In previous newsletters, we have analyzed the possible privacy violations committed by ChatGPT’s parent company, OpenAI. Specifically, we noted that the company may have violated EU privacy laws.
Potential privacy concerns were not properly assessed and addressed… the language model collects your account information, data from your device and browser as well as any information you type into the chatbot itself. This is undoubtedly news to many users who view the chatbot as a tool and not an information-gathering device for OpenAI.
In the time since our last ChatGPT update, we have gained further clarity. Italy’s data protection authority (Garante) notified OpenAI that the company violated Europe’s General Data Protection Regulation rules. What we do not know, as of yet, is what constitutes this violation; however, we do know that OpenAI has 30 days to respond to the allegations and faces up to €20 million in fines. We also know that the company was said to have violated Articles 5, 6, 8, 13 and 25 of the EU’s General Data Protection Regulation last year as a result of the data protection authority’s investigation.
In that fact-finding mission, Garante discovered that the messages and payment information of some users were exposed for others to view. Additionally, ChatGPT did not have a system that could verify the age of its users, which meant that minors were able to prompt the chatbot to provide answers inappropriate for their ages. Beyond the scope of fact finding, the data protection authority questioned whether the sheer tonnage of data that OpenAI collected was legally protected, and it raised concerns about fake information that the chatbot was able to produce.
This is not the first time that data protection authorities have expressed concern over ChatGPT or generative AI more broadly. Regulators are growing increasingly concerned with how generative AI systems acquire personal data. In the United States, for example, the Federal Trade Commission has opened an inquiry into the funding of AI systems by tech giants like Amazon, Google and Microsoft. These concerns are even stronger overseas, where the notoriously privacy-protective EU has unanimously endorsed the AI Act, the first comprehensive legal guide to artificial intelligence. Once the act is in effect, it is only a matter of time before another generative AI company finds itself in hot water.