ChatGPT Faces Another EU Privacy Complaint

OpenAI has found itself embroiled in yet another privacy dispute within the European Union. This time, a complaint has been lodged by the privacy rights nonprofit noyb on behalf of an individual complainant. The complaint takes aim at the incapacity of OpenAI’s AI chatbot, ChatGPT, to rectify misinformation it generates about individuals.

The propensity of AI tools like ChatGPT to churn out inaccurate information has long been recognized. However, this not only poses ethical dilemmas but also brings these technologies into direct conflict with the European Union’s General Data Protection Regulation (GDPR), which dictates how the personal data of EU citizens can be handled.

Under the GDPR, penalties for non-compliance can soar up to 4% of global annual turnover. Additionally, data protection regulators hold the authority to mandate changes in data processing practices, potentially reshaping the landscape for generative AI tools within the EU.

OpenAI was compelled to enact changes previously after Italy’s data protection authority intervened, resulting in a temporary shutdown of ChatGPT in 2023.

The latest GDPR complaint against ChatGPT has been lodged by noyb with the Austrian data protection authority. It represents an unnamed complainant who discovered that the AI chatbot had generated an incorrect birth date for them.

According to the GDPR, individuals in the EU possess a suite of rights concerning their personal information, including the right to rectify incorrect data. noyb alleges that OpenAI is failing to adhere to this obligation regarding the output of its chatbot. OpenAI purportedly claimed technical impossibility in correcting the misinformation and instead offered to filter or block certain data prompts, such as the name of the complainant.

OpenAI’s privacy policy outlines a process for users to request corrections for “factually inaccurate information about you” by submitting a “correction request” through privacy.openai.com or by emailing dsar@openai.com. However, it cautions that due to the technical complexity of their models, not all inaccuracies may be correctable. In such cases, users are advised to request the removal of their personal information from ChatGPT’s output by filling out a web form.

The main issue for the AI Giant is that GDPR rights are not selectively applicable. Individuals in Europe are entitled to request both rectification and deletion of their data. But, as noyb asserts that, OpenAI cannot cherry-pick which rights to honor.

Additionally, the complaint raises concerns about GDPR transparency, with noyb alleging that OpenAI fails to disclose the sources of the data it generates on individuals or what data the chatbot stores about them. The regulation grants individuals the right to request such information through a subject access request (SAR), which OpenAI allegedly did not adequately respond to in this case, unable to disclose any information about the data processed, its sources, or its recipients.

Maartje de Graaf, data protection lawyer at noyb, commented in a statement against a complaint that “Making up false information is quite problematic in itself. But when it comes to false information about individuals, there can be serious consequences. It’s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals. If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around.”

The company has disclosed that it is urging the Austrian DPA to investigate the complaint about Open AI’s data processing and impose fines to ensure future compliance, although it anticipates the case will be handled via EU cooperation mechanisms.

OpenAI is grappling with a similar complaint in Poland, where the local data protection authority initiated an investigation into ChatGPT last September. The investigation was prompted by a complaint from a privacy and security researcher who found themselves unable to correct inaccurate information generated by OpenAI. This complaint also alleges that the AI giant has failed to comply with the transparency requirements outlined in the GDPR.

Meanwhile, the Italian data protection authority continues its investigation into ChatGPT. In January, it released a draft decision asserting that OpenAI has violated the GDPR on several fronts, including the chatbot’s tendency to generate misinformation about individuals. The findings also address other critical issues, such as the lawfulness of data processing.

OpenAI was given a month to respond to the Italian authority’s findings, and a final decision is still pending.

Now that yet another GDPR complaint has been lodged against its chatbot, OpenAI faces an increased risk of enforcement actions across different EU Member States.

In an attempt to mitigate regulatory risks, OpenAI established a regional office in Dublin last fall. This strategic move aims to minimize regulatory exposure by channeling privacy complaints through Ireland’s Data Protection Commission. The GDPR includes a mechanism that streamlines oversight of cross-border complaints by directing them to a single member state authority where the company is “main established.”

Read More: Sanctuary’s Latest Humanoid Robot With Rapid Learning at Reduced Cost