OpenAI’s ChatGPT Investigated by Polish Authorities for GDPR Violations

OpenAI is now under investigation for potential violations of European Union privacy laws following a GDPR complaint filed in Poland. The complaint, submitted last month, alleges several breaches of the EU’s General Data Protection Regulation (GDPR) by ChatGPT and OpenAI. The Polish data protection authority, known as the Office for Personal Data Protection (UODO), has publicly confirmed the launch of its investigation.

In a statement, UODO explained, “The Office for Personal Data Protection is investigating a complaint about ChatGPT. In it, the complainant accuses the tool’s creator, OpenAI, of, among other things, processing data in an unlawful, unreliable manner. Also, the rules under which this is done are opaque.”

The authority acknowledged the unique challenges posed by this investigation. This is OpenAI’s location outside the EU and the novel nature of generative AI chatbot technology the investigation. UODO’s President, Jan Nowak, emphasized the seriousness of the case. He states, “The case concerns the violation of many provisions of the protection of personal data, so we will ask OpenAI to answer several questions to conduct the administrative proceedings thoroughly.”

Jakub Groszkowski, Deputy President of UODO, issued a warning, emphasizing that new technologies must adhere to the legal framework and respect GDPR principles. He highlighted allegations in the complaint that raised doubts about OpenAI’s approach to European data protection principles, particularly the principle of privacy by design.

The complaint, filed by privacy and security researcher Lukasz Olejnik, focuses on OpenAI’s response to a request to correct inaccurate personal data generated by ChatGPT and its handling of subject access requests. Olejnik contends that OpenAI provided evasive, misleading, and contradictory responses when he sought to exercise his legal rights to access his data.

ChatGPT operates on a large language model (LLM) that has been trained on a wide range of natural language data. However, OpenAI’s data collection practices, including scraping the public internet for training data without consent, have raised concerns about GDPR compliance. Additionally, ChatGPT’s inability to explain its data processing methods or correct errors when generating false information about individuals has contributed to regulatory scrutiny.

The GDPR mandates that personal data processing must have a lawful basis, transparency, and fairness. It also grants individuals in the EU various data access rights, including the right to rectify incorrect data. Olejnik’s complaint challenges OpenAI’s compliance with these GDPR requirements, potentially influencing the development and regulation of generative AI.

In response to UODO’s investigation confirmation, Lukasz Olejnik commented, “Focusing on privacy by design/data protection by design is absolutely critical, and I expected this to be the main aspect. So this sounds reasonable. It would concern the design and deployment aspects of LLM systems.”

The speed and transparency of the Polish authority’s response to the complaint are noteworthy. This investigation adds to OpenAI’s growing regulatory challenges in the European Union, with Italy’s Data Protection Authority temporarily suspending ChatGPT in the country and Spain’s DPA also launching a probe. 

Additionally, a task force established by the European Data Protection Board is examining how to regulate AI chatbot technology. This could potentially lead to more harmonized approaches among EU privacy watchdogs. However, individual authorities can still conduct their own investigations. OpenAI’s recent establishment of an office in Dublin, Ireland, may play a role in addressing GDPR complaints in the future. However, until that doesn’t happen, investigations can occur anywhere in the EU.