Italy’s data protection authority has ordered OpenAI to immediately stop processing people’s data locally, citing concerns that ChatGPT, its powerful generative AI model, is breaching the European Union’s General Data Protection Regulation (GDPR). The regulator expressed concerns that OpenAI has unlawfully processed people’s data and lacks any system to prevent minors from accessing the technology. OpenAI has 20 days to respond to the order, which is backed by the threat of penalties that can scale up to 4% of annual turnover or €20m. Since OpenAI does not have a legal entity established in the EU, any data protection authority is empowered to intervene, under the GDPR, if it sees risks to local users.

OpenAI’s large language model has been shown to be processing EU users’ personal data, which is covered by the GDPR. The model has been producing false information about named individuals, potentially raising GDPR concerns over the right to rectification of errors. OpenAI has not provided details of the training data used for the latest iteration of the technology, but earlier models were trained on data scraped from the internet, including forums such as Reddit. OpenAI has not informed people whose data it has repurposed to train its commercial AIs, which could be a problem for it.

DPAs across the bloc could order data to be deleted if OpenAI has processed Europeans’ data unlawfully, although this may not force it to retrain models trained on data unlawfully obtained. The GDPR allows for a number of possibilities for lawful processing, from consent to public interest, but the scale of processing to train these large language models complicates the legality question. Data minimization is a big focus in the regulation, which also contains principles that require transparency and fairness.

OpenAI is not actively preventing people under the age of 13 from signing up to use ChatGPT, such as by applying age verification technology. The regulator is concerned about the risk of minors’ data being processed by OpenAI, as it recently ordered a similar ban on the virtual friendship AI chatbot, Replika, over child safety concerns. If OpenAI cannot confirm the age of any users it has signed up in Italy, it could be forced to delete their accounts and start again with a more robust sign-up process.

Categorized in: