One of today's breaking news items is that the Italian data protection authority (Garante) has decided to block the use of ChatGPT and the related data processing activities in Italy with immediate effect. Several concerns have already been expressed in connection with the use of ChatGPT, the star of artificial intelligence (AI) developments in recent months, and a data breach concerning ChatGPT users has recently become known (Garante also referred to the incident in the press release issued in connection with the suspension of ChatGPT's use).
The ban on ChatGPT in Italy came after the publication of an open letter calling for a moratorium of at least 6 months on the development of AI systems more advanced than GPT-4, until the risks associated with such AI systems could be assessed and risk mitigation measures could be implemented. In the United States, there have also been reports of a complaint filed with the Federal Trade Commission (FTC), which also raises the possibility of suspending the releases of new versions of large language models.
Today, Garante has decided that OpenAI must immediately suspend data processing via its ChatGPT app for Italian data subjects until the conditions for lawful data processing are established. At the same time, Garante launched an investigation into data processing related to ChatGPT.
What does Garante object to?
Based on the short press release available on Garante's website, the Italian Data Protection Authority raised the following main points in connection with data processing through the use of ChatGPT:
- the lack of an adequate legal basis for processing large amounts of personal data used for the training of the AI system,
- the lack of adequate information regarding data processing,
- providing erroneous outputs ("hallucinations") leading to the processing of inaccurate personal data,
- although OpenAI states that the service is intended for users over the age of 13, no age-verification mechanism is in place.
What's next?
OpenAI is not a data controller established in the EU, but it has appointed a representative in accordance with the GDPR. (Due to the extraterritorial scope of the GDPR, the regulation nevertheless covers data processing carried out by OpenAI through ChatGPT; see Article 3(2) GDPR.) OpenAI has 20 days to declare the implementation of the measures required by Garante.
Little information is available yet about the procedure concerning ChatGPT, but its initiation shows that very turbulent events can be expected in the coming period in the field of technological developments, the evolving legal environment and the application of the law to different AI-based solutions. There is also increasing pressure on EU legislators to adopt the AI Act as soon as possible before it is too late.
It is also worth mentioning that Garante's investigation against OpenAI is not the first one against a data controller providing an artificial intelligence-based service. In 2022, the Italian authority fined Clearview AI, which develops a facial recognition system that processes huge amounts of personal data (including facial images collected from the internet) for this purpose. In addition to the fine, the authority ordered the deletion of unlawfully processed data and prohibited the collection of new data. (After the Italian authority, the French data protection authority, CNIL, also fined Clearview AI EUR 20 million, also in 2022. However, Clearview AI still operates and, according to recent news, it has been used nearly 1 million times by police agencies in the U.S. and now has a database of more than 30 billion facial images collected without consent.)