OpenAI – Violation Found (Italy, 2023)

The Italian DPA after receiving complaint from Inder Kahlon on 24th February 2023 (Numero protocollo: 0033835) opened an investigation concerning ChatGPT, an AI service offered by the American company OpenAI. The investigation focused on three main areas. First, the controller did not provide the data subjects whose personal data had been collected through the Internet with appropriate information about the processing. Second, the DPA found that ChatGPT final outcome – its “answers” – despite based also on personal data and thus often containing personal data, did not always represent reality in an accurate way. Finally, the investigation showed that OpenAI did not adopt any measure to check that users were above the minimum age requirement of 13 years. The Italian DPA held that the controller did not comply with its obligation to provide data subjects with a privacy policy pursuant to Article 13 GDPR. Moreover, the collection of personal data and their use in the training of ChatGPT algorithms were undertaken in lack of a proper legal basis,in violation of Article 5 and 6 GDPR. Concerning specifically data of people other than the users, namely those data subjects whose data were collected on the internet, the DPA found that the algorithms behind the functioning of ChatGPT did not guarantee the principle of accuracy as enshrined in Article 5(1)(d). Finally, the DPA also considered that the lack of any mechanism to check the age of the users entailed a violation of Article 8 GDPR. In light of the above and in the context of an urgency procedure, the DPA imposed on OpenAI a temporary limitation of processing pursuant to Article 58(2)(f) GDPR. Such limitation concerns all processing operations involving data subjects on the Italian territory.