Amid Growing Privacy Concerns, Poland Investigates OpenAI’s ChatGPT for GDPR Compliance.
OpenAI’s renowned AI chatbot system, ChatGPT, is once again being scrutinized for its conformity with EU data protection laws. Following a complaint filed in Poland, local authorities have publicly confirmed the initiation of an investigation.
The Allegations
The Polish Office for Personal Data Protection (UODO) is examining the complaint against ChatGPT, in which OpenAI is accused of processing data in an unlawful and unclear manner. The authority emphasized the challenge, given OpenAI’s location outside the EU and the groundbreaking technology of the generative AI chatbot being reviewed.
Jan Nowak, the president of UODO, stated that the case involves several GDPR provisions and requires OpenAI to answer a series of questions to ensure a thorough review.
Jakub Groszkowski, the vice-president of UODO, reiterated that entities must comply with GDPR regardless of technological advancements. The complaint questions OpenAI’s compliance with European data protection standards.
Core Issues
The complaint, filed by privacy and security researcher Lukasz Olejnik, focuses on OpenAI’s inability to correct faulty personal data created by ChatGPT about him. Additionally, he claims that OpenAI has not satisfactorily responded to his data access request and has provided vague and contradictory answers.
ChatGPT’s underlying technology, a so-called large language model (LLM), was trained with a variety of data, sometimes without consent. This method of data collection and the occasional generation of false information about individuals have brought ChatGPT into conflict with EU regulations.
The Bigger Context
This investigation is another chapter in the growing list of regulatory challenges OpenAI faces in the EU. Previously, the Italian Data Protection Authority (DPA) had temporarily suspended ChatGPT, and the Spanish DPA has initiated an investigation. Moreover, a task force set up through the European Data Protection Board is examining AI chatbot technologies, paving the way for a unified approach to regulating such technologies across the EU.
Despite these challenges, OpenAI attempts to navigate the complex regulatory landscape of the EU. The company recently opened an office in Dublin, possibly to optimize its regulatory interactions in the field of data protection. However, as decision-making continues to occur at the US headquarters, DPAs across the EU retain jurisdiction to investigate issues with ChatGPT in their regions.
Maciej Gawronski from GP Partners, representing Olejnik, expressed hope for constructive dialogue with OpenAI regarding ChatGPT’s GDPR compliance. However, OpenAI has not yet commented on the ongoing investigation.
Closing Word
The evolving landscape of AI and its interactions with data protection laws highlight the need for clarity and adaptation on both sides. OpenAI’s experiences in the EU could provide valuable lessons for the entire technology industry to align innovation with data protection.