OpenAI is currently facing another privacy complaint in the European Union, this time initiated by the privacy rights nonprofit noyb, which represents an unnamed public figure.
The complaint, filed with the Austrian data protection authority, centers on ChatGPT, OpenAI’s AI chatbot, which incorrectly published the complainant’s birth date. This action breaches the EU’s General Data Protection Regulation (GDPR), which mandates accurate processing of personal data and the rectification of incorrect information.
GDPR is known for its stringent regulations, including potential penalties of up to 4% of an offending company’s global annual turnover. Beyond imposing fines, the regulation empowers regulators to mandate operational changes in data processing to ensure compliance.
This aspect of GDPR means that the ongoing enforcement could significantly influence how generative AI tools function within the EU.
The Complaint Against OpenAI
Previously, OpenAI had to implement changes following an intervention by Italy’s data protection authority in 2023, which resulted in a temporary suspension of ChatGPT’s operations in Italy.
The latest complaint specifically argues that OpenAI did not comply with GDPR’s right to rectification. The complainant had requested the correction of their incorrect birth date, but OpenAI reportedly responded that it was technically impossible to make such corrections. Instead, the company proposed to either filter or block the data when specific prompts, like the name of the complainant, were used.
Furthermore, OpenAI’s privacy policy does allow users to submit “correction requests” for any “factually inaccurate information” via their website or email. However, the policy also states that due to the technical complexity of its models, it might not always be possible to correct inaccuracies.
Non-Negotiable GDPR Rights
GDPR also includes rights for individuals to request the deletion of their data. noyb’s complaint highlights that it is not within OpenAI’s discretion to choose which rights to fulfill — whether correction or deletion — as GDPR does not offer these rights à la carte.
The complaint by noyb also emphasizes transparency issues, accusing OpenAI of not being able to identify where the data it generates comes from, nor to specify what data is stored about individuals. This is critical because GDPR grants individuals the right to request such information through a subject access request (SAR). According to noyb, OpenAI did not adequately respond to the complainant’s SAR, failing to disclose any information about the data processed, its sources, or its recipients.
Maartje de Graaf, a data protection lawyer at noyb, stressed the problematic nature of AI systems generating false information about individuals, stating that such systems must adhere to legal standards to ensure accuracy and transparency. If these systems fail to meet these requirements, they should not be used to generate data about individuals.
In addition to urging the Austrian authority to investigate this complaint, noyb is also advocating for a fine against OpenAI to enforce future compliance. The broader implications suggest that OpenAI could face similar GDPR enforcement actions across multiple EU Member States, as the company has also encountered similar issues in Poland and continues to be under investigation in Italy.
In response to the increasing regulatory pressures in the EU, last fall OpenAI established a regional office in Dublin. This move is perceived as an attempt to mitigate regulatory risks by centralizing the oversight of cross-border complaints through Ireland’s Data Protection Commission, leveraging a GDPR mechanism designed to streamline such processes by funneling them to a single member state authority where the company is primarily established.