Italy, ChatGPT, and data protection


The GPDP (Garante per la protezione dei dati personali) has ruled on OpenAI’s ChatGPT service.

Following the blocking of ChatGPT by the Italian Data Protection Authority, the Authority issued a ruling on 11 April 2023.

The Authority highlights the willingness shown by the Company (OpenAI) to implement a series of concrete measures to protect the rights and freedoms of data subjects in relation to the use of ChatGPT.

The GPDP makes clear that these measures are established without prejudice to the continuation of the investigation already initiated, which will allow it to reassess whether the conditions that gave rise to the provisional measure still exist.

What measures must OpenAI comply with in Italy?

Here is a summary of the measures with which OpenAI must comply:

Develop and publish on its website a notice (ACTION 1) explaining to data subjects (including non-users of ChatGPT) whose data have been collected and processed for the purpose of training algorithms:

  • The processing methods.
  • The logic underlying the processing necessary for the operation of the service.
  • Their rights as data subjects.
  • Any other information required by article 12 of the GDPR.

Make available on its website, to data subjects connecting from Italy (including non-users of ChatGPT), one or more tools to:

  • Exercise their right to object to the processing of their personal data, obtained from third parties, carried out by the company for algorithm training and service provision purposes (MEASURE 2).
  • Request and obtain the rectification of personal data concerning them that has been processed inaccurately in the generation of content or, if this is impossible due to the state of the art, the deletion of their personal data (ACTION 3).
  • Exercise the right to object to the processing of their own data, acquired when using the service, for algorithm training purposes, if the legal basis chosen is legitimate interest (ACTION 6, related to ACTION 5).

Include a link to the information (ACTION 4), placed where it can be read before the user registers and before the first access after any reactivation of the service.

Change the legal basis for the processing (ACTION 5) of users’ personal data for algorithm training purposes. Any reference to the contract will be removed, and CONSENT or LEGITIMATE INTEREST will be adopted as the legal basis, according to the company’s own assessment under the accountability principle.

Include an age control (ACTION 7) that excludes minors, applying to all users connecting from Italy, including those already registered, should the service be reactivated.

Submit to the GPDP (by 31 May 2023) a plan for the adoption of age verification tools (ACTION 8), excluding from the service minors under 13 years of age and minors who lack the express consent of those exercising parental authority. The implementation of this plan will start no later than 30 September 2023.

Promote (by 15 May 2023) a non-promotional campaign (ACTION 9) in the main Italian media (radio, television, newspapers and internet), with content agreed with the GPDP, to inform people about the purposes of the personal data collection and to tell them that OpenAI’s website offers detailed information and tools that allow them to exercise their data protection rights.

In relation to Actions 1 to 7, the deadline for compliance is 30 April 2023.

The GPDP is not the only Authority putting OpenAI between a rock and a hard place by questioning its data protection compliance. The Spanish Data Protection Authority (AEPD) published a press release yesterday announcing that it has opened, ex officio, preliminary investigation proceedings against OpenAI for possible non-compliance with the regulations.

Last week, the AEPD asked the European Data Protection Board (EDPB) to include the ChatGPT service as a topic for discussion at its plenary meeting. The Board has already decided to launch a task force to promote cooperation and exchange information on the actions taken by data protection authorities.

Article written by:

Adriana Ranchal

Lawyer specialising in Privacy & IP



