German Regulators Begin Inquiry into ChatGPT Compliance with GDPR

August 16, 2023

By Kyrie Mattos

OpenAI is facing an investigation by German state regulators concerning its privacy practices and compliance with the European Union’s General Data Protection Regulation (GDPR). German regulators are seeking answers about the firm’s intentions and its ability to adhere to the EU’s stringent data privacy laws.

On April 24th, 2023, experts at Crypto Minded published a press release stating that regulators are inquiring whether a data protection impact assessment was carried out and whether data protection risks are under control. The country is also requesting information on issues arising from the European GDPR.

Commissioner for the Northern German state of Schleswig-Holstein, Marit Hansen, said that “regulators in Germany want to know if a data protection impact assessment has been carried out and the data protection risks are under control.” Commissioner Hansen also noted that “the country was also asking OpenAI for information on issues that stem from European General Data Protection Regulation. It is also necessary to clarify how these rights can be exercised”. The Commissioner added, “Regulators were particularly concerned about processing data relating to minors. As soon as personal data of European citizens is processed, European data protection law must be respected”.

Background on OpenAI

OpenAI was established in December 2015 in the United States. It is an artificial intelligence (AI) research laboratory. ChatGPT is a tool powered by AI that allows users to chat and get answers to almost any question and has taken the world by storm. Most governments across the globe are starting to notice these tools and have launched investigations into OpenAI’s ChatGPT.

Other Countries Probing OpenAI Data Protection

This development is not unexpected, as the German watchdog group has recently recommended further examination, which adds to the complex situation OpenAI is presently facing in Europe. In March 2023, OpenAI released its GPT-4 model and started encountering increased scrutiny from European regulators. That same month, Italy became the first Western nation to impose a ban on the products over allegations that its data-gathering broke privacy laws. Italy’s data protection agency mandated, “OpenAI must increase its transparency and issue an information notice comprehensively outlining its data processing practice.”

The mandate added that “the statement requires OpenAI to implement age-gating measures immediately to prevent minors from accessing its technology and adopt more stringent age verification methods.” The mandate also required OpenAI to specify the legal grounds for processing individual data and to allow users and non-users to exercise their rights regarding their data.

These include corrections for any misinformation generated by ChatGPT or deleting their data. OpenAI had until March 31st, 2023, to submit a plan outlining the implementations of the order imposed on ChatGPT, with a deadline for deploying a robust system set for September 31st, 2023. On March 31st, 2023, OpenAI took ChatGPT offline in Italy following the concerns raised by the national data protection agency regarding possible privacy violations and negligence in verifying the age of users. Italy has asked OpenAI to adjust its ChatGPT so it can return online at the end of April 2023.

On April 14th, 2023, France said it had opened a formal procedure after receiving five complaints, three of which were made public. However, France’s data protection regulator (CNIL) made no official announcements. According to the French journal, the first complaint came from Zoe Villain, a lawyer and President of Janus International, an association that raises awareness of digital issues. In her complaint sent to the CNIL on April 4th, 2023, Villain said, “OpenAI did not ask me to consent to any terms of use or privacy policy when signing up.” She added that she “was unable to access the personal data the company retained.”

The second complaint came from David Libeau, a developer who wrote in a blog post, “OpenAI lacks transparency and fairness and fails to safeguard people’s right to data protection.” The third complaint was sent to the CNIL on April 12th, 2023, by a Member of Parliament, Eric Bothorel. To test the tool, Bothorel asked ChatGPT for information about himself, and it returned inaccurate results, including his date of birth. He said, “ChatGPT often gives erroneous information.” Bothorel has organized a seminar on ChatGPT for French members of parliament on May 9th, 2023, at the National Assembly. In the meantime, the French city of Montpellier has banned officials from using ChatGPT as a precaution.

On April 13th, 2023, Spain’s Data Protection Agency (AEPD) announced an independent investigation of OpenAI’s practices for possible breaches. It has opened an inquiry into the software and its US owner. AEPD also requested that the EU’s data protection watchdog include ChatGPT on the agenda of its next plenary meeting.

Impact on OpenAI Users

The common issue raised by regulators across Europe relates to the training data used to build the GPT artificial intelligence models. Currently, users cannot correct the model if it makes a mistake, nor can they opt out of having their data included. However, under the GDPR, users are entitled to have their data corrected so that it is accurate or removed from the system altogether. Many OpenAI users, mainly those paying premium subscription fees for business or personal access to the company’s GPT API, are caught up in the ongoing situation.

Moreover, crypto traders and analysts building advanced bots on the API or using third-party apps built on the API to trade autonomously or predict the EU market could find themselves swept up in any binding litigation or sweeping bans. If such a ban is enforced, it could force any individual or company using these bots for cryptocurrency analysis or trading, such as exchanges, blockchain firms, and news sites, to conduct their operations outside the EU.

Several countries are pressing OpenAI for a response, but it remains to be seen how the company intends to respond, as requests for comment have not yet been returned. However, German regulators have indicated that they expect OpenAI to respond to their inquiries by June 11, 2023.

Byline: Hannah Parker
