OpenAI Faces GDPR Compliance Issues over Data Protection Breaches

OpenAI, the creator of ChatGPT, is under scrutiny once again for potential violations of the General Data Protection Regulation (GDPR) in the European Union.

The complaint, lodged with the Polish Data Protection Authority, accuses the company of breaching essential standards of the GDPR like transparency, fairness, privacy, and the right to access data.

Lukasz Olejnik, a security and privacy researcher, filed the 17-page complaint after he used ChatGPT to generate a biography about himself and discovered discrepancies in the output.

Concerned with the inaccuracies, he addressed the errors by contacting OpenAI and requesting to rectify them. The complaint states that the company failed to furnish all the necessary information about its data processing practices, as required by the GDPR.

GDPR's Clauses For Data Controllers

According to the established standards of the GDPR, data controllers need to have a valid legal basis to process personal data. Besides, they need to communicate this legality transparently.

The complaint alleges that OpenAI processed personal data unlawfully, unfairly, and in a non-transparent manner."

The complaint also highlights the lack of compliance of OpenAI with the right of individuals to correct inaccuracies in their personal data, which further violates the GDPR.

The complaint points out that the design of ChatGPT, along with the alleged breaches, contradicts the principle of GDPR of protecting data. It argues that generative AI has been launched in Europe without conducting a proactive assessment.

No local regulators were engaged, which violates GDPR's requirement for prior consultation. Therefore, OpenAI has violated Article 15 of the GDPR.

This isn't the first time OpenAI has faced concerns related to compliance. Earlier this year, OpenAI faced temporary restrictions in Italy after Garante, its privacy watchdog, ordered an investigation into its GDPR privacy breaches and practices for verifying age.

The investigation is still underway, although ChatGPT was subsequently allowed to operate in Italy after it made some adjustments.

Although OpenAI indicates that the data used to train the [AI] models includes personal data, OpenAI does not actually provide any information about the processing operations involving this data.Official complaint

The fallout of violating GDPR on ChatGPT can be adverse, leading to penalties of up to 4% of the company's global annual turnover. As a part of corrective measures, the company may also have to adjust its technological operations in the EU.

Polish Data Protection Authority To Investigate The Complaint

The Polish Data Protection Authority will investigate the complaint, and the process can span several months to a few years. OpenAI is yet to respond to inquiries from the media about these allegations.

However, it may face regulatory actions from data protection authorities throughout the EU if investigators find the allegations true.

This case also marks the importance of respecting data protection regulations like the GDPR in a rapidly evolving AI landscape.

At a time when data privacy is of paramount importance, the outcome of this complaint may have a far-reaching impact on OpenAI and other organizations in the generative AI field.

The post OpenAI Faces GDPR Compliance Issues over Data Protection Breaches appeared first on The Tech Report.