Key takeaways from EDPB’s Taskforce Report on ChatGPT

 

The EDPB’s ChatGPT Taskforce, established on 13 April 2023, released an interim report on 23 May 2024, detailing its investigations into OpenAI’s ChatGPT service. The taskforce was created to address data protection concerns and coordinate enforcement actions among EU data protection authorities due to the absence of OpenAI’s EU establishment before 15 February 2024. Post 15 February 2024, OpenAI’s single EU establishment in Ireland brought it under the GDPR’s One-Stop-Shop mechanism, centralizing enforcement through a lead supervisory authority. Investigations focus on previous privacy policies and the measures implemented to comply with GDPR requirements, such as those resulting from the Italian DPA’s temporary ban.

The taskforce’s preliminary views concern key GDPR principles:

  • Lawfulness: The report deals with two aspects here: the collection of data (focused on web scraping) and training of the algorithm, and prompts and outputs in ChatGPT. The boring stuff: data processing must meet conditions under Article 6(1) [lawful basis] and, where applicable, Article 9(2) [additional conditions for special category data]. OpenAI claims they use legitimate interest for web scraping, which the taskforce is still looking into. The interesting stuff: on Article 9(2) the EDPB stresses that “the mere fact that personal data is publicly accessible does not imply that ‘the data subject has manifestly made such data public’” (something Advocate General Rantos also said recently in the opinion in Case C-446/21 – see details in my blog The Privacy Explorer | Week 17 – The PrivacyCraft Blog).

  • Fairness: Responsibility for GDPR compliance cannot be transferred to data subjects, “for example by placing a clause in the Terms and Conditions that data subjects are responsible for their chat inputs”. Interestingly, the EDPB says that “if ChatGPT is made available to the public, it should be assumed that individuals will sooner or later input personal data. If those inputs then become part of the data model and, for example, are shared with anyone asking a specific question, OpenAI remains responsible for complying with the GDPR and should not argue that the input of certain personal data was prohibited in first place”.

  • Transparency and Information Obligations: Article 14 GDPR requires informing data subjects about web scraping, but the exemption in Article 14(5)(b) could apply. By contrast, Article 13 applies to direct interactions and there it is essential that OpenAI informs users about prompts being used for training purposes.

  • Data Accuracy: A distinction must be made between input and output. Because the output is not necessarily intended to be factually accurate, this needs to be made very clear to the users: “proper information on the probabilistic output creation mechanisms and on their limited level of reliability [must be] provided by the controller, including explicit reference to the fact that the generated text, although syntactically correct, may be biased or made up”. And here’s where it gets interesting: the EDPB says that “Although the measures taken in order to comply with the transparency principle are beneficial to avoid misinterpretation of the output of ChatGPT, they are not sufficient to comply with the data accuracy principle, as recalled above” – in other words, OpenAI has not done enough to make it clear that ChatGPT results may not be factually correct, at least not until 15 February 2024.

  • Rights of the Data Subject: OpenAI must make sure data subjects can exercise their rights in an easily accessible manner. While the EDPB throws some shade on the fact that “at least for the time being, OpenAI suggests users to shift from rectification to erasure when rectification is not feasible due to the technical complexity of ChatGPT”, they are not really saying anything (neither good nor bad) about that.

Read the full thing here.
