OpenAI is the developer behind the popular AI-powered chatbot ChatGPT and they are currently facing pressure from European Union data protection law regulations. The company has been given until April 30th to meet the requirements of the data protection laws or face fines and a potential ban in Italy, which has already fully prohibited the platform. OpenAI uses a training model that scrapes the internet for content and this makes it difficult for them to meet the EU’s requirements. OpenAI must ask for user consent or prove that they have a “legitimate interest” in accessing the data they use while using the ChatGPT platform. Additionally, they need to be more transparent with users about how ChatGPT uses their data and give users the ability to correct or delete any data they do not want the platform to use.
To make this process even more difficult for OpenAI, separating Italy’s data from other countries would take a great deal of effort. This could force them to have to completely revamp their tech. OpenAI has argued that the US has a doctrine that states that when the data is publicly available, it is no longer private, which is not the case in Europe. This has caused more investigations from data regulators in France, Germany, Ireland, and Canada. The case could potentially end up in the Court of Justice of the European Union.
The Wall Street Journal recently reported a data breach of 256,000 customers and 45 financial institutions from the US Consumer Financial Protection Bureau (CFPB). The CFPB claims that the data was sent to an employee’s personal email account and there is no physical evidence the data went beyond that account. Many lawmakers are asking the CFPB to share more information about the incident and how it was handled. The CFPB has referred the incident to its inspector general and all their employees have gone through training in regards to their obligations of safeguarding confidential and personal information.
Darren James, Senior Product Manager for Specops Software, sees the incident as an example of clumsy data handling. The effects have been the same, whether it was malicious or not, and could have been avoided if there were proper data handling practices in place. Chris Hauk, consumer privacy champion for Pixel Privacy, believes that it is important to ensure access is locked down to former employees. Paul Bischoff, privacy advocate for Comparitech, finds it interesting that the CFPB had to deal with this issue and he recommends that employees receive more training about data handling. Joe Payne, CEO of Code42, believes that CFPB needs to explain how they will manage risk going forward.
Overall, proper safekeeping of data needs to be a top priority in all organizations. OpenAI needs to find a way to comply with the EU Regulations or risk being fined and banned in Italy, while CFPB needs to explain how they can prevent future incidents, invest in Cyber Aware Training, and take extra security measures to ensure data is safe.
