OpenAI is under scrutiny once again as it faces an investigation into whether its generative AI chatbot, ChatGPT, adheres to European Union privacy laws. Last month, a complaint was lodged against OpenAI and ChatGPT in Poland, alleging multiple breaches of the EU’s General Data Protection Regulation (GDPR). The Polish regulatory authority has now publicly confirmed that it has initiated an investigation into the matter.
In a translated press release, the Office for Personal Data Protection (UODO) stated that it is investigating a complaint against ChatGPT, in which the complainant accuses OpenAI of processing data unlawfully, in an unreliable manner, with opaque rules. The UODO anticipates a challenging investigation due to OpenAI’s location outside the EU and the unique nature of the generative AI chatbot technology it is examining.
Jan Nowak, President of the UODO, emphasized that the case involves numerous violations of personal data protection provisions, and OpenAI will be asked to respond to a series of questions as part of the administrative proceedings. Jakub Groszkowski, Deputy President of the UODO, warned that new technologies must operate within the legal framework and respect GDPR, citing allegations in the complaint that cast doubt on OpenAI’s approach to European data protection principles, particularly the GDPR’s privacy by design principle.
The complaint, filed by privacy and security researcher Lukasz Olejnik, alleges multiple GDPR breaches by OpenAI, including issues related to lawful basis, transparency, fairness, data access rights, and privacy by design. Olejnik’s complaint primarily centers on OpenAI’s response to his request to correct inaccuracies in a biography generated by ChatGPT about him. OpenAI claimed it could not make the corrections, and Olejnik further accused the company of inadequately responding to his subject access request, providing evasive, misleading, and internally contradictory answers.
The technology behind ChatGPT is a large language model (LLM), trained on vast amounts of natural language data to generate human-like responses. However, the model’s training, which includes scraping data from the public internet without individuals’ knowledge or consent, has raised GDPR compliance concerns in the EU. Additionally, OpenAI’s challenges in articulating how it processes personal data and correcting errors have attracted regulatory attention.
The EU regulates personal data processing, requiring processors to have a lawful basis, transparency, fairness, and granting data access rights to individuals, allowing them to request corrections to inaccurate data. Olejnik’s complaint tests OpenAI’s GDPR compliance across these dimensions, potentially influencing the development of generative AI.
Olejnik welcomed the UODO’s focus on privacy and data protection by design, emphasizing its importance in the investigation. He compared the experience of seeking answers from OpenAI to Kafka’s “The Trial” and hoped that this investigation would shed light on the processes involved.
The Polish authority’s prompt response and transparency in conducting the investigation are noteworthy. This investigation adds to OpenAI’s growing regulatory challenges in the EU, with Italy’s Data Protection Authority temporarily suspending ChatGPT earlier and Spain’s DPA initiating a probe. A taskforce established by the European Data Protection Board is also examining how DPAs should address AI chatbot technology, aiming to find consensus among EU privacy watchdogs on regulating novel tech.
While the taskforce does not replace individual authorities’ investigations, it may lead to harmonization in AI regulation. However, divergence remains possible if DPAs have varying views. The outcome of these investigations and the speed of regulatory action remain uncertain.
In its press release, the UODO’s president emphasized the authority’s commitment to the ChatGPT investigation, noting that the complaint’s allegations were not the first doubts regarding ChatGPT’s compliance with European data protection and privacy rules.
OpenAI, when contacted for comment on the Polish DPA’s investigation, did not provide a response. The company is taking steps to address the complex regulatory landscape in the EU, including opening an office in Dublin, Ireland, to potentially streamline its data protection regulations. However, OpenAI is not currently considered “main established” in any EU Member State for GDPR purposes, allowing competent authorities across the EU to investigate ChatGPT-related concerns. Complaints filed before any change in OpenAI’s main establishment status can still be lodged anywhere in the EU.
