Italy gives OpenAI first list of things to do to lift ChatGPT suspension order

Italy’s data protection watchdog has explained what OpenAI needs to do for it to lift an order against ChatGPT issued at the end of last month, when it said it suspected the AI chatbot service was in breach of the EU’s General Data Protection Regulation (GDPR) and ordered the US-based company to stop processing residents’ data.

The EU’s GDPR applies whenever personal data is processed, and there’s no doubt that large language models like OpenAI’s GPT have collected vast amounts of material from the public internet in order to train their generative AI models to respond in a human-like way to natural language prompts.

OpenAI responded to the Italian data protection authority’s order by geoblocking access to ChatGPT. In a brief public statement, OpenAI CEO Sam Altman also tweeted confirmation that it had stopped offering the service in Italy – doing so alongside Big Tech’s usual disclaimer that it “believe[s] we comply with all privacy laws.”

The Italian Garante obviously has a different point of view.

The short version of the regulator’s new compliance request is as follows: OpenAI will have to be transparent and publish a notice detailing its processing of data; it must immediately adopt an age restriction to prevent minors from accessing the technology and move to more robust age verification measures; it must clarify the legal basis it claims for processing people’s data for training its AI (and cannot rely on the performance of a contract – which means it must choose between consent or legitimate interests); it must also provide means for users (and non-users) to exercise their rights over their personal data, including by requesting corrections to misinformation generated about them by ChatGPT (or having their data deleted); it must also provide users with the ability to object to OpenAI’s processing of their data for training its algorithms; and it must carry out a local awareness campaign to inform Italians that it processes their information to train its AIs.

The DPA gave OpenAI a deadline – April 30 – to do most of it. (The local radio, TV and internet awareness campaign has a slightly more generous May 15 timeframe to be implemented.)

There’s also a bit more time for the additional requirement to migrate from the immediately required (but weak) child-safety technology to a more difficult-to-work-around age-verification system. OpenAI was given until May 31 to submit a plan to implement age verification technology to screen out users under the age of 13 (and users between the ages of 13 and 18 who have not obtained parental consent), with the deadline for implementing this more robust system set at September 30.

In a press release detailing what OpenAI needs to do for it to lift the temporary suspension of ChatGPT, ordered two weeks ago when the regulator announced it was opening a formal investigation into alleged GDPR violations, it writes:

OpenAI will have to comply by April 30 with the measures planned by the Italian SA [supervisory authority] regarding transparency, the rights of data subjects — including users and non-users — and the legal basis of processing for algorithmic training based on user data. Only in this case will the Italian SA lift its order which temporarily limited the processing of Italian users’ data, the urgency underlying the order no longer being present, so that ChatGPT will be available again from Italy.

Going into more detail on each of the “concrete measures” required, the DPA stipulates that the mandatory information notice must describe “the methods and logic of the data processing necessary for the operation of ChatGPT as well as the rights granted to the persons concerned (users and non-users)”, adding that it “should be easily accessible and placed so that it can be read before subscribing to the service”.

Users from Italy must be presented with this notice before registering and must also confirm that they are over 18, it further requires. Users who registered before the DPA’s order to stop processing data will need to be shown the notice when they access the reactivated service, and will also need to be pushed through an age barrier to screen out underage users.

On the question of the legal basis attached to OpenAI’s processing of people’s data for the training of its algorithms, the Garante reduced the available options to two: consent or legitimate interests – stipulating that it must immediately remove any reference to the performance of a contract “in accordance with the [GDPR’s] principle of responsibility.” (OpenAI’s privacy policy currently cites all three grounds, but seems to rely most heavily on performance of a contract for the provision of services such as ChatGPT.)

“This will be without prejudice to the exercise of the SA’s investigative and enforcement powers in this regard,” it adds, confirming that it withholds judgment on whether the two remaining grounds can also be legally used for OpenAI’s purposes.

In addition, the GDPR provides data subjects with a series of access rights, including a right to correct or delete their personal data. This is why the Italian regulator has also required that OpenAI put in place tools allowing data subjects – i.e. both users and non-users – to exercise their rights and have the falsehoods that the chatbot generates about them rectified. Or, if correcting AI-generated lies about named individuals proves “technically unfeasible,” the DPA says the company must provide a means to delete their personal data.

“OpenAI shall provide easily accessible tools to enable non-users to exercise their right to object to the processing of their personal data as invoked for the operation of the algorithms. The same right should be granted to users if legitimate interest is chosen as the legal basis for the processing of their data,” it adds, referring to another of the rights that the GDPR grants to data subjects when legitimate interest is invoked as the legal basis for processing personal data.

All the measures announced by the Garante are contingencies, based on its preliminary concerns. Its press release notes that its formal investigations – “to establish possible breaches of the law” – are continuing and could lead it to decide to take “additional or different measures if this proves necessary at the end of the ongoing investigation.”

We reached out to OpenAI for a response, but the company hadn’t responded to our email as of press time.
