As artificial intelligence technologies like OpenAI’s ChatGPT advance, they encounter increasing scrutiny from regulatory bodies, particularly concerning data protection and privacy. The European Data Protection Board (EDPB) has been investigating whether ChatGPT complies with the General Data Protection Regulation (GDPR). This blog explores the key issues identified by the EDPB, how the EU AI Act and GDPR influence this, and the potential implications for OpenAI.

First, let’s examine how the GDPR and EU AI Act converge on consumer protection when it comes to automated decision-making.

GDPR vs EU AI Act

Although AI isn’t specifically mentioned in the GDPR, Article 22 indirectly controls AI use by regulating automated decision-making that impacts individuals. There’s some tension between GDPR and AI since AI often involves collecting large amounts of data and has broad applications, making it hard to define “processing purposes” clearly. However, many data protection principles overlap with those in the EU AI Act, which acknowledges the GDPR’s importance. The EU AI Act was developed partly based on Article 16 of the Treaty on the Functioning of the European Union, which mandates EU rules for personal data protection and this clearly interacts with GDPR.

Key GDPR Concerns

As OpenAI navigates compliance with GDPR, it must address several critical issues highlighted by the European Data Protection Board (EDPB). These concerns include establishing a valid legal basis for data processing, ensuring data accuracy, and meeting transparency obligations. Understanding and effectively managing these key areas are essential for OpenAI to comply with GDPR and maintain user trust.

· Lawfulness and Fairness of Data Processing

The GDPR mandates a valid legal basis for all stages of personal data processing. Initially, OpenAI claimed contractual necessity but was instructed by the Italian Data Protection Authority (DPA) to rely on either consent or legitimate interests (LI). OpenAI now claims LI, but it must prove the necessity and proportionality of processing data against the rights of individuals.

· Data Accuracy

Article 5 of the GDPR requires that personal data be accurate and up to date. AI models like ChatGPT can “hallucinate,” generating incorrect or misleading information. The EDPB emphasizes transparency about potential inaccuracies and mandates mechanisms for correcting false information to ensure compliance with this principle.

· Transparency Obligations

GDPR Article 14 necessitates informing individuals when their data is collected and processed. While OpenAI may invoke an exemption if notifying individuals is impractical, transparency remains crucial. Users must be clearly informed that their inputs may be used for AI training purposes, ensuring that they understand how their data is utilized.

Data Scraping and Privacy Risks

One of the most contentious issues surrounding the deployment of AI technologies like ChatGPT is their reliance on vast amounts of data scraped from the internet. This process, essential for training large language models (LLMs), raises significant privacy concerns. The European Data Protection Board (EDPB) has highlighted the inherent risks associated with data scraping, particularly regarding the collection of personal and sensitive data without explicit consent. Understanding and mitigating these risks is crucial for ensuring compliance with GDPR and protecting individuals’ privacy rights.

· Web Scraping

Large language models (LLMs) like ChatGPT rely on data scraped from the internet, including personal data. The EDPB suggests limiting data collection from certain sources, such as public social media profiles, to mitigate privacy risks. Additionally, measures should be in place to delete or anonymize personal data before the training stage to enhance data protection.

· Special Category Data

Scraped data may include sensitive personal information, such as health or political views, which require explicit consent for processing under the GDPR. Meeting this high bar for consent is crucial to avoid violating GDPR principles, ensuring that OpenAI handles such data with the necessary legal safeguards.

Data Subject Rights

A cornerstone of the General Data Protection Regulation (GDPR) is the protection of data subject rights, ensuring individuals have control over their personal data. For AI technologies like ChatGPT, upholding these rights presents unique challenges, especially in providing access, rectification, and erasure of data. The European Data Protection Board (EDPB) has underscored the importance of these rights, emphasizing that users must have the ability to manage their data effectively. Addressing these concerns is not only a legal obligation for OpenAI but also a critical factor in building user trust and ensuring ethical AI deployment.

· Right to Access and Rectification

GDPR grants individuals the right to access and correct their personal data. Complaints against OpenAI have highlighted issues with correcting inaccurate information generated by ChatGPT. The EDPB emphasizes the importance of providing mechanisms for users to exercise their rights effectively, ensuring they can access and rectify their data as needed.

· Continuous Monitoring and Improvement

Continuous monitoring is essential to keep the ethics framework current and robust. Implementing adequate safeguards and technical measures can help balance the interests of data processing with individual rights, ensuring ongoing compliance with GDPR requirements.

The Path Forward for OpenAI

· Enhancing Transparency and User Control

To address transparency concerns, OpenAI must be clear about data sources and usage. Informing users about the possibility of their data being used for training AI models and offering options to opt-out is crucial for maintaining user trust and regulatory compliance.

· Addressing Data Accuracy and Correction Mechanisms

Providing mechanisms for correcting inaccuracies and offering explanations for data sources are essential steps for OpenAI. Transparent communication about the limitations and potential biases of AI outputs can help build user trust and ensure compliance with the GDPR’s data accuracy principle.

· Compliance with Data Subject Rights

Ensuring that users can easily access, correct, and delete their data is a fundamental requirement. OpenAI must inform users about their rights and provide clear processes for exercising them, reinforcing its commitment to data protection and privacy.

Navigating the complexities of GDPR compliance is a significant challenge for OpenAI and other AI developers. As investigations continue, OpenAI must enhance its data protection practices, ensure transparency, and uphold user rights to avoid regulatory penalties and build trust with users through both GDPR and EU AI Act compliance.

Under Article 22 of GDPR, individuals have the right to avoid solely automated decisions involving their personal data that result in significant effects, unless based on specific grounds. Similarly, the EU AI Act emphasizes protecting fundamental rights through human supervision, mandating a “human-in-the-loop” approach for high-risk AI systems. Article 14 requires these systems to be designed for effective human oversight, while Article 26.1 obliges deployers to ensure AI use aligns with provided instructions, including human oversight.

Effective human intervention during AI decision-making may exclude the system from being considered wholly automated under GDPR, ensuring fairness and protecting individuals’ rights. The evolving regulatory landscape underscores the importance of integrating robust data protection measures into AI development processes from the outset.