A newly formed EU taskforce is coordinating national investigations into OpenAI’s ChatGPT, emphasising data protection and privacy issues. Photo: Shutterstock

European authorities are scrutinising OpenAI’s data practices in ChatGPT, focusing on GDPR compliance and the handling of personal data.

The European Data Protection Board (EDPB) has issued its first interim report through its “ChatGPT Taskforce,” dedicated to “possible enforcement actions on the processing of personal data in the context of ChatGPT.” The report confirmed ongoing confidential investigations by supervisory authorities, without explicitly naming them.

The taskforce

Following the launch of the consumer-facing generative artificial intelligence model, ChatGPT, by US-based OpenAI on 30 November 2022, several supervisory authorities in the European Union initiated investigations into OpenAI’s compliance with the GDPR. These investigations focused on OpenAI’s role as the data controller for ChatGPT’s operations. The EU watchdog emphasised that the GDPR does not allow “technical impossibility” to justify non-compliance, particularly with the principle of data protection by design as outlined in article 25(1).

However, until 15 February 2024, OpenAI did not have an official presence in the EU. Consequently, the application of the one-stop-shop mechanism under the GDPR was not possible. This lack of official representation prompted the EDPB to establish the “ChatGPT taskforce” to enhance cooperation and exchange information among supervisory authorities on possible enforcement actions related to ChatGPT's data processing.

Dublin office

Sam Altman, CEO of OpenAI, announced the intention to establish an office in Dublin, Ireland, on 13 September 2023. Meanwhile, during the EDPB’s plenary meeting on 16 January 2024, it was decided to extend the taskforce’s mandate and publish a report outlining the interim findings. This report was published on Thursday 23 May 2024. The taskforce aimed to facilitate the exchange of information among national supervisory authorities regarding OpenAI’s ongoing enforcement activities, coordinate external communications, and promptly identify issues requiring a unified approach in enforcement actions against ChatGPT.

However, the EDPB noted in its report that the establishment of OpenAI’s EU office enables the implementation of the one-stop-shop framework for cross-border processing activities in the EU.

The “lead” supervisory authority, which has not been named by the EDPB, assumed responsibility for exercising corrective powers, when necessary, under article 56 of GDPR for activities after 15 February 2024. However, ongoing national investigations into activities before 15 February are still being coordinated within the ChatGPT taskforce.

Investigation activities

The taskforce’s activities include developing a common questionnaire, which multiple supervisory authorities used as a foundation for their investigations into OpenAI. These investigations primarily focused on OpenAI’s before 15 February 2024, which underwent updates on 15 December 2023, slated to take effect by 15 February 2024.

One notable instance involves the Italian supervisory authority imposing a on ChatGPT, which was lifted on 11 April 2023 following compliance adjustments made by OpenAI to adhere to GDPR requirements. However, the Italian supervisory authority said that it would carry on its fact-finding activities.

Concerns and compliance

The initial phases of ChatGPT training involve gathering and preprocessing vast amounts of data, including personal data, through web scraping. OpenAI cites article 6(1)(f) GDPR as the legal basis for this activity, which requires a legitimate interest, necessity and a careful balance of interests. Implementing safeguards, such as technical measures to filter or anonymise personal data, is crucial to mitigate risks to data subjects’ rights, noted the EDPB.

When dealing with special categories of personal data, processing must also adhere to one of the exceptions outlined in article 9(2) of GDPR. The mere public availability of data does not meet the “the data subject has manifestly made such data public” requirement of article 9(2)(e), which necessitates explicit affirmative action by the data subject, clarified the EDPB.

The principle of accountability under article 5(2) GDPR and article 24 GDPR and the principle of fairness under article 5(1)(a) GDPR highlight that data processing should not unfairly transfer risks to data subjects. Transparency and data accuracy are essential, with OpenAI responsible for GDPR compliance, even if users inadvertently input personal data into ChatGPT, noted the EDPB in the report.

Moreover, article 14 GDPR applies to data collected via web scraping, while article 13 of GDPR governs data collected during direct interactions with ChatGPT. OpenAI must inform users about the potential use of their input for training purposes and ensure the accuracy of both input and output data, said the EDPB, despite the probabilistic nature of ChatGPT’s responses. OpenAI must also facilitate data subjects’ rights, including access, deletion, rectification and restriction of processing. Mechanisms for data subjects to interact with their data must be continually improved, with data erasure suggested in cases where rectification is not feasible.

As investigations continue, the findings remain preliminary, noted the EDPB, with further analysis required to fully assess OpenAI’s compliance measures and their effectiveness in protecting data subjects’ rights.

In addition to its head office in San Francisco, California, OpenAI has offices in Dublin, and .

Delano contacted OpenAI for a statement but had not received a response by the time of publication.