Italian Data Protection Authority Bans ChatGPT Until OpenAI Meets Privacy Compliance Requirements

On March 31, 2023, Italy’s Data Protection Authority (the Regulator) issued a press release detailing its order for an immediate ban on the artificial intelligence (AI) platform, ChatGPT (the Order).  The Order requires the US-based company behind ChatGPT, OpenAI, LLC, to temporarily cease processing Italian users’ data until it rectifies its privacy practices, which has resulted in ChatGPT being temporarily unavailable for users in Italy.

In the Order, the Regulator highlights several insufficient practices carried out by OpenAI, including (i) not providing information to users when collecting data through the ChatGPT service; (ii) having no legal basis to support the large collection and processing of personal data used to train ChatGPT; and (iii) there being no age verification mechanism in place, which “…exposes children to receiving responses that are absolutely inappropriate to their age and awareness”.

Following further communications, the Regulator provided another press release on April 12, 2023, stating that if OpenAI implemented certain immediate measures by April 30, then the Regulator would lift the ban.  These measures relate to the topics of transparency, user rights, and the legal basis for processing user data for AI training.  One of these measures requires OpenAI to change the legal basis for the processing of users’ personal data for algorithmic training to better align with compliance requirements.  In addition, OpenAI must publish a notice on its website informing users how data processing is carried out, the rationale for such processing, their rights as data subjects, and other details as applicable, including tools that allow data subjects to exercise their rights to object to the processing of their personal data for AI training purposes and obtain rectification or erasure of their personal data.  OpenAI must also add an age verification requirement that users connecting from Italy must undergo upon their initial access to the reactivated services.

Apart from the above immediate measures, the Regulator has also ordered that OpenAI:

1. submit to the Regulator a plan for the deployment of age verification tools by May 31, 2023; and
2. work with the Regulator to promote an information campaign by May 15, 2023, on all main Italian mass media to inform individuals that their personal data was likely to have been collected for the purpose of algorithmic training, an ad-hoc information notice has been published on OpenAI’s website, and there is a website tool available for data subjects to obtain erasure of their personal data.

The Regulator’s comments are currently making waves in the AI world, but it does not seem to be alone in its regulatory scrutiny of ChatGPT. Earlier this month, the Office of the Privacy Commissioner of Canada launched an investigation into OpenAI in response to a complaint alleging the collection, use and disclosure of personal information without consent.  It seems that this is just the beginning for privacy compliance discussions in the AI space.

Summary By: Imtiaz Karamat