants individuals a range of rights, including the right to access their personal data, request rectification, erasure, or restriction of its processing, and to object to its processing on certain grounds.
The global nature of artificial intelligence and data processing requires clear guidelines and regulations to protect users while fostering innovation. By imposing these measures, Garante hopes to establish a precedent for AI and data protection that will benefit individuals worldwide. However, as technology continues to evolve, regulators and companies must continue to work together to ensure the safe and ethical use of data.
In conclusion, OpenAI has been ordered to take specific measures to revoke its March 2023 ban on ChatGPT in Italy. Garante mandates that OpenAI increases its transparency, implements age-gating measures immediately, specifies the legal grounds for data processing practices comprehensively, enables users and non-users to exercise their rights regarding their personal data, and allows users to object to processing their data. Garante also requires OpenAI to conduct an awareness campaign in Italy to inform individuals that their information is being processed to train its AI. OpenAI has until September 30 to deploy a more robust age verification system. The GDPR and the establishment of regulatory frameworks like this are essential for users’ privacy rights amid the surge of AI innovation.
