photo
20.09.2023

The technology has to be compliant with the GDPR

The Personal Data Protection Office is handling a complaint on ChatGPT, in which the complainant accuses the tool's creator, OpenAI, of, among other things, processing data in an unlawful, unreliable manner and that the rules on which this is done are not transparent.

The proceedings will certainly be one of the difficult ones, it concerns a company located outside the European Union, and ChatGPT itself is a new and in fact still undiscovered - also for new technology researchers - tool using generative artificial intelligence.

– “The case involves the breach of a number of data protection provisions, so we will ask Open AI to answer a number of questions in order to be able to thoroughly conduct administrative proceedings” – says Jan Nowak, President of the Polish supervisory authority. He assures that the Office is taking the matter very seriously. And he adds that these are not the first doubts as to ChatGPT's compliance with European data protection and privacy rules. – “The European Data Protection Board has set up a special working group on OpenAI” – Jan Nowak points out.

In this case, the complainant turned to the Polish supervisory authority after his requests relating to the exercise of his rights under GDPR were not completed by OpenAI. As it turns out, ChatGPT generated inaccurate information about the complainant in response to his request. In turn, the request for its rectification was not fulfilled by OpenAI, despite the fact that every controller is obliged to process accurate data. It was also not possible for the complainant to find out what data CharGPT was processing about him at all. However, this is not the end of the matter. He also resents the company for breaching Article 12 and Article 5(1)(a) of the GDPR in its response to his requests. It gave him evasive, misleading and, in addition, contradictory answers. And this has only fuelled concerns about the legality as well as the transparency of the processing of personal data by the developer of this tool. He points to a lack of transparency in the company's data processing rules, which is supposed to be evidenced both by correspondence with the company, but also by its privacy policy.

In the complaint sent to the Polish supervisory authority, we also read that the company did not fulfil its information obligation towards the complainant. It acquired this person's data in 2021. And according to the complainant, the information obligation should have already been fulfilled at the stage of processing of data acquired for the training of artificial intelligence language models. The company also failed to inform the complainant of the source of the data on him or of the recipients or categories of recipients of those data.

The complainant requests that the Personal Data Protection Office not only oblige OpenAI to properly exercise its rights under the GDPR, but also examine the compliance of OpenAI's ChatGPT personal data processing model with data protection regulations.

Jakub Groszkowski, Deputy President of the Personal Data Protection Office, points out that artificial intelligence technology, in this case the so-called large model language (LLM), has entered the commercial stage and into widespread use. In his opinion, there is no doubt that this is a breakthrough technology and a watershed moment. – “The development of new technologies has to respect the rights of individuals under, inter alia, the GDPR. It is the task of the European data protection authorities to protect EU citizens from the negative effects of information processing technologies”, notes Jakub Groszkowski.

He adds that the allegations in the complaint raise doubts about OpenAI's systemic approach to european data protection principles. The Office will therefore clarify these doubts, in particular against the background of the fundamental principle of privacy by design contained in the GDPR.