ChatGPT GDPR Compliance to Undergo Formal Inspection
ChatGPT, the AI service developed by OpenAI, is currently undergoing a formal inspection of its GDPR compliance. Following Italy’s decision to ban the service over concerns about privacy and child safety, data protection watchdogs in Germany, France and Spain have all raised questions about ChatGPT’s compliance with the EU’s General Data Protection Regulation.
While an EU task force has been formed to harmonize efforts, individual countries are currently conducting their own investigations. Germany is examining ChatGPT’s GDPR compliance in terms of required access to stored personal information, its efforts to inform data subjects of their rights under the law, and how it is handling the data of minors.
As part of its GDPR compliance review, OpenAI has been asked to complete a questionnaire regarding its GDPR compliance responsibilities. The German data regulator has said that OpenAI needs to demonstrate that it is providing the public with means to view collected personal data and to have it revised or removed, as is stipulated by GDPR terms. It also said that the firm must clarify to users how these rights can be exercised; transparency about this access is another requirement of the GDPR. The regulatory body expressed particular concern about how the data of protected minors is being handled.
While some countries have not yet targeted OpenAI with regulatory attention, others, like France, opened a formal investigation only after receiving “several” GDPR complaints related to ChatGPT. Spain has initiated an inquiry independently but is petitioning the European Data Protection Board to facilitate standards for regulation across the whole region.
In addition to answering the concerns listed on the questionnaire, OpenAI has been asked to carry out a data protection impact assessment and to determine if data protection risks are under control.
AI and Copyright
Content creators have been increasingly concerned that AI training models are scraping their work, using it without compensation, and potentially even regurgitating it for free. To this end, a large collection of German trade unions and worker’s associations have issued a call to Brussels to more quickly take up the issue of AI regulation.
Determining if ChatGPT is in violation of intellectual property protections will vary by region, but there are some fundamental shared principles that are expected to be tested by courts. One is if the AI simply made its own unauthorized copies of works to store in its training set; OpenAI says that it “may” do this, and ChatGPT spitting out certain copyrighted works on command appears to prove that it does with some frequency. The second big question will be whether ChatGPT uses legally protected materials it trains on to create derivative works.
Do “fair use” exceptions apply to an AI that is essentially a business product at the end of the day? GDPR compliance requirements do loosely include IP rights in some ways, but this element is more directly governed by a set of EU directives specific to copyright and reproductions of works.
Other elements of harm that may fall outside of GDPR compliance terms will inevitably have to be addressed. The first suicide attributed to a chatbot took place in late March, when a Belgian man who was concerned about global warming took his own life after the chatbot (a “therapist” bot called Eliza) seemingly stoked his fears and encouraged him to do so. Advocacy groups in both the US and EU are lobbying for an “AI pause” as these harms are evaluated and regulatory safeguards can be developed.
