Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

OpenAI’s ChatGPT banned in Italy

April 18, 2023By Preiskel & Co

On 31 March 2023, the Italian Data Protection Authority (“DPA”) imposed a temporary ban and launched an investigation into the OpenAI-powered platform ChatGPT’s compliance with the General Data Protection Regulation (“GDPR”) following a data breach. The data breach took place on March 20th over a critical nine-hour period that left ChatGPT Plus (the subscription version of the chatbot) users’ chat history and payment-related information exposed and visible to other users. The breach was followed by an investigation carried out by the Italian DPA, which highlighted several issues with ChatGPT’s system which found that:

  • There is no legal basis for the “massive collection and processing of personal data in order to train the algorithms on which the platform relies”;
  • ChatGPT occasionally processes and generates inaccurate personal information about its data subjects; and
  • ChatGPT also has inadequate age verification mechanisms to determine whether users meet minimum age requirements.

The issues

The first issue surrounds the legal basis on which ChatGPT relies for the collection and processing of such large quantities of data. Under the GDPR, legal basis must be established by either; (i) obtaining consent to process data, or (ii) having one of the legitimate reasons under Article 6 to process personal data. It was determined by the Italian DPA that ChatGPT could not successfully establish such legal basis through either of these avenues, merely claiming that such collection and processing is necessary for the purpose of continuously training their algorithms.

The investigation further brought about concern that ChatGPT is using and generating inaccurate information. The Italian DPA acknowledged concerns surrounding the ability of AI to generate factually inaccurate information about real people, at a clear detriment to its users. This constitutes another example of non-compliance with the GDPR Article 5(1)(d) which stipulates that personal data shall be “accurate and, where necessary kept up to date”.

The investigation further revealed the inadequacies of ChatGPT’s age verification mechanisms or lack thereof, as the system failed to implement a process to verify that its users satisfy the minimum age requirement of 13, as set out in ChatGPT’s Terms of Use. The Italian DPA was gravely alarmed about the lack of verification which “exposes children to receiving responses that are absolutely inappropriate to their age and awareness”.

Next steps for ChatGPT and AI systems

In the absence of a legal entity in the EU, OpenAI’s European representative shall now have 20 days to report back to the Italian Supervisory Authority with the measures that have been implemented to rectify these issues. On 5 April OpenAI began such conversations with the Italian DPA with an optimistic attitude towards lifting their ban, although an official outcome is yet to be announced. If the Italian DPA determine that OpenAI have failed to implement adequate corrective measures, the platform may face fines of up to €20 million or 4% of their total worldwide annual turnover.

The increasing threats that AI continues to pose are likely to push the European Parliament even more so in the direction of getting their highly anticipated EU Artificial Act over the line in attempt to regulate such a data-sensitive industry. However, whilst developers should pre-empt new landmark AI laws and regulation, the ChatGPT ban should serve as a fundamental reminder that the existing GDPR should not be an afterthought, given that AI development shall always inevitably involve the processing of large pools of data.

Meanwhile in the UK, the Information Commissioner’s Office released a statement stressing that “there really can be no excuse for getting the privacy implications of generative AI wrong”. Their statement is supplemented with addition guidance for AI platform development to ensure that developers maintain ongoing adherence and have an adequate legal basis for their data processing activities within the scope of the UK GDPR.

Find the Italian DPA’s temporary ban here.

Please contact Jose Saras and Xavier Prida if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

 

Leave Comment

Cancel reply

Your email address will not be published. Required fields are marked *

clear formSubmit

Latest Preiskel & Co blog posts
  • Apple’s Vision Pro Mixed Reality Headset Unveiled
    June 8, 2023
  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue
    June 7, 2023
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report
    May 30, 2023
  • Important EU Court decision for publishers and AdTech suppliers 
    May 18, 2023
  • Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling
    May 17, 2023
  • GDPR-compensation for non-material damage not automatic, CJEU confirms
    May 17, 2023
  • Overview of the UAS Ofcom Drone Licence
    May 16, 2023
  • French watchdog directs Meta to change its “discriminatory” ad verification criteria
    May 11, 2023
  • Competition authorities around the world versus dominance in digital markets
    May 3, 2023
  • EDPB clarifies personal data breach notification requirements for non-EU controllers
    April 25, 2023
  • CMA probe spurs Google to change billing practices
    April 19, 2023
  • OpenAI’s ChatGPT banned in Italy
    April 18, 2023

The Preiskel Blog

  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue 7 Jun 2023
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report 30 May 2023
  • Important EU Court decision for publishers and AdTech suppliers  18 May 2023
  • Data Subject Access Requests right to a “copy” of personal data, CJEU Ruling 17 May 2023

Preiskel news

  • Preiskel & Co participating as co-sponsor of Corum Group’s upcoming London Merge Briefing event
  • Senior Partner, Danny Preiskel, quoted by IT Pro on the costs incurred by MNOs
  • Senior Partner, Danny Preiskel, a panelist at GCCM Carrier Community 2023 on IOT
  • Jose Saras and Xavier Prida Awarded First Place as Data Protection Thought Leaders in the UK
Preiskel tweets
  • Apple’s Vision Pro Mixed Reality Headset Unveiled. Find out more here: https://t.co/ifWRgSMY1r2 days ago
  • Tired of Cookie Banners? The EU “Cookie Pledge” against Cookie fatigue. Find out more here: https://t.co/1SrcVUKUDB3 days ago
  • AI – Cybersecurity and Standardisation – The EU Agency for Cybersecurity (ENISA) Report findings. Please find out m… https://t.co/7jJApBSkm211 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy