Data Protection Aspects When Using the ChatGPT-API
Recent events surrounding OpenAI's chatbot, ChatGPT, have highlighted various data protection challenges. The Italian Data Protection Authority, for example, has temporarily banned ChatGPT's operation in Italy because of a lack of a legal basis for processing personal data and failing to integrate an effective age verification system to protect children under 13. Other supervisory authorities worldwide have also started investigations.
Companies that integrate ChatGPT into their products and services via the API become data controllers under data protection law, with OpenAI becoming a service provider and processor acting on the instructions of the company using the API. As controllers, companies using the API must demonstrate for each processing step that the processing in question is data protection compliant. The controller must have a legal basis for the data processing when using the chatbot.
It is essential that when integrating ChatGPT into products and services, the applicable data protection requirements are properly implemented to avoid becoming an addressee of supervisory measures. For instance, companies using the API must transparently explain to users how and why their data is being processed, how long it is stored, when it is deleted, and how they can exercise their data protection rights. A data processing agreement can be concluded electronically between the client as the data controller and OpenAI as the processor.
It is critical to ensure that sensitive content is not further processed for the AI algorithm. The responsible party can regularly invoke a necessity for the protection of a legitimate interest or for the performance of a contract to protect users' data. The controller must make data processing transparent through independent information about the data processing. Instead of merely referring to the OpenAI privacy policy, the controller must provide clear information about how and for what purposes the data of the users is processed.
It is essential to properly implement the applicable data protection requirements when integrating ChatGPT into products and services via the API to ensure compliance with data protection laws. Companies using the API must ensure that data processing is transparent, have a legal basis for data processing, and ensure sensitive content is not further processed for the AI algorithm.
