Share This Article
The obligations imposed by the Italian data protection authority against Open AI to ensure privacy compliance on generative artificial intelligence might become a benchmark across the EU now that the EDPB has established a task force on ChatGPT.
The position of the Garante against the privacy compliance of ChatGPT
🗓 On March 30, 2023, the Italian data protection authority, the Garante, issued an urgent order of temporary limitation against Open AI regarding the processing of personal data belonging to individuals located in Italy about the ChatGPT. This order compelled Open AI to prevent Italian users from accessing the generative artificial intelligence system. Subsequent discussions between the Garante and Open AI have resulted in the Italian data protection authority agreeing to waive the order of temporary limitation. However, this is provided that Open AI satisfies specific requirements before April 30, 2023.
These requirements include
1️⃣ The publication of a fully GDPR-compliant privacy information notice on its website transparently, which should provide details on the modalities of processing individuals’ data concerning how data have been collected and processed for algorithm training;
2️⃣ The provision of tools to individuals to exercise their right to object to the processing carried out by the company for algorithm training and service delivery. Individuals should also be able to request and obtain the correction of any personal data concerning them that have been processed inaccurately in the generation of content. If correction is impossible due to the state of technology, individuals should be able to request the deletion of their personal data.
3️⃣ The identification of the legal basis of the processing of users’ personal data for algorithmic training that should be modified by Open AI, eliminating any reference to the contract performance and assuming the legal basis of processing as either consent or legitimate interest. Open AI should also make an easily accessible tool available through which users can exercise the right to object to processing their data for algorithm training if the legal basis chosen is a legitimate interest.
4️⃣ If the service is reactivated in Italy, Open AI should request all users connecting from Italy, including those already registered, to pass an age gate that excludes underage users based on their declared age.
📌 Open AI should also adopt age verification tools by May 31, 2023, suitable for excluding access to the service for users under 13 years old and under 18 years old without an express manifestation of will by those exercising parental responsibility over them. The implementation of this plan should start by September 30, 2023, at the latest. Finally, Open AI should begin, by May 15, 2023, at the latest, a non-promotional information campaign in all the leading Italian mass media (radio, television, newspapers, and the internet), the content of which will have to be agreed upon with the Garante. This campaign shall aim to inform people that (i) their personal data may have been collected for algorithm training, (ii) a detailed privacy information notice has been published on the company’s website, and (iii) a tool has been made available on the company’s website through which all those concerned may request and obtain the deletion of their personal data.
The EDPB members discussed the recent enforcement action undertaken by the Italian data protection authority against Open AI regarding the Chat GPT service and they launched a dedicated task force to foster cooperation and exchange information on possible enforcement actions conducted by data protection authorities.
Will the Italian case on ChatGPT set a benchmark for generative AI’s privacy compliance?
Regardless of the case’s merits, it will be interesting to see whether other EU privacy authorities will validate the Italian data protection authority’s position on ChatGPT and it will become a benchmark for privacy compliance of generative artificial intelligence systems. This circumstance might be beneficial for the growth of AI within the European Union since there will be a higher level of certainty about technologies that have massive potential and have exponentially been under the radar of authorities and rights holders.
This case is not the first one of the Garante against artificial intelligence systems since a similar decision had been taken against a different chatbot powered by AI (Read on the topic “Artificial intelligence powered chatbot banned by the Italian privacy authority“). Also, in the past, artificial intelligence systems used to assess workers had led to significant sanctions by the Garante for lack of transparency (Read on the topic “€ 2.6M GDPR fine for privacy breaches performed through the algorithm of a food delivery company“).
Companies understand that they need to implement generative artificial intelligence systems in their operations but are concerned about some of the grey areas relating to their compliance. A higher level of certainty on compliance would benefit the whole EU market. On the one hand, this might be achieved through the decision of the EDPB to confirm the position of the Garante and, on the other hand, by the upcoming adoption of the EU AI Act, whose approval process has been accelerated during the past weeks.
On a similar topic, you may find the following article, “EU Parliament broadens the definition of artificial intelligence under the AI Act,” useful.