With provision no. 112, as of 30 March 2023 the Italian Data Protection Authority (GDPA – The Guarantor for the protection of personal data in Italy) ordered the immediate temporary limitation on the processing of all personal data of interested parties located in Italian territory on the ChatGPT platform, the intelligent chatbot developed and managed by the US company OpenAI L.L.C.
The case arose following a data breach, i.e. a security incident, which OpenAI suffered last March, resulting in the leakage of personal data and credit card data of around 1% of service subscribers. Despite the company taking immediate steps to remedy the situation, the event was immediately brought to the attention of the Italian Data Protection Authority.
The Authority, therefore, given the numerous media reports relating to the functioning of the ChatGPT service, imposed a temporary block on the data processing by OpenAI, mindful of the fact that it is a US company without an office in the European Union, but with a designated representative in the European Economic Area. The application of Regulation (EU) 2016/679 (GDPR), however, also extends to subjects who, while not established in the Union, offer goods or provide services to users who are in the Union (art. 3, par. 2, letter a of the GDPR). Therefore, in the case in question, the Authority intervened against OpenAI since, although the Data Controller is based outside the European Union, the interested parties, i.e. the Italian users, are located within the Union.
In particular, the reason why the Italian Authority took action against OpenAI with an emergency provision pursuant to art. 58, par. 2, lit. f) of the GDPR, concerned OpenAI’s methods of data collection and the related treatment of that data.
Above all, the Authority found that the processing of users’ personal data was carried out by OpenAI in the absence of a disclosure pursuant to art. 13 of the GDPR, which requires the Data Controller to provide the interested party with a series of information at the time of data collection. Furthermore, the Authority found that the information provided by ChatGPT did not always correspond to real data, resulting in an inaccurate processing of personal data.
This was not all. The Authority also noted the absence of an appropriate legal basis for the data processing, in violation of art. 6 of the GDPR, thereby rendering the data processing being carried out unlawful. Another key element highlighted by the Authority in the case in question was a violation of art. 8 of the GDPR. The Authority, in fact, found the absence of any filtering and control system to verify the age of users of the ChatGPT service which, according to the terms published by OpenAI, was supposed to be reserved for subjects who are at least 13 years old.
Following this, after a discussion with the representatives of the US company, with subsequent provision no. 114 of 11 April 2023, the Italian Authority imposed an injunction on OpenAI: in order to have the aforementioned provision for the temporary limitation of processing lifted, it must implement, by 30 April 2023, a series of concrete measures to protect the rights of users who connect from Italy. Among these are the preparation of explanatory information, both transparent and easily accessible, available to users on its website; as regards the legal basis of the processing, the removal of any reference to the execution of a contract, with consent or legitimate interest instead serving as the prerequisite for the processing of the data; and the provision of useful tools to the interested parties allowing them to request the rectification of inaccurate personal data or the cancellation of the same, as well as the exercise of the right to object to the processing. Also, with regard to the verification of the age of minors, the Authority ordered OpenAI to submit, by 31 May 2023, an action plan demonstrating the implementation of an age verification system which excludes access to users of the service under the age of thirteen and also, in the absence of parental consent, to minors over the age of thirteen.
Therefore OpenAI, in order to comply with the recent ruling of the Authority, has reopened the platform in Italy and introduced a series of measures in compliance with the requests of the Authority. In particular, it has prepared and published on its website accurate information aimed at users and non-users of the chatbot service, providing interested parties with a detailed description of the data processed and the way it is processed, specifically for the training of the algorithm, bearing in mind that ChatGPT is a chatbot based on machine learning.
OpenAI has also expanded the privacy information reserved for users of the service, providing for the possibility for interested parties to delete information deemed incorrect (given the current technical impossibility to correct errors), and has implemented a procedure for the exercise of the right to object. Finally, it has provided for a block on user registration for those under the age of thirteen and, for minors over the age of thirteen, confirmation of parental consent will be required for use of the service.
OpenAI’s efforts towards adapting to European privacy legislation are not yet concluded, given that the US company also has to comply with the additional requests called for in the Guarantor’s decision of 11 April 2023, among which is the implementation of a system for age verification. The Authority will therefore continue its investigative activity with the work being carried out in the context of the ChatGPT task force specifically set up within the European Data Protection Board (EDPB), in the hope that technological progress will be combined with a respect for users’ rights.