Italy’s data protection watchdog has laid out what OpenAI needs to do for it to lift an order against ChatGPT issued at the end of last month — when it said it suspected the AI chatbot service was in breach of the EU’s General Data Protection Regulation (GDPR) and ordered the U.S.-based company to stop processing locals’ data.
The EU’s GDPR applies whenever personal data is processed, and there’s no doubt large language models such as OpenAI’s GPT have hoovered up vast amounts of the stuff off the public internet in order to train their generative AI models to be able to respond in a human-like way to natural language prompts.
OpenAI responded to the Italian data protection authority’s order by swiftly geoblocking access to ChatGPT. In a brief public statement, OpenAI CEO Sam Altman also tweeted confirmation it had ceased offering the service in Italy — doing so alongside the usual Big Tech boilerplate caveat that it “think[s] we are following all privacy laws.”
Italy’s Garante evidently takes a different view.
The short version of the regulator’s new compliance demand is this: OpenAI will have to get transparent and publish an information notice detailing its data processing; it must immediately adopt age gating to prevent minors from accessing the tech and move to more robust age verification measures; it needs to clarify the legal basis it’s claiming for processing people’s data for training its AI (and cannot rely on performance of a contract — meaning it has to choose between consent or legitimate interests); it also has to provide ways for users (and non-users) to exercise rights over their personal data, including asking for corrections of disinformation generated about them by ChatGPT (or else have their data deleted); it must also provide users with an ability to object to OpenAI’s processing of their data for training its algorithms; and it must conduct a local awareness campaign to inform Italians that its processing their information to train its AIs.
The DPA has given OpenAI a deadline — of April 30 — to get most of that done. (The local radio, TV and internet awareness campaign has a slightly more generous timeline of May 15 to be actioned.)
There’s also a little more time for the additional requirement to migrate from the immediately required (but weak) age gating child safety tech to a harder-to-circumvent age verification system. OpenAI has been given until May 31 to submit a plan for implementing age verification tech to filter out users below age 13 (and users aged 13 to 18 who had not obtained parental consent) — with the deadline for having that more robust system in place set at September 30.