OpenAI is facing one other privacy grievance within the European Union. This one, which has been filed by privacy rights nonprofit noyb on behalf of a person complainant, targets the lack of its AI chatbot ChatGPT to correct misinformation it generates about individuals.
The tendency of GenAI tools to provide information that’s plain mistaken has been well documented. But it surely also sets the technology on a collision course with the bloc’s General Data Protection Regulation (GDPR) — which governs how the non-public data of regional users may be processed.
Penalties for GDPR compliance failures can reach as much as 4% of world annual turnover. Fairly more importantly for a resource-rich giant like OpenAI: Data protection regulators can order changes to how information is processed, so GDPR enforcement could reshape how generative AI tools are capable of operate within the EU.
OpenAI was already forced to make some changes after an early intervention by Italy’s data protection authority, which briefly forced a neighborhood shut down of ChatGPT back in 2023.
Now noyb is filing the newest GDPR grievance against ChatGPT with the Austrian data protection authority on behalf of an unnamed complainant who found the AI chatbot produced an incorrect birth date for them.
Under the GDPR, people within the EU have a set of rights attached to details about them, including a right to have erroneous data corrected. noyb contends OpenAI is failing to comply with this obligation in respect of its chatbot’s output. It said the corporate refused the complainant’s request to rectify the inaccurate birth date, responding that it was technically unimaginable for it to correct.
As a substitute it offered to filter or block the info on certain prompts, akin to the name of the complainant.
OpenAI’s privacy policy states users who notice the AI chatbot has generated “factually inaccurate details about you” can submit a “correction request” through privacy.openai.com or by emailing dsar@openai.com. Nonetheless, it caveats the road by warning: “Given the technical complexity of how our models work, we may not give you the option to correct the inaccuracy in every instance.”
In that case, OpenAI suggests users request that it removes their personal information from ChatGPT’s output entirely — by filling out a web form.
The issue for the AI giant is that GDPR rights will not be à la carte. People in Europe have a right to request rectification. Additionally they have a right to request deletion of their data. But, as noyb points out, it’s not for OpenAI to decide on which of those rights can be found.
Other elements of the grievance concentrate on GDPR transparency concerns, with noyb contending OpenAI is unable to say where the info it generates on individuals comes from, nor what data the chatbot stores about people.
This is significant because, again, the regulation gives individuals a right to request such info by making a so-called subject access request (SAR). Per noyb, OpenAI didn’t adequately reply to the complainant’s SAR, failing to reveal any information concerning the data processed, its sources, or recipients.
Commenting on the grievance in a press release, Maartje de Graaf, data protection lawyer at noyb, said: “Making up false information is sort of problematic in itself. But in relation to false details about individuals, there may be serious consequences. It’s clear that corporations are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals. If a system cannot produce accurate and transparent results, it can’t be used to generate data about individuals. The technology has to follow the legal requirements, not the opposite way around.”
The corporate said it’s asking the Austrian DPA to analyze the grievance about OpenAI’s data processing, in addition to urging it to impose a high-quality to make sure future compliance. But it surely added that it’s “likely” the case will likely be handled via EU cooperation.
OpenAI is facing a really similar grievance in Poland. Last September, the local data protection authority opened an investigation of ChatGPT following the grievance by a privacy and security researcher who also found he was unable to have misinformation about him corrected by OpenAI. That grievance also accuses the AI giant of failing to comply with the regulation’s transparency requirements.
The Italian data protection authority, meanwhile, still has an open investigation into ChatGPT. In January it produced a draft decision, saying then that it believes OpenAI has violated the GDPR in various ways, including in relation to the chatbot’s tendency to provide misinformation about people. The findings also pertain to other crux issues, akin to the lawfulness of processing.
The Italian authority gave OpenAI a month to reply to its findings. A final decision stays pending.
Now, with one other GDPR grievance fired at its chatbot, the danger of OpenAI facing a string of GDPR enforcements across different Member States has dialed up.
Last fall the corporate opened a regional office in Dublin — in a move that appears intended to shrink its regulatory risk by having privacy complaints funneled by Ireland’s Data Protection Commission, because of a mechanism within the GDPR that’s intended to streamline oversight of cross-border complaints by funneling them to a single member state authority where the corporate is “important established.”
