OpenAI’s popular and controversial ChatGPT chatbot hit a major legal hurdle earlier this year: a ban in Italy. The Italian Data Protection Authority (GPDP) accused OpenAI of violating EU data protection rules, and the company agreed to restrict access to the service in Italy while it worked to resolve the problem. ChatGPT returned to the country on April 28th, with OpenAI having addressed the GPDP’s concerns without making major changes to its service.
The GPDP said that it “welcomes the changes ChatGPT has made.” But the firm’s legal problems, and those of other companies developing similar chatbots, are probably just getting started. Regulators in several countries are investigating how these AI tools collect and produce information, citing a range of concerns from companies’ collection of unlicensed training data to chatbots’ tendency to spread misinformation. In the EU, they are applying the General Data Protection Regulation (GDPR), one of the world’s strongest privacy frameworks, and the effects will likely reach far beyond Europe. Meanwhile, EU lawmakers are working on a law that addresses AI specifically, likely ushering in a new era of regulation for systems like ChatGPT.
ChatGPT has been targeted over misinformation, copyright, and data protection issues.
ChatGPT is one of the most popular examples of generative AI: tools that produce text, images, video, and audio based on user prompts. The service reportedly became one of the fastest-growing consumer apps ever after reaching 100 million monthly active users just two months after launch (OpenAI has never confirmed these figures), and people use it for everything from college essays to code. But critics, including regulators, have taken aim at its unreliable output.
Italy was the first country to take action. On March 31st, it highlighted four ways it believed OpenAI was violating GDPR: allowing ChatGPT to provide inaccurate or misleading information, failing to notify users of its data collection practices, failing to meet any of the possible legal justifications for processing personal data, and failing to adequately prevent children under the age of 13 from using the service. It ordered OpenAI to stop using personal information collected from Italian citizens in ChatGPT’s training data.
No other country has gone that far yet, but since March, at least three EU nations (Germany, France, and Spain) have launched their own investigations into ChatGPT. Across the Atlantic, Canada is evaluating privacy concerns under its Personal Information Protection and Electronic Documents Act (PIPEDA). The European Data Protection Board has also created a task force to coordinate these investigations. If the agencies demand changes, it could affect how OpenAI operates for users around the world.
The regulators’ concerns can be divided into two broad categories: the source of ChatGPT training data and how OpenAI delivers information to its customers.
ChatGPT is based on OpenAI’s GPT-3.5 and GPT-4 large language models (LLMs), which are trained on vast quantities of human-produced text. OpenAI is cagey about exactly what training text it uses, but says it draws on “a variety of licensed, created, and publicly available data sources, which may include publicly available personal information.”
This could pose a serious problem under GDPR. The law, which took effect in 2018, covers any service that collects or processes data on EU citizens, regardless of where the responsible organization is based. It requires companies to obtain explicit consent before collecting personal data, to have a legal justification for the collection, and to be transparent about how the data is used and stored.
The GPDP argues that OpenAI has “no legal foundation” for its mass collection of training data, and that the company cannot verify whether the personal information it scraped was originally shared with users’ consent. Data scraping has drawn little regulatory scrutiny so far, but the GPDP’s claim raises serious questions about its future.
OpenAI also collects data directly from its users. Like any other internet platform, it gathers standard account data (name, contact information, card details, and so on), but it also records users’ interactions with ChatGPT. An OpenAI FAQ explains that this data can be reviewed by employees and used to train future versions of the model. And given the personal questions people ask ChatGPT, such as using the bot for therapy or medical advice, this means the company is collecting all sorts of sensitive data.
OpenAI’s policy says that it does not “knowingly collect information about children under the age of 13,” but there is no strict age verification gate. That conflicts with EU rules, which prohibit collecting data from minors under 13 and (in certain countries) require parental consent for those under 16. The GPDP claims that ChatGPT’s lack of age filters exposes minors “to absolutely unsuitable responses in respect of their level of development and awareness.”
The wide latitude OpenAI has to use this data has worried some regulators, and storing it also presents a security risk. Companies such as Samsung and JPMorgan have banned employees from using generative AI tools for fear they will upload sensitive information. Notably, Italy announced its ban shortly after a major data leak exposed ChatGPT users’ chat histories and email addresses.
ChatGPT’s tendency to provide false information could also be a problem. The GPDP notes that GDPR requires all personal data to be accurate. Depending on how that’s interpreted, it could spell trouble for most AI text generators, which are prone to “hallucinations”: factually inaccurate or irrelevant responses to a query. These errors have already had real-world consequences: a regional Australian mayor has threatened to sue OpenAI for defamation after ChatGPT falsely claimed he had served time in jail for bribery.
ChatGPT’s popularity and dominance of the AI market make it a particularly attractive target, but that doesn’t mean competitors such as Google’s Bard and Microsoft’s OpenAI-powered Azure AI won’t face scrutiny too. Before ChatGPT, Italy banned the chatbot platform Replika for collecting data on minors, and it has remained banned ever since.
GDPR was not designed to deal with AI-specific concerns, but regulations that do may be coming soon.
The EU submitted the first draft of its Artificial Intelligence Act (AIA) in 2021, legislation that will work alongside GDPR. The act regulates AI tools according to their perceived risk, from “minimal” (things like spam filters) to “high” (AI tools used for law enforcement or education) to “unacceptable” (such as social credit systems), which are banned outright. After the explosion of large language models like ChatGPT, lawmakers have raced to add rules for “foundational models” and “general purpose AI systems” (GPAIs), two terms for large-scale AI systems that include LLMs.
The AIA goes beyond data protection. A recently proposed amendment would require companies to disclose any copyrighted material used to develop generative AI tools. That could expose previously secret datasets and leave more companies vulnerable to infringement lawsuits, which are already affecting some services.
In Europe, laws specifically designed to regulate AI might not be implemented until 2024.
But passing the law could take a while. EU lawmakers reached a provisional agreement on the AI Act on April 27th. A committee will vote on the draft on May 11th, and the final proposal is expected by mid-June. The European Council, Parliament, and Commission must then resolve any remaining disputes before the law can be implemented. If everything goes smoothly, it could be adopted by the end of 2024, a bit behind the official target of the May 2024 European elections.
The spat between Italy and OpenAI offers an early glimpse of how AI companies and regulators might negotiate. The GPDP said it would lift its ban if OpenAI met several resolutions by April 30th: informing users about how ChatGPT processes and stores their data, requesting explicit consent to use that data, facilitating requests to correct or remove false personal information generated by ChatGPT, and requiring Italian users to confirm they are over 18 when registering an account. OpenAI didn’t meet every stipulation, but it satisfied enough of them for Italian regulators to restore access to ChatGPT in Italy.
OpenAI still has targets to meet. It has until September 30th to implement a stricter age-gate that keeps out minors under 13 and requires parental consent for older teenage minors. If it fails, it could find itself blocked again. But for now, it has provided an example of what Europe considers acceptable behavior for an AI company, at least until new laws come into effect.