| On
2023-08-31 10:31 AM

OpenAI Under Fire: GDPR Violations Spark Controversy

  • OpenAI faces GDPR complaint over alleged breaches, including transparency and data access rights, filed by Lukasz Olejnik.
  • Complaint highlights inaccuracies in ChatGPT-generated data and OpenAI's lack of transparency, potentially violating GDPR provisions.
  • OpenAI accused of disregarding data protection by design principle, faces potential penalties and regulatory orders if violations confirmed.
By Lethabo Ntsoane

OpenAI, the US-based artificial intelligence (AI) giant, is facing yet another challenge as a detailed complaint has been filed with the Polish data protection authority, alleging that the company is in breach of the European Union’s General Data Protection Regulation (GDPR). The complaint, which highlights a range of issues including transparency, fairness, data access rights, and privacy by design, raises questions about OpenAI’s compliance with EU privacy rules.

The complaint, filed by security and privacy researcher Lukasz Olejnik and represented by Warsaw-based law firm GP Partners, asserts that OpenAI’s AI model, ChatGPT, violates several key provisions of the GDPR. ChatGPT is a widely used AI-powered chatbot that generates text-based responses.

Allegations Against OpenAI

According to the complaint, OpenAI’s actions are framed as systematic breaches of the GDPR across multiple dimensions. The complainant argues that OpenAI has failed to establish a valid lawful basis, transparency, and fairness in its data processing practices. It also accuses OpenAI of not adequately facilitating data access rights and ignoring the principle of privacy by design, as outlined in Articles 5(1)(a), 12, 15, 16, and 25(1) of the GDPR.

Olejnik’s concern was sparked after he used ChatGPT to generate a biography of himself, which contained inaccuracies. Upon reaching out to OpenAI to correct the errors and obtain information about his data processing, he alleges that OpenAI provided some information but omitted crucial details about its processing of personal data for AI model training.

Breaches of GDPR Provisions

The complaint argues that OpenAI’s processing of personal data for training ChatGPT models is both unlawful and non-transparent. To comply with the GDPR, a data controller must establish a valid legal basis for processing personal data and communicate this transparently. The complainant contends that OpenAI’s failure to do so constitutes a violation of Article 5(1)(a) of the GDPR.

Additionally, the complaint highlights OpenAI’s inability to rectify inaccuracies in data generated by ChatGPT, which goes against individuals’ right to rectification of their personal data as guaranteed by the GDPR. The complainant suggests that OpenAI should develop mechanisms to verify and correct content generated by ChatGPT to ensure data accuracy.

Privacy by Design and Default

One of the focal points of the complaint is OpenAI’s alleged disregard for the GDPR’s principle of data protection by design and default. The complainant asserts that OpenAI’s design of ChatGPT contradicts the GDPR’s requirements, particularly in terms of testing the tool with personal data in a production environment rather than in the design phase.

Potential Consequences and Regulatory Response

OpenAI’s potential violations of the GDPR could have significant repercussions. Confirmed violations of the GDPR can result in penalties of up to 4% of a company’s global annual turnover. Additionally, data protection authorities (DPAs) may issue corrective orders that could reshape how AI technologies operate within the EU.

The Polish data protection authority (UODO) is expected to conduct an investigation into the complaint. If the UODO confirms GDPR violations, it may order OpenAI to comply with the regulations and ensure that its data processing operations within ChatGPT are lawful.

Lack of Prior Consultation and Compliance

One notable aspect of the complaint is OpenAI’s alleged failure to engage in prior consultation with EU regulators, as required by Article 36 of the GDPR. The complainant suggests that OpenAI’s lack of engagement with regulators before launching ChatGPT in Europe may have contributed to the alleged violations.

Uncertain Future for AI Regulation

The complaint against OpenAI is part of a broader conversation about the challenges of regulating AI technologies and ensuring compliance with data protection laws. As AI continues to advance and become more integrated into various aspects of society, regulatory bodies are grappling with how to strike a balance between innovation and safeguarding individuals’ rights to privacy and data protection.

The outcome of this case could set a precedent for how AI companies operate within the EU and handle personal data. As EU data protection authorities continue to assess the implications of AI technologies like ChatGPT, the broader conversation around the harmonization of AI regulation remains ongoing.

Join Our Newsletter
Subscribe to our newsletter and stay updated.


Start trading with a free $30 bonus

Unleash your trading potential with XM—your gateway to the electric world of financial markets! Get a staggering $30 trading bonus right off the bat, with no deposit required. Dive into a sea of opportunities with access to over 1000 instruments on the most cutting-edge XM platforms. Trade with zest, at your own pace, anytime, anywhere. Don't wait, your trading journey begins now! Click here to ignite your trading spirit!

Lethabo Ntsoane

Lethabo Ntsoane holds a Bachelors Degree in Accounting from the University of South Africa. He is a Financial Product commentator at Rateweb. He is an expect financial product analyst with years of experience in reviewing products and offering commentary. Lethabo majors in financial news, reviews and financial tips. He can be contacted: Email: lethabo@rateweb.co.za Twitter: @NtsoaneLethabo