


UK Editor

Italian privacy regulator bans ChatGPT over collection, storage of personal data

Apr 13, 2023 · 4 mins
Artificial Intelligence, Data Privacy, Regulation

Italy’s privacy Guarantor bans ChatGPT with immediate effect as it investigates its data privacy procedures.

Italy’s data privacy regulator has banned ChatGPT over alleged privacy violations relating to the chatbot’s collection and storage of personal data. With immediate effect, the Guarantor for the protection of personal data has ordered the temporary limitation of the processing of data of Italian users by ChatGPT parent firm OpenAI until it complies with EU General Data Protection Regulation (GDPR) privacy laws. It has also launched an investigation into ChatGPT, the Guarantor said. The ban comes in the wake of an open letter in which Twitter owner Elon Musk and a group of AI industry executives called for a six-month pause in developing systems more powerful than OpenAI’s newly launched GPT-4, citing potential risks to society.

ChatGPT lacks “legal basis” for mass collection, storage of personal data

In the provision, the privacy Guarantor noted the lack of information to users and all interested parties whose data is collected by OpenAI, along with the absence of a legal basis that justifies the mass collection and storage of personal data for the purposes of training the algorithms underlying the operation of the platform.

“As evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus determining an inaccurate processing of personal data,” it added. What’s more, the Authority pointed out the absence of a filter for verifying the age of users, exposing minors to “unsuitable answers” compared to their degree of development and self-awareness. According to the terms published by OpenAI, the service is aimed at people over the age of 13.

“OpenAI, which does not have an office in the Union [EU] but has designated a representative in the European Economic Area, must communicate within 20 days the measures undertaken in implementation of what is requested by the Guarantor, under penalty of a fine of up to 20 million euros or up to 4% of the annual global turnover,” the privacy Guarantor wrote.

Last week, OpenAI confirmed that a bug in an open-source library allowed some ChatGPT users to see titles from another active user’s chat history. The same bug may also have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window.

Update: Italy’s Guarantor to conditionally lift ChatGPT ban

On April 12, the Guarantor said it will lift its temporary ban on ChatGPT if OpenAI meets a set of data protection requirements by April 30. The Guarantor ordered that OpenAI will need to comply with measures concerning transparency, the right of data subjects – including users and non-users – and the legal basis for the processing for algorithmic training relying on users’ data. Only in that case will the regulator lift its order that placed a temporary limitation on the processing of Italian users’ data.

Among the requirements are:

  • An information notice describing the arrangements and logic of the data processing required for the operation of ChatGPT, along with the rights afforded to data subjects
  • The removal of all references to contractual performance, with reliance instead on either consent or legitimate interest as the applicable legal basis for the processing of users’ personal data for training algorithms
  • Accessible tools that allow non-users to exercise their right to object to the processing of their personal data as relied upon for the operation of the algorithms
  • An age gating system for the purpose of signing up to the service
  • An information campaign through radio, TV, newspapers, and the internet to inform individuals about the use of their personal data for training algorithms

The Guarantor said it will carry on its inquiries to establish possible infringements of the legislation in force and may decide to take additional or different measures if this proves necessary upon completion of the fact-finding exercise already under way.


Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
