Already under investigation by the data protection authorities (DPAs) of several EU nations, OpenAI is now facing scrutiny in Poland in response to an August GDPR complaint.
Filed by security and privacy researcher Lukasz Olejnik on August 29, the complaint asserts a range of GDPR violations by ChatGPT, including inadequate transparency and an improper legal basis for processing personal data. The Polish Office for Personal Data Protection (UODO) publicly announced the investigation, something it does not normally do, and said the case will likely be “difficult” given the novelty of the technology and OpenAI’s lack of a physical presence in the EU.
Polish GDPR complaint results in investigation
The GDPR complaint cites roughly half a dozen EU privacy provisions: Articles 5(1)(a), 12, 15, 16 and 25(1), and potentially Article 36. Olejnik’s complaint stems from a biography of himself that he asked ChatGPT to generate; it contained mistakes that OpenAI was unresponsive to requests to correct. The complaint asserts that OpenAI communicates no valid legal basis for collecting personal data, that users are not properly informed of what data is being collected or how it is being used, and that OpenAI does not adequately disclose what sources of personal information feed its training data. Olejnik also claims that OpenAI’s refusal to correct the mistakes in his biography violates the GDPR’s right to rectification of stored data.
UODO deputy president Jakub Groszkowski emphasized that new technologies do not fall outside the scope of the GDPR, and that the rules that have governed advertising algorithms and databases to date will also apply to AI and large language models (LLMs), even if their inner workings remain opaque to the general public. OpenAI is facing scrutiny around the world for its opaque collection of personal information for its training data, which is presumed to have been scraped from a wide variety of internet sources, likely without the awareness or permission of the people involved.
OpenAI is facing similar probes and investigations in France, Germany, Ireland, Italy, Spain and Switzerland. Italy went further, banning ChatGPT outright for several weeks until the company made changes demonstrating compliance with requirements to protect the personal information of minors.
Polish GDPR complaint investigation expected to be “complex,” “not a fast decision”
The European Data Protection Board (EDPB) has had a working group dedicated to OpenAI in place since April of this year. The intent of the group is to coordinate enforcement actions by individual EU nations, since each is currently free to act as it chooses: OpenAI has no office in the bloc, though it recently announced plans to establish one in Dublin in the coming months.
The region’s regulatory framework for AI is also not yet in place, and will likely take about another year to become law. The AI Act, the world’s first piece of legislation of its kind, got underway in April 2021; the EU Parliament settled on its negotiating position in June of this year, about two years later, and is now hashing out final terms with the European Council and European Commission. Whatever version emerges will most likely enter into force sometime in the second half of 2024, after the May elections. As the proposed rules currently stand, ChatGPT would face several new requirements: guardrails to prevent the creation of illegal content, summaries disclosing any copyrighted data included in training sets, and mandatory public disclosure of any content created by AI.
Investigations of the current GDPR complaints (and any resulting penalties) can proceed in spite of this uncertainty, but the establishment of a Dublin office by OpenAI could complicate the process by making the Irish Data Protection Commission (DPC) the lead supervisory authority for all of these issues. That regulator has been famously lenient toward the big tech firms it hosts, generally proposing smaller fines that other regulators are then forced to contest, and taking a very long time to conclude investigations.
OpenAI faces trouble not just on multiple fronts in the EU, but in multiple parts of the world. While the US has nothing akin to GDPR complaints at present, the company has been hauled into court on a number of civil claims, including several class action lawsuits. One alleges that the company’s data collection violates California’s state privacy laws, and several others allege that it used copyrighted content without permission to train its models. OpenAI has also been taken to court for defamation in Australia, after the mayor of a town near Melbourne found that ChatGPT was falsely reporting he had been arrested for bribery. And the company may face action in Canada, where an inquiry is open under the country’s Personal Information Protection and Electronic Documents Act.