A complaint has been filed against OpenAI by privacy researcher Lukasz Olejnik, alleging that the company has violated the General Data Protection Regulation (GDPR). The complaint, filed with the Polish data protection authority, accuses OpenAI of breaching several aspects of EU privacy rules, including transparency, fairness, data access rights, and privacy by design. According to the complaint, OpenAI failed to engage with local regulators before launching its ChatGPT tool in Europe, potentially violating GDPR requirements for prior consultation.
GDPR Concerns for ChatGPT
This is not the first time that OpenAI and its ChatGPT tool have faced GDPR concerns. Earlier this year, Italy’s privacy watchdog ordered OpenAI to stop processing data locally due to issues related to lawful basis, information disclosures, user controls, and child safety. While ChatGPT was able to resume its service in Italy after making adjustments, the investigation by the Italian Data Protection Authority is ongoing, and other EU regulators are also looking into the matter.
OpenAI’s lack of establishment in any EU member state for GDPR oversight exposes it to regulatory risk across the bloc. Violations of the GDPR can result in penalties of up to 4% of global annual turnover. Additionally, corrective orders from data protection authorities may require OpenAI to make changes to ensure compliance with privacy regulations.
A complaint has been filed against OpenAI for alleged violations of the GDPR, including transparency, fairness, and privacy by design. This is not the first time ChatGPT has faced GDPR concerns, with Italy’s privacy watchdog ordering OpenAI to halt data processing earlier this year. OpenAI’s lack of establishment in an EU member state exposes it to regulatory risk, potentially resulting in significant penalties and corrective measures.
Unlawful Processing and Lack of Transparency
Olejnik’s complaint centers around OpenAI’s processing of personal data for training AI models without a valid legal basis and in a non-transparent manner. The complaint argues that OpenAI failed to provide sufficient information about its data processing operations, notably omitting details about its processing of personal data for training models. OpenAI’s alleged obfuscation and lack of transparency potentially violate GDPR requirements for lawful processing and fairness.
The complaint accuses OpenAI of processing personal data “unlawfully, unfairly, and in a non-transparent manner.” It also alleges that OpenAI’s inability to correct inaccuracies generated by ChatGPT violates individuals’ right to rectification of their personal data. Furthermore, the complaint highlights OpenAI’s failure to comply with the GDPR’s principle of data protection by design and default, as the company’s actions contradict the regulations’ requirements.
Possible Outcome and Next Steps
The Polish data protection authority will investigate the complaint, a process that could take anywhere from six months to two years. If the violation is confirmed, OpenAI may be ordered to address Olejnik’s rights and bring its data processing operations in compliance with the GDPR. The complaint also calls for OpenAI to submit a data protection impact assessment (DPIA), which is a standard element of GDPR compliance, to provide more clarity on its processing of personal data related to ChatGPT.
Olejnik hopes that through this complaint, he will be able to exercise his GDPR rights properly. He emphasizes the importance of the GDPR process in addressing privacy concerns and ensuring compliance.