The chatbot application ChatGPT is breaching data protection rules, Italy’s data protection authority, Garante per la protezione dei dati personali, has told OpenAI.
Following its investigation and temporary ban from March last year, the Italian DPA has now concluded that the ‘available evidence’ contravenes the provisions of the EU GDPR. The details of the findings haven’t been disclosed, but in the provision to OpenAI in March last year, the authority said that it suspected ChatGPT to be breaching GPDR Articles 5, 6, 8, 13 and 25.
Italy became the first western country to temporarily ban ChatGPT, after concerns that the app is collecting personal data unlawfully, and the lack of age verification for children.
“The lack of whatever age verification mechanism exposes children to receiving responses that are absolutely inappropriate to their age and awareness, even though the service is allegedly addressed to users aged above 13 according to OpenAI’s terms of service,” the authority said.
Imposed orders on OpenAI
Then on on April 11, 2023, an order with nine conditions on was imposed on OpenAI, which included requirements such as ensuring human oversight of the AI system, implementing robust security protocols, disclosing relevant information about the AI system to users, and establishing clear channels for user feedback and redressal.
OpenAI addressed some issues quickly, and was able to resume ChatGPT service in Italy in the end of April.
OpenAI has up to 30 days to submit counterclaims concerning the alleged breaches, and the authority says that it will take account of the work in progress within the ad-hoc task force set up by the European Data Protection Framework when making the final determination on this case.
In a e-mailed statement, OpenAI said that it believes the company’s practices are aligned with EU’s privacy laws. “We actively work to reduce personal data in training our systems like ChatGPT,” Open said and added that it has “plans to continue to work constructively with the Garante”.