The Italian Data Protection Authority (DPA) has notified OpenAI of potential violations of EU privacy laws in connection with its AI chatbot, ChatGPT. OpenAI has been given 30 days to respond to the allegations. Violating EU privacy laws could lead to fines of up to €20 million or 4% of the company’s global annual turnover. Additionally, data protection authorities could issue orders requiring changes to how data is processed.
OpenAI claims that its practices align with the EU’s General Data Protection Regulation (GDPR) and other privacy laws and that it takes steps to protect individuals’ data and privacy. However, the Italian DPA raised concerns about OpenAI’s GDPR compliance last year, and ChatGPT was temporarily suspended in the Italian market that year due to concerns about data processing. OpenAI addressed some of the issues raised by the DPA, allowing ChatGPT to resume service in Italy.
The Italian DPA suspects ChatGPT of breaching several articles of the GDPR, particularly concerning the lack of a suitable legal basis for collecting and processing personal data for training the AI model and its potential to produce inaccurate information about individuals. OpenAI was instructed to remove a specific legal basis for model training, leaving it with limited options for justifying its data processing. The company has also faced scrutiny over GDPR compliance in other EU countries and is attempting to establish a physical base in Ireland to potentially switch oversight of its GDPR compliance.
The Italian DPA’s statement is not final, and it will wait for OpenAI’s response before making a final decision. While efforts are being made to coordinate oversight of ChatGPT across EU countries, each authority remains independent and competent to issue its own decisions.