Spain’s privacy watchdog says it’s probing ChatGPT too

Spain’s data protection authority, the AEPD, has followed Italy’s lead and announced a preliminary investigation of ChatGPT-maker OpenAI over suspected breaches of the European Union’s General Data Protection Regulation (GDPR).

At the end of last month, Italy’s DPA ordered OpenAI to stop processing locals’ data — over a range of suspected breaches of the GDPR — which swiftly led to OpenAI geoblocking the service in Italy.

At the time of writing ChatGPT remains accessible via a Spanish IP address. But the regulator does not appear to have issued an order that it suspend processing.

In a press release about its action (which we’ve translated from Spanish) it writes: “The Spanish Data Protection Agency (AEPD) has initiated ex officio preliminary investigation proceedings against the U.S. company OpenAI, owner of the ChatGPT service, for possible non-compliance with the regulations.”

The release does not provide any details of the specific concerns the AEPD has but we’ve reached out with questions.

Italy’s DPA has raised a range of GDPR concerns over ChatGPT, including the lawfulness of OpenAI’s processing, transparency issues, plus child protection and data access requirements.

Earlier this week it published a list of measures OpenAI must implement if it wants the local suspension order lifted, giving it a deadline of the end of the month to make most of the changes.

OpenAI has not commented publicly on the changes the Italian agency has asked for.

An OpenAI spokeswoman declined comment on the Spanish investigation now.

The AEPD’s press release confirms it earlier asked the European Data Protection Board (EDPB), a steering body for applying the GDPR, to include ChatGPT in a plenary discussion this week.

It says it made that ask considering OpenAI’s “global processing operations may have a significant impact on the rights of individuals” — which it also said may require “harmonized and coordinated actions at European level”.

“The Committee decided at today’s plenary session to launch a task force to promote cooperation and exchange information on the actions carried out by data protection authorities,” the AEPD adds.

The EDPB task force on ChatGPT will act in parallel to individual authority probes. But it may, ultimately, help to coordinate GDPR enforcement on the generative AI technology across the bloc. Although, in the short term, early mover DPAs like Italy and Spain could conclude their investigations and take enforcement action before the Board is in a position to offer any harmonizing recommendations.

One difference of approach is already in evidence: With Italy’s DPA issuing a suspension order, while Spain’s AEPD has only announced it’s taking a preliminary look into ChatGPT at this stage. Though that could suggest Spain’s probe is less advanced than Italy’s.

In further public remarks, the AEPD said it “advocates for the development and implementation of innovative technologies, such as artificial intelligence”. But it emphasized that such development must fully comply with the EU’s data protection framework and the rights and freedoms the GDPR affords individuals.

For more on how regulations like the GDPR are being applied to generative AI check out our deep dive.