OpenAI, the San Francisco-based AI research laboratory, has blocked access to its generative AI chatbot, ChatGPT, in Italy following an order by the local data protection authority. The regulator has opened an investigation into ChatGPT over suspected breaches of the European Union’s General Data Protection Regulation (GDPR), stating that it is concerned OpenAI has unlawfully processed Italians’ data. OpenAI has disabled access to users in Italy at the request of the data protection authority, known as the Garante, and will issue refunds to all users in Italy who bought the ChatGPT Plus subscription service last month. The company is also temporarily pausing subscription renewals in Italy. OpenAI appears to be applying a simple geoblock at this point, which means that using a VPN to switch to a non-Italian IP address offers a simple workaround for the block. However, if a ChatGPT account was originally registered in Italy, it may no longer be accessible, and users wanting to circumvent the block may have to create a new account using a non-Italian IP address.
The Garante has raised concerns over the accuracy of the information the chatbot provides. ChatGPT and other generative AI chatbots are known to sometimes produce erroneous information about named individuals – a flaw AI makers refer to as “hallucinating”. This looks problematic in the EU since the GDPR provides individuals with a suite of rights over their information – including a right to rectification of erroneous information. And, currently, it’s not clear OpenAI has a system in place where users can ask the chatbot to stop lying about them.
OpenAI does not appear to have informed anyone whose online data it found and used to train the technology, such as by scraping information from Internet forums. Nor has it been entirely open about the data it’s processing – certainly not for the latest iteration of its model, GPT-4. And while training data it used may have been public (in the sense of being posted online), the GDPR still contains transparency principles – suggesting both users and people whose data it scraped should have been informed.
The pan-EU regulation calls for data protection by design and default – meaning privacy-centric processes and principles are supposed to be embedded into a system that processes people’s data from the start. Penalties for confirmed breaches of the GDPR can scale up to 4% of a data processor’s annual global turnover (or €20M, whichever is greater). Additionally, since OpenAI has no main establishment in the EU, any of the bloc’s data protection authorities are empowered to regulate ChatGPT – which means all other EU member countries’ authorities could choose to step in and investigate – and issue fines for any breaches they find (in relatively short order, as each would be acting only in their own patch). So it’s facing the highest level of GDPR exposure, unprepared to play the forum shopping game other tech giants have used to delay privacy enforcement in Europe.
In its statement to geoblocked users in Italy, OpenAI claims: “We are committed to protecting people’s privacy and we believe we offer ChatGPT in compliance with GDPR and other privacy laws.” “We will engage with the Garante with the goal of restoring your access as soon as possible,” it also writes, adding: “Many of you have told us that you find ChatGPT helpful for everyday tasks, and we look forward to making it available again soon.” Despite striking an upbeat note towards the end of the statement, it’s not clear how OpenAI can address the compliance issues raised by the Garante – given the wide scope of GDPR concerns it’s laid out as it kicks off a deeper investigation.
This is a wake-up call that GDPR, Article 8 Charter, data protection law in general, and particularly in the EU, is applicable to AI systems today, right now, and it has important guardrails in place if they are understood and applied.