BACKGROUND:
Several European Supervisory Authorities initiated data protection investigations against the company OpenAI for processing operations carried out in the context of the ChatGPT service.
Meanwhile, the European Data Protection Board (‘EDPB’) decided, on 13 April 2023, to create a taskforce to promote cooperation and exchange information on actions carried out by Supervisory Authorities.
MOST RELEVANT PRELIMINARY CONSIDERATIONS OF ChatGPT’s GDPR COMPLIANCE:
1. Lawfulness: the first stages of the processing of personal data (collection of data, preprocessing of personal data and training) carry particular risk for the fundamental rights and freedoms of natural person as “web scraping” enables the automated collection and extraction of certain information from different publicly available sources on the Internet.
The assessment of the legitimate interest as an appropriate legal basis for this purpose is still subject to pending investigations. In any case, the EDPB points out several measures that have to be taken by the controller, such as:
(i) To define precise collection criteria and ensuring that certain data categories are not collected (e.g. public social media profiles); as well as
(ii) To delete or anonymise personal data that has been collected via web scraping before the training stage.
2. Fairness: the responsibility for ensuring compliance with General Data Protection Regulation (“GDPR”) should not be transferred to the data subjects; e.g. by placing a clause in the Terms and Conditions that data subjects are responsible for their chat inputs.
3. Transparency: when web scrapping personal data large amounts of data are collected, it is usually not possible to inform each data subject about the circumstances. Therefore, the exemption pursuant Art. 14(5)(b) GDPR could apply, as long as all requirements of this provision are fully met.
4. Data Accuracy: it is of importance that proper information on the probabilistic output creation mechanisms and on their limited level of reliability is provided by the controller, including explicit reference to the fact that the generated text, although syntactically correct, may be biased or made up. Although the measures taken in order to comply with the transparency principle are beneficial to avoid misinterpretation of the output of ChatGPT, they are not sufficient to comply with the data accuracy principle.
Finally, the EDPB provides a common set of questions to be used by the Supervisory Authorities as a starting basis for their exchanges with OpenAI.
The investigations conducted by the respective Supervisory Authorities are currently ongoing. Therefore, considerations made in the EDPB report are to be regarded as preliminary view on certain aspects of the investigations.