On March 2023, Italy’s Garante ordered a temporary stop-processing order on ChatGPT, saying it was concerned the services breach EU data protection laws. It also commenced an investigation into the suspected breaches of the General Data Protection Regulation (GDPR).
Garante issued a list of measures that OpenAI (the developers of ChatGPT) must implement in order to have the suspension order lifted by the end of April — including adding age-gating to prevent minors from accessing the service and amending the legal basis claimed for processing local users’ data.
OpenAI have addressed or clarified the issues raised by the Garante, including:
- A new help centre article on how they collect and use training data.
- Greater visibility of their Privacy Policy on the OpenAI homepage and ChatGPT login page.
- Greater visibility of their user content opt-out form in help center articles and Privacy Policy.
- Continuing to offer the existing process for responding to privacy requests via email, as well as a new form for EU users to exercise their right to object to the use of personal data to train the models.
- A tool to verify users’ ages in Italy upon sign-up.
A few days after OpenAI announced this set of privacy controls for its generative AI chatbot, the service has been made available again to users in Italy.
These cases strongly emphasise the importance of regulating AI, specifically with regards to data protection, as these systems collect masses of information, often without the consent of the information’s owners.