Italy’s data protection agency, Garante, has issued a set of mandates for OpenAI’s ChatGPT service following concerns raised about possible privacy violations and failure to verify the age of users. The watchdog had suspected the artificial intelligence chatbot service of violating the European Union’s General Data Protection Regulation (GDPR) and had mandated the United States-based firm to halt the processing of data belonging to individuals residing in the country.
In a press release, Garante outlined the actions that OpenAI must take to revoke the order imposed on ChatGPT. The mandates require OpenAI to increase its transparency and issue an information notice comprehensively outlining its data processing practices. The statement also requires OpenAI to implement age-gating measures immediately to prevent minors from accessing its technology and adopt more stringent age verification methods.
OpenAI must specify the legal grounds it relies upon for processing individuals’ data to train its AI, and it cannot rely on contract performance. This means that OpenAI must choose between obtaining user consent or relying on legitimate interests. Currently, OpenAI’s privacy policy references three legal bases but appears to give more weight to the performance of a contract when providing services such as ChatGPT.
Furthermore, OpenAI must enable users and non-users to exercise their rights regarding their personal data, including requesting corrections for any misinformation generated by ChatGPT or deleting their data. The regulatory agency mandated that OpenAI allow users to object to processing their data to train its algorithms. OpenAI is also required to conduct an awareness campaign in Italy to inform individuals that their information is being processed to train its AIs.
Garante has set a deadline of April 30 for OpenAI to complete most of these tasks. OpenAI has been granted additional time to comply with the extra demand of migrating from the existing, age-gating child safety technology to a more resilient age verification system. Specifically, OpenAI has until May 31 to submit a plan outlining the implementation of age verification technology that screens out users under 13 years old (and those aged 13 to 18 who have not obtained parental consent). The deadline for deploying this more robust system is set for Sept. 30.
In response to the mandates, OpenAI has taken ChatGPT offline in Italy. The company has been granted additional time to comply with the age verification technology demands, but must still ensure that it meets the April 30 deadline for other compliance requirements.
OpenAI’s ChatGPT service has gained significant attention for its ability to generate natural language responses that can mimic human conversation. However, concerns have been raised about the impact of such technology on privacy and the potential for misuse, particularly with regards to minors.
This is not the first time that OpenAI has faced regulatory scrutiny. In 2019, the company announced that it would not release a powerful language-generating AI model due to concerns about its potential misuse. The company has since released similar models with additional safeguards in place.
In conclusion, Garante’s mandates for OpenAI’s ChatGPT service aim to ensure compliance with GDPR and protect the privacy of individuals, particularly minors.