Last week, OpenAI resolved issues with Italian data authorities and lifted the effective ban on ChatGPT in Italy. However, the company's troubles with European regulators are far from over. ChatGPT, a popular and controversial chatbot, faced allegations of violating EU data protection rules, resulting in a restriction of access to the service in Italy while OpenAI worked on fixing the problem.
The chatbot has since returned to Italy after minor changes were made to address the concerns raised by the Italian Data Protection Authority (GPDP). While the GPDP has welcomed these changes, the legal battles facing OpenAI and similar chatbot developers are likely just beginning. Regulators in multiple countries are investigating how these AI tools collect and produce information, citing concerns such as unlicensed training data collection and misinformation dissemination.
The General Data Protection Regulation (GDPR) is one of the world's strongest legal privacy frameworks, and its application in the EU is expected to have global effects. Moreover, EU lawmakers are currently crafting a law tailored to AI, which could introduce a new era of regulation for systems like ChatGPT.
In the meantime, at least three EU countries — Germany, France, and Spain — have initiated their own investigations into ChatGPT since March, and Canada is assessing privacy concerns under its Personal Information Protection and Electronic Documents Act, or PIPEDA. The European Data Protection Board (EDPB) has even formed a dedicated task force to help coordinate these investigations. And if these agencies demand changes from OpenAI, the results could affect how the service operates for users around the world.
Regulators' concerns fall broadly into two categories: where ChatGPT's training data comes from and how OpenAI delivers information to its users. The GDPR could present significant challenges for OpenAI because of concerns over the collection and processing of EU citizens' personal data without explicit consent. The regulation requires companies to obtain consent for personal data collection, provide legal justification for that collection, and be transparent about how data is used and stored.
European regulators have raised concerns over OpenAI's training data and claim that the organization has "no legal basis" for collecting the data. This situation highlights a potential issue for future data scraping efforts. Additionally, GDPR's "right to be forgotten" allows users to demand corrections or removal of personal information, but this can be difficult to achieve given the complexity of separating specific data once it's integrated into large language models. OpenAI has updated its privacy policy to address these concerns.
OpenAI is known to collect various types of user data, including standard account information like name, contact details, and payment card details, in addition to data on users' interactions with ChatGPT. This information is used to train future versions of the model and is accessible to OpenAI employees. The company's data collection policies have raised particular concern over the potential collection of sensitive data from minors: while OpenAI says it does not knowingly collect information from children under 13, there is no strict age verification gate in place. The lack of age filters also means that minors may be exposed to inappropriate responses from ChatGPT. Storing this data poses a security risk as well, as evidenced by a serious data leak that ChatGPT suffered.
Furthermore, GDPR requires personal data to be accurate, which may be a challenge for AI text generators like ChatGPT that can produce inaccurate or irrelevant responses to queries. In fact, a regional Australian mayor has threatened to sue OpenAI for defamation after ChatGPT falsely claimed that he had served time in prison for bribery. These concerns have prompted some companies to ban their employees from using generative AI tools, and Italy's temporary ban on ChatGPT initially followed the data leak incident.
ChatGPT's popularity and present market dominance make it an especially appealing target, but there's no reason why its competitors and collaborators, like Google with Bard or Microsoft with its OpenAI-powered Azure AI, won't be scrutinized as well. Prior to ChatGPT, Italy prohibited the chatbot platform Replika from gathering information on children – and it has remained prohibited to this day.
While GDPR is a strong collection of regulations, it was not designed to address AI-specific challenges. Rules that do, however, may be on the horizon. The EU presented its first draft of the Artificial Intelligence Act (AIA) in 2021, legislation designed to work in tandem with GDPR. The act regulates AI technologies according to their assessed risk, ranging from "minimal" (spam filters) to "high" (AI tools for law enforcement or education) to "unacceptable" and hence prohibited (such as a social credit system). Following the proliferation of large language models like ChatGPT last year, lawmakers are now scrambling to establish rules for "foundation models" and "General Purpose AI Systems (GPAIs)" — two terms for large-scale AI systems that include LLMs — and are considering classifying them as "high risk" services.
The provisions of the AIA go beyond data protection. A recently proposed amendment would require businesses to disclose any copyrighted content utilized in the development of generative AI systems. This might expose previously confidential datasets and subject more corporations to infringement litigation, which is already affecting some services.
Laws tailored to artificial intelligence may not take effect in Europe until late 2024, and passing them could take some time. On April 27th, EU parliamentarians struck a tentative agreement on the AI Act. A committee will vote on the draft on May 11th, with the final proposal due by mid-June. The European Council, Parliament, and Commission must then resolve any outstanding issues before the law can be implemented. If all goes well, it could be adopted by the second half of 2024, somewhat behind the official target of passing it ahead of Europe's May 2024 elections.
For the time being, the spat between Italy and OpenAI provides an early indication of how regulators and AI businesses might negotiate. The GPDP offered to lift its restriction provided OpenAI met a number of proposed resolutions by April 30th. These included educating users on how ChatGPT stores and processes their data, requesting explicit consent to use that data, facilitating requests to correct or remove inaccurate personal information generated by ChatGPT, and requiring Italian users to confirm their age when signing up for an account. OpenAI did not meet every requirement, but it has done enough to satisfy Italian regulators and restore access to ChatGPT in Italy.
OpenAI still has goals to meet. It has until September 30th to implement a stricter age gate that keeps out children under 13 and requires parental consent for older underage teens. If it fails, it may find itself blocked once more. But the episode has served as an example of what Europe considers acceptable behavior for an AI business — at least until new rules are enacted.