ChatGPT-maker OpenAI on GDPR violations. OpenAI geo-blocked the service in Italy after Italy’s DPA ordered OpenAI to halt processing residents’ data for various GDPR violations at the end of last month.
Spanish I.P. addresses still allow ChatGPT access. However, the regulator has not ordered it to stop processing. “The Spanish Data Protection Agency (AEPD) has initiated ex officio preliminary investigation proceedings against the U.S. company OpenAI, owner of the ChatGPT service, for possible non-compliance with the regulations,” it says in a press release (translated from Spanish). The announcement doesn’t specify the AEPD’s concerns, but we’ve asked.
Italy’s DPA voiced GDPR concerns concerning ChatGPT, including OpenAI’s lawfulness, transparency, kid protection, and data access. It provided a list of modifications OpenAI must undertake by the end of the month to lift the local suspension order earlier this week.
OpenAI has not officially addressed the Italian agency’s requests. OpenAI denied comment on the Spanish probe.
The AEPD’s news statement indicates it urged the European Data Protection Board (EDPB), a GDPR steering body, to include ChatGPT in this week’s plenary session.
It asked because OpenAI’s “global processing operations may significantly impact the rights of individuals” and may necessitate “harmonized and coordinated actions at the European level.” “The Committee decided at today’s plenary session to launch a task force to promote cooperation and exchange information on data protection authorities’ actions,” the AEPD said.
The EDPB ChatGPT task group will work alongside authority probes. It may help the group coordinate GDPR enforcement on generative A.I. technologies. In the near run, early mover DPAs like Italy and Spain may finish their investigations and start enforcement action before the Board can make harmonized recommendations.
Italy’s DPA has suspended ChatGPT, while Spain’s AEPD has declared a preliminary investigation. However, Spain’s probe may be less advanced than Italy’s.
The AEPD “advocates for developing and implementing innovative technologies, such as artificial intelligence,” through public statements. However, it stressed that any development must conform with the E.U.’s data protection framework and GDPR rights and freedoms. See our deep dive on GDPR and generative AI.
