
Article

30 Aug 2023

Author:
Natasha Lomas, TechCrunch

Poland: ChatGPT faces complaint for alleged privacy violations

"ChatGPT-maker OpenAI accused of string of data protection breaches in GDPR complaint filed by privacy researcher", 30 August 2023

Questions about ChatGPT-maker OpenAI’s ability to comply with European privacy rules are in the frame again after a detailed complaint was filed with the Polish data protection authority...

The complaint, which TechCrunch has reviewed, alleges the U.S.-based AI giant is in breach of the bloc’s General Data Protection Regulation (GDPR) — across a sweep of dimensions: Lawful basis, transparency, fairness, data access rights, and privacy by design are all areas it argues OpenAI is infringing EU privacy rules.

Indeed, the complaint frames the novel generative AI technology and its maker’s approach to developing and operating the viral tool as essentially a systematic breach of the pan-EU regime. Another suggestion, therefore, is that OpenAI has overlooked another requirement in the GDPR to undertake prior consultation with regulators (Article 36) — since, if it had conducted a proactive assessment which identified high risks to people’s rights unless mitigating measures were applied it should have given pause for thought. Yet OpenAI apparently rolled ahead and launched ChatGPT in Europe without engaging with local regulators which could have ensured it avoided falling foul of the bloc’s privacy rulebook.

OpenAI is not main established in any EU Member State for the purpose of GDPR oversight, which means it remains exposed to regulatory risk in this area across the bloc. So it could face outreach from DPAs acting on complaints from individuals anywhere in the bloc.

Confirmed violations of the GDPR, meanwhile, can attract penalties as high as 4% of global annual turnover. DPAs’ corrective orders may also end up reworking how technologies function if they wish to continue operating inside the bloc.

Complaint of unlawful processing for AI training

The 17-page complaint filed yesterday with the Polish DPA is the work of Lukasz Olejnik, a security and privacy researcher, who is being represented for the complaint by Warsaw-based law firm, GP Partners.

Olejnik tells TechCrunch he became concerned after he used ChatGPT to generate a biography of himself and found it produced a text that contained some errors. He sought to contact OpenAI, towards the end of March, to point out the errors and ask for the inaccurate information about him to be corrected. He also asked it to provide him with a bundle of information that the GDPR empowers individuals to get from entities processing their data when the information has been obtained from somewhere other than themselves, as was the case here.

Per the complaint, a series of email exchanges took place between Olejnik and OpenAI between March and June of this year. And while OpenAI responded by providing some information in response to the Subject Access Request (SAR) Olejnik’s complaint argues it failed to produce all the information it must under the law — including, notably, omitting information about its processing of personal data for AI model training. 

Under the GDPR, for personal data processing to be lawful the data controller needs a valid legal basis — which must be transparently communicated.

...he argues the company processed his data “unlawfully, unfairly, and in a non-transparent manner”. “From the facts of the case, it appears that OpenAI systemically ignores the provisions of the GDPR regarding the processing of data for the purposes of training models within ChatGPT, a result of which, among other things, was that Mr. Łukasz Olejnik was not properly informed about the processing of his personal data,” the complaint notes. 

It also accuses OpenAI of acting in an “untrustworthy, dishonest, and perhaps unconscientious manner” by failing to be able to comprehensively detail how it has processed people’s data.

... the GDPR requires not only a lawful basis for processing people’s data but transparency and fairness vis-a-vis any such operations. So OpenAI appears to have got itself into a triple bind here. Although it remains to be seen how EU regulators will act on such complaints as they weigh how to respond to generative AI chatbots.

Right to correct personal data ignored

Another aspect of Olejnik’s beef with OpenAI fixes on errors ChatGPT generated about him when asked to produce a biography — and its apparent inability to rectify these inaccuracies when asked. Instead of correcting falsehoods its tool generated about him, he says OpenAI initially responded to his ask by blocking requests made to ChatGPT that referenced him — something he had not asked for.

Subsequently it told him it could not correct the errors. Yet the GDPR provides individuals with a right to rectification of their personal data.

The complaint goes on to argue OpenAI “should develop and implement a data rectification mechanism based on an appropriate filter/module that would verify and correct content generated by ChatGPT (e.g., based on a database of corrected results)”, suggesting: “It is reasonable in the context of the scope of the obligation to ensure data accuracy to expect OpenAI to correct at least data reported or flagged by users as incorrect.”

“We believe that it is possible for OpenAI to develop adequate and GDPR-compliant mechanisms for correcting inaccurate data (it is already possible to block the generation of certain content as a result of a blockade imposed by OpenAI),” it adds. “However, if, in OpenAI’s opinion, it is not possible to develop such mechanisms — it would be necessary to consult the issue with the relevant supervisory authorities, including, for example, through the prior consultation procedure described in Article 36 of GDPR.”

Data protection incompatibility by design?

The complaint also seeks to spotlight what it views as a total violation of the GDPR’s principle of data protection by design and default.

“The way the ChatGPT tool was designed, taking into account also the violations described [earlier] in the complaint (in particular, the inability to exercise the right to rectify data, the omission of data processing operations for training GPT models) — contradicts all the indicated assumptions of the principle of data protection by design,” it argues. “In practice, in the case of data processing by OpenAI, there is testing of the ChatGPT tool using personal data, not in the design phase, but in the production environment (i.e., after the tool is made available to users).

We’ve asked OpenAI to respond to the complaint’s claims that its AI chatbot violates the GDPR and also to confirm whether or not it produced a data protection impact assessment prior to launching ChatGPT.

Additionally, we’ve asked it to explain why it did not seek prior consultation with EU regulators to get help on how to develop such a high risk technology in a way that could have mitigated GDPR risks. At the time of writing it had not responded to our questions but we’ll update this report if we get a response.

We’ve also reached out to the Polish DPA about the complaint. However EU DPAs don’t often have much to say on open complaints.

In another step, the complaint urges the Polish regulator to require OpenAI to submit a data protection impact assessment (DPIA) with details of its processing of personal data for purposes related to ChatGPT ...

For his part, Olejnik says his hope in bringing the complaint against OpenAI and ChatGPT is that he will be able to properly exercise all the GDPR rights he has found himself unable to so far.