ChatGPT Faces Another EU Privacy Complaint After Failing to Correct Misinformation About People

ChatGPT
Unsplash/ Andrew Neel

OpenAI is confronted with another European Union privacy complaint, filed by the privacy rights organization Noyb, regarding ChatGPT's inability to rectify misinformation it generates about individuals.

Compliance with the General Data Protection Regulation

Generative AI tools' tendency to generate inaccurate information has been putting the technology at odds with the General Data Protection Regulation (GDPR) in the European Union, which regulates the processing of personal data of regional users. Non-compliance with GDPR can result in penalties of up to 4% of global annual turnover. Particularly significant for well-endowed entities like OpenAI is the authority of data protection regulators to mandate changes in information processing practices, which means that GDPR enforcement has the potential to redefine the operations of generative AI tools within the EU.

Noyb Lodging a Privacy Complaint Against ChatGPT

Following an earlier intervention by Italy's data protection authority in 2023, OpenAI implemented adjustments in response to concerns raised about ChatGPT. However, Noyb lodged the most recent GDPR complaint against ChatGPT with the Austrian data protection authority, made on behalf of an unnamed public figure complainant who discovered that the AI chatbot generated an inaccurate birth date for them.

According to the GDPR, individuals in the EU have rights regarding their personal information, including the right to correct inaccurate data. Noyb argues that OpenAI is not fulfilling this obligation regarding its chatbot's output by declining the complainant's request to rectify the incorrect birth date, stating that it was technically infeasible to do so. Instead, OpenAI proposed filtering or blocking data related to certain prompts, such as the complainant's name.

OpenAi's Privacy Policy

OpenAI's privacy policy allows users to submit correction requests through privacy.openai.com or by emailing dsar@openai.com. If they notice the AI chatbot has generated factually inaccurate information about them. However, OpenAI cautions that due to the technical complexity of its models, it may not be able to correct inaccuracies in every instance. In such cases, OpenAI recommends that users request the removal of their personal information from ChatGPT's output entirely by filling out a web form.

Increased Risk of EU Regulation

The issue for the AI giant is that GDPR rights are not optional. In Europe, people have the right to request corrections and deletion of their data. However, OpenAI cannot selectively decide which rights to honor, which raises transparency concerns, as OpenAI cannot disclose the sources of the data it generates or what data the chatbot stores about individuals.

Individuals have the right to request such information under the GDPR through a subject access request (SAR), which OpenAI did not sufficiently provide, according to Noyb, as it failed to disclose any information about the processed data, its origins, or who it was shared with.

In a statement about the complaint, Maartje de Graaf, a data protection lawyer at Noyb, emphasized the seriousness of generating false information about individuals and highlighted that companies face challenges in ensuring compliance with EU law when processing data about individuals through chatbots like ChatGPT. De Graaf said that a system should not be used to generate data about individuals if it cannot provide accurate and transparent results.

The company requests the Austrian Data Protection Authority (DPA) to investigate the complaint regarding OpenAI's data processing and also urges the authority to impose a fine to ensure future compliance. However, they noted that it is likely the case will be handled through EU cooperation.

ChatGPT's Similar Data Privacy Complaints

OpenAI is facing a similar complaint in Poland, where the local data protection authority opened an investigation into ChatGPT following a complaint by a privacy and security researcher last September who alleges that OpenAI failed to correct his incorrect information that it did not comply with transparency requirements under the GDPR.

Additionally, the Italian data protection authority still has an ongoing investigation into ChatGPT. In January, it issued a draft decision stating that OpenAI violated the GDPR in various ways, including the chatbot's tendency to generate misinformation about individuals and the lawfulness of processing. The authority gave OpenAI a month to respond; a final decision is pending.

OpenAI now faces another risk of facing enforcement actions across different EU Member States now that another GDPR complaint has been filed against its chatbot.

Tags
European Union
Real Time Analytics