GDPR, which stands for the General Data Protection Regulation is a set of guidelines that was implemented to replace the 1995 Data Protection Directive, which was previously used in many European countries.
Because of the increasing prevalence of the internet, the EU Parliament decided there was a need to update the data guidelines, so that they would align with a more interconnected world. However, when the GDPR was created, AI chatbot ChatGPT wasn’t even a thing.
So, does ChatGPT violate GDPR? Basically ChatGPT does not violate GDPR, but like many questions, it’s complicated. We’ll go over the issues with you below.
GDPR, Privacy, and the Internet
Before the GDPR, each European country had the freedom to establish and customize its own privacy regulations. This regulatory regime obviously created challenges for businesses that operate across borders. They had to navigate multiple privacy requirements, as well as ensure compliance with all of them.
The GDPR resolved this problem by establishing one set of guidelines and requirements that businesses are able to refer to whenever they conduct business across EU member states. The regulation officially came into effect on May 25, 2018, and has since become the guiding framework for privacy laws in the European Union.
The GDPR established one set of guidelines and requirements that businesses are able to refer to whenever they conduct business across EU member states. The regulation officially came into effect on May 25, 2018, and has since become the guiding framework for privacy laws in the European Union.
It should be noted that the United Kingdom has its own version of the GDPR, which is based on the EU version, but was created by the UK Information Commissioner’s Office as part of the 2018 Data Protection Act following Brexit, when the country left the EU.
Does ChatGPT Violate GDPR?
In March 2023, the Italian Data Protection Authority, known as the Garante, put a ban on the use of ChatGPT. It deemed that the wildly popular AI chatbot that had recently been launched was breaching GDPR, since there was no lawful basis for it processing personal data.
The Garante was also concerned that ChatGPT wasn’t transparent about letting users know about its data collection operations.
In addition, the lack of age verification meant that minors could be exposed to inappropriate generated content.
However, the Italian ban was soon lifted, after ChatGPT’s parent company, OpenAI, claimed to have implemented changes that would be satisfactory to the regulators. But it made many people question how ChatGPT and other generative AI applications would co-exist with current data privacy regulation, as well as copyright and intellectual property.
The Italian ban was soon lifted, after ChatGPT’s parent company, OpenAI, claimed to have implemented changes that would be satisfactory to the regulators. But it made many people question how ChatGPT and other generative AI applications would co-exist with current data privacy regulation.
So, does ChatGPT actually violate GDPR? And what are the data protection issues that have arisen between the various Eurozone countries and ChatGPT? Let’s take a closer look at the GDPR itself to see…
The Key GDPR Objectives
The GDPR was implemented by the EU in 2018, designed to protect the data of citizens in the European Economic Area (EEA), and give them greater control over their personal information. Some of the regulation’s key features include the fact that individuals are given the rights to rectify, restrict, and erase their personal data on databases.
In addition, whenever there is a data breach, an organization or business must promptly notify the appropriate supervisory authority, as well as all of the individuals affected, because of the risk to their individual rights and freedoms.
The GDPR also imposes restrictions on the transfer of personal data to countries that are outside of the EU, and don’t provide the same level of data protection. Plus there are significant penalties for non-compliance, which includes fines of up to 4% of annual global turnover or €20 million, whichever is higher.
This all means that the GDPR’s main aim is to establish a high standard of privacy rights and protections for individuals across the EU member states, placing a strong emphasis on the transparency, accountability, and responsible handling of personal data among organisations and businesses.
And as far as generative AI large language models go, because they don’t have access to personal data, nor do they store personal information, technically it means that they should not violate GDPR.
And as far as generative AI large language models go, because they don’t have access to personal data, nor do they store personal information, technically it means they should not violate GDPR.
However, it’s very important to note that the way ChatGPT is used by different platforms or organizations can impact GDPR compliance.
For instance, if personal data is collected, processed, or stored during the conversation with ChatGPT, the platform or organization that is responsible for the implementation needs to ensure compliance with GDPR regulations.
Different Countries, Different Issues
In order to get the Italian ban lifted, OpenAI implemented measures to prioritize user privacy and data protection to ensure compliance with the GDPR. However, the data protection challenges associated with the latest AI systems, including ChatGPT, are a concern for different Eurozone countries.
For instance, there are currently ongoing discussions to further develop guidelines that ensure the ethical use of artificial intelligence across many Eurozone countries, including issues that are related to its transparency and accountability.
Some countries in the EU, such as Ireland, have shown interest in investigating the reasons behind Italy’s ban on the AI chatbot. Others have suggested that banning these emerging systems may not be the optimal solution, just like the UK government has been reported as saying.
So, to address this situation, the European Data Protection Board has established a dedicated task force to investigate ChatGPT, with the goals of enhancing collaboration among data protection authorities, and facilitating the sharing of information and enforcing measures.
However, the German Federal Commissioner for Data Protection and Freedom of Information has indicated that the country could follow Italy in banning ChatGPT, due to concerns over data security. This suggests that other countries could also take similar actions if they believe that ChatGPT violates their data protection regulations.
In addition, Spain’s AEPD data protection agency has begun an investigation into OpenAI for possible breaches of data protection regulations. And while the AEPD does support the development and implementation of innovative technologies like AI, it wants to ensure that they are in compliance with the existing GDPR legislation.
In the UK, the response to Italy’s ban focused on the development of guidelines for the ethical use of AI, rather than adding restrictions. The UK government has been making significant investments in its AI sector, which means that it’s unlikely to impose restrictions on ChatGPT, without compelling evidence of harm.
Regarding the disclosure of AI usage by IT contractors though, the UK government took steps toward increased transparency and ethical use of AI by releasing proposed regulations for organizations using the emerging technology.
The new guidelines suggest that companies should openly communicate their use of AI, as well as provide clear information to stakeholders regarding when and how it is use. However, the guidelines aren’t legally binding.
The EU AI Objective
At the end of May 2023, Margrethe Vestager, the European Commission’s executive vice president, announced at the of the US-EU Trade & Tech Council that the EU is in talks with the US to develop an AI Code of Conduct that will regulate the use of the emerging technology.
France’s digital minister, Jean-Noël Barrot, has also argued that it is more sensible to regulate and master new technologies, rather than attempting an outright ban.
This means that OpenAI, and other generative AI applications, will probably be faced with increased scrutiny from the European regulators, as the compliance of data protection regulations become vital for companies operating within the EU.
ChatGPT’s Italian incident serves as a reminder that artificial intelligence companies can’t disregard regulatory compliance if they want to roll out the service to users who live within the EU.
Whether other Eurozone countries will take similar actions against ChatGPT, or indeed other AI chatbots, remains to be seen. But does ChatGPT violate GDPR? Technically not, but the Italian situation underscored the significance of adhering to GDPR regulations for companies developing and deploying AI systems in Europe.