
Italy’s data protection watchdog has prepared a to-do list that OpenAI must complete before the suspension order issued at the end of last month is lifted. If you recall, at that time Italy said it suspected the AI chatbot service was in breach of the EU’s General Data Protection Regulation (GDPR), so it ordered OpenAI to stop processing locals’ data.
The EU’s GDPR applies whenever personal data is processed, and there is little doubt that large language models such as OpenAI’s GPT have hoovered up vast amounts of the stuff off the internet in order to train their generative AI models.
OpenAI quickly blocked access to ChatGPT from Italy, with the company’s CEO adding that it “think[s] we are following all privacy laws.”
The Italian Data Protection Authority (DPA) agreed to disagree and is now demanding the following:
- OpenAI should publish an information notice detailing its data processing;
- It must immediately adopt robust age verification to prevent minors from accessing the tech;
- It needs to clarify the legal basis it’s claiming for processing people’s data for training its AI;
- It has to provide ways for users (and non-users) to exercise rights over their personal data, including asking for corrections of disinformation generated about them by ChatGPT (or else have their data deleted);
- It must provide users with the ability to object to OpenAI’s processing of their data for training its algorithms; and
- It must conduct a local awareness campaign to inform Italians that it is processing their information to train its AIs.
The DPA has given OpenAI until April 30 to get most of that done, with the local awareness campaign having a slightly more generous deadline of May 15.
There is also a little more time for the additional requirement to migrate from the immediately required age-gating child safety tech to a more robust system: OpenAI has been given until May 31 to submit a plan for implementing age verification tech to filter out users below age 13 as well as users aged 13 to 18 who have not obtained parental consent. The ultimate deadline for that more robust system is set at September 30.
OpenAI will have to comply by 30 April with the measures set out by the Italian SA concerning transparency, the right of data subjects – including users and non-users – and the legal basis of the processing for algorithmic training relying on users’ data. Only in that case will the Italian SA lift its order that placed a temporary limitation on the processing of Italian users’ data, there being no longer the urgency underpinning the order, so that ChatGPT will be available once again from Italy.
If everything goes as planned, users from Italy will be presented with the notice of their data usage prior to signing up for the service and will also have to confirm they are over 18. As for those who have already registered, they will see the notice when they access the reactivated service and must also be pushed through an age-gate to filter out underage users.
When it comes to the mentioned legal basis for processing people’s data for training OpenAI’s algorithms, the DPA has narrowed the available options down to two, consent or legitimate interests, suggesting that OpenAI must immediately remove all references to the performance of a contract “in line with the [GDPR] accountability principle.”
Moreover, since the GDPR provides data subjects with a suite of access rights, the Italian regulator has also demanded that OpenAI implement tools so that data subjects can exercise their rights and get falsities the chatbot generates about them rectified.
All of the measures the DPA has announced are contingencies based on its preliminary concerns. Its inquiries will only continue from here, and it may even decide to take “additional or different measures if this proves necessary upon completion of the fact-finding exercise under way.”
Our take: We like what Italy is doing to protect the privacy of their constituents but are also hoping that this won’t kill ChatGPT now that we’ve learned to like it.
As a reminder, if you’re in Italy and want to access ChatGPT – you can always get a VPN for that purpose.