Date: 2023-08-30

Questions about ChatGPT-maker OpenAI’s ability to comply with European privacy rules are in the frame again after a detailed complaint was filed with the Polish data protection authority yesterday.

The complaint, which TechCrunch has reviewed, alleges the US-based AI giant is in breach of the bloc’s General Data Protection Regulation (GDPR) — across a sweep of dimensions: Lawful basis, transparency, fairness, data access rights, and privacy by design are all areas where it argues OpenAI is infringing EU privacy rules. (Aka Articles 5(1)(a), 12, 15, 16 and 25(1) of the GDPR.)

Indeed, the complaint frames the novel generative AI technology and its maker’s approach to developing and operating the viral tool as essentially a systematic breach of the pan-EU regime. Another suggestion, therefore, is that OpenAI has overlooked another requirement in the GDPR to undertake prior consultation with regulators (Article 36) — since, if it had conducted a proactive assessment which identified high risks to people’s rights unless mitigating measures were applied, it should have given pause for thought. Yet OpenAI apparently rolled ahead and launched ChatGPT in Europe without engaging with local regulators, which could have ensured it avoided falling foul of the bloc’s privacy rulebook.

This is not the first GDPR concern lobbed in ChatGPT’s direction, of course. Italy’s privacy watchdog, the Garante, generated headlines earlier this year after it ordered OpenAI to stop processing data locally — directing the US-based company to tackle a preliminary list of problems it identified in areas including lawful basis, information disclosures, user controls and child safety.

ChatGPT was able to resume offering a service in Italy fairly quickly after it tweaked its presentation. But the Italian DPA’s investigation continues and it remains to be seen what compliance conclusions may emerge once that assessment has been completed. Other EU DPAs are also probing ChatGPT, while, in April, the bloc’s data protection authorities formed a task force to consider how they should approach regulating the fast-developing tech.

That effort is ongoing — and it’s by no means certain a harmonized approach to oversight of ChatGPT and other AI chatbots will emerge — but, whatever happens there, the GDPR is still law and still in force. So anyone in the EU who feels their rights are being trampled by Big AI grabbing their data for training models that may spit out falsities about them can raise concerns with their local DPA and press for regulators to investigate, as is happening here.

OpenAI does not have a main establishment in any EU Member State for the purpose of GDPR oversight, which means it remains exposed to regulatory risk in this area across the bloc. So it could face outreach from DPAs acting on complaints from individuals anywhere in the bloc.

Confirmed violations of the GDPR, meanwhile, can attract penalties as high as 4% of global annual turnover. DPAs’ corrective orders may also end up reworking how technologies function if they wish to continue operating inside the bloc.

Complaint of unlawful processing for AI training

The 17-page complaint filed yesterday with the Polish DPA is the work of Lukasz Olejnik, a security and privacy researcher, who is being represented for the complaint by Warsaw-based law firm, GP Partners.

Olejnik tells TechCrunch he became concerned after he used ChatGPT to generate a biography of himself and found it produced a text that contained some errors. He sought to contact OpenAI, towards the end of March, to point out the errors and ask for the inaccurate information about him to be corrected. He also asked it to provide him with a bundle of information that the GDPR empowers individuals to get from entities processing their data when the information has been obtained from somewhere other than themselves, as was the case here.

Per the complaint, a series of email exchanges took place between Olejnik and OpenAI between March and June of this year. And while OpenAI responded by providing some information in response to the Subject Access Request (SAR), Olejnik’s complaint argues it failed to produce all the information it must under the law — including, notably, omitting information about its processing of personal data for AI model training.

Under the GDPR, for personal data processing to be lawful the data controller needs a valid legal basis — which must be transparently communicated. So obfuscation is not a good compliance strategy. That is also because the regulation attaches the principle of fairness to the lawfulness of processing, which means anyone playing tricks to try to conceal the true extent of personal data processing is going to fall foul of the law too.

Olejnik’s complaint therefore asserts OpenAI breached Article 5(1)(a). Or, more simply, he argues the company processed his data “unlawfully, unfairly, and in a non-transparent manner”. “From the facts of the case, it appears that OpenAI systemically ignores the provisions of the GDPR regarding the processing of data for the purposes of training models within ChatGPT, a result of which, among other things, was that Mr. Łukasz Olejnik was not properly informed about the processing of his personal data,” the complaint notes.

It also accuses OpenAI of acting in an “untrustworthy, dishonest, and perhaps unconscientious manner” by failing to be able to comprehensively detail how it has processed people’s data.

“Although OpenAI indicates that the data used to train the [AI] models includes personal data, OpenAI does not actually provide any information about the processing operations involving this data. OpenAI thus violates a fundamental element of the right under Article 15 GDPR, i.e., the obligation to confirm that personal data is being processed,” runs another relevant chunk of the complaint (which has been translated into English from Polish using machine translation).