ChatGPT: the Italian Data Protection Authority closes the preliminary investigation
OpenAI will have to carry out a six-month information campaign and pay a fine of EUR 15 million.
The Italian Data Protection Authority has recently taken corrective and sanctioning measures against OpenAI in relation to the management of the ChatGPT service.
The measure, which ascertains the breaches that were contested with the Californian company at the time, reaches the result of an investigation initiated in March 2023 and after the EDPB (European Data Protection Board) published its opinion identifying a common approach to some of the most important issues related to the processing of personal data in the context of the design, development and deployment of AI-based services.
According to the Italian Data Protection Authority, the US company, which created and manages the generative artificial intelligence chatbot, did not notify the Italian Data Protection Authority of the data breach it underwent in March 2023, it has processed users’ personal data to train ChatGPT without first identifying an appropriate legal basis and has violated the principle of transparency and the related information obligations toward users. Furthermore, OpenAI has not provided for mechanisms for age verification, which could lead to the risk of exposing children under 13 to inappropriate responses with respect to their degree of development and self-awareness.
The Italian Data Protection Authority, with the aim of ensuring, first and foremost, effective transparency in the processing of personal data, ordered OpenAI to carry out a 6-month institutional communication campaign on radio, television, newspapers and the Internet.
The content, to be agreed with the Italian Data Protection Authority, should promote public understanding and awareness of the functioning of ChatGPT, in particular on the collection of user and non-user data for the training of generative artificial intelligence and the rights exercised by data subjects, including the rights to object, rectify and delete their data.
Through this communication campaign, users and non-users of ChatGPT will have to be made aware of how to oppose generative artificial intelligence being trained with their personal data and thus be effectively enabled to exercise their rights under the GDPR.
The Italian Data Protection Authority imposed a fine of EUR 15 million on OpenAI, which was also calculated taking into account the company’s cooperative attitude.
Finally, in view of the fact that the company established its European headquarters in Ireland in the course of the preliminary investigation, the Italian Data Protection Authority, in compliance with the so-called one stop shop mechanism, forwarded the procedural documents to the Irish Data Protection Authority (DPC), which became lead supervisory authority under the GDPR so as to continue investigating any ongoing infringements that have not been exhausted before the opening of the European headquarters.
To learn more, contact me.
Leave a Reply