A month ago, a complaint was lodged against ChatGPT and OpenAI in Poland, alleging a series of violations of the European Union’s General Data Protection Regulation (GDPR). The Polish authority has now announced publicly that it has initiated an investigation to address these allegations.
“The Office for Personal Data Protection is investigating a complaint about ChatGPT, in which the complainant accuses the tool’s creator, OpenAI, of, among other things, processing data in an unlawful, unreliable manner, and the rules under which this is done are opaque,” the UODO wrote in a press release.
Deputy President Jakub Groszkowski stated in the press release that emerging technologies must adhere to the legal framework and uphold GDPR principles. He noted that the filed complaint has raised concerns regarding OpenAI’s overall compliance with European data protection principles, particularly in the context of the GDPR’s fundamental concept of privacy by design. The authority is committed to investigating and addressing these concerns to provide clarity.
The complaint, submitted by local privacy and security researcher Lukasz Olejnik, alleges that OpenAI has committed a series of violations under the EU-wide regulation. These violations encompass various aspects, including lawful basis, transparency, fairness, data access rights, and adherence to the privacy by design principle.
The complaint centers on OpenAI’s handling of Lukasz Olejnik’s request to rectify inaccurate personal information in a biography generated by ChatGPT. OpenAI conveyed its inability to fulfill this request. Additionally, Olejnik accuses the AI company of inadequately addressing his subject access request and of offering evasive, misleading, and internally conflicting responses when he attempted to exercise his legal rights regarding data access.
OpenAI’s practice of collecting data from the public internet for training purposes without individuals’ awareness or consent is a significant factor that has drawn regulatory scrutiny to ChatGPT in the EU. Furthermore, its apparent difficulty in clearly explaining how it processes personal data and its inability to rectify errors when its AI generates erroneous information about specific individuals have also contributed to the regulatory challenges it faces.
The European Union (EU) regulates the processing of personal data, requiring any entity that processes such data to have a legitimate legal basis for collecting and using it. Processors are also obliged to meet transparency and fairness standards. In addition, EU residents have a comprehensive set of data access rights, including the right to request the correction of inaccurate data about them.
Olejnik’s complaint assesses OpenAI’s GDPR compliance on several fronts, touching on various dimensions of the regulation. Any enforcement action resulting from it could therefore carry significant implications for the future development of generative AI, potentially shaping how the technology evolves to comply with data protection standards.