OpenAI is a well-known open-source AI and machine learning company based in San Francisco. It has been developing various AI applications for both commercial and research fields. The company recently came under scrutiny from the Italian data protection authority, Garante, when its AI-powered chatbot, ChatGPT, was found to be potentially in breach of the EU’s General Data Protection Regulation (GDPR).
Garante issued OpenAI an order requesting the company to make its data processing practices clear to both users and non-users, create tools to object to the processing of personal data, and specifically block all users under the age of 18. In addition, OpenAI must make available an information notice that describes the way data is processed in order for ChatGPT to operate. Sam Altman, CEO of OpenAI, tweeted at the time that they were following privacy laws but should still cease offering the service in Italy.
OpenAI responded to Garante’s order by blocking Italian IP addresses and stopping subscriptions to its Plus service. Later on, the company posted a list of its current safety measures when training the tool. To comply with the order, OpenAI must become very open about its data collection and processing, including by drafting and making readily available an information notice on how it processes data and by allowing users to exercise their right to object to the processing of their personal data.
Age-gating technology, which must be in place by the end of September, will also be required to ensure users meet the minimum age limit before accessing the service. Additionally, OpenAI needs legal grounds prior to processing user data, and these can only be the consent of the user or a legitimate interest. OpenAI must also provide a mechanism through which users and non-users can have the personal information they made available inside the system corrected or removed completely.
Working through Garante’s list of tasks is an important step for OpenAI in becoming compliant with GDPR in Italy. Sam Altman and the OpenAI team need to follow the checklist and adhere to all of those requests in order to avoid any further action or fines against the company, and to ensure that their users’ right to privacy is respected.