The Italian data protection authority (GPDP) announced the launch of an inquiry against OpenAI for multiple user privacy law violations by ChatGPT.
ChatGPT is OpenAI’s large language model designed to interact with human users, emulating conversation, providing responses, answering questions, and more.
The AI platform suffered a data breach on March 20, 2023, when a bug in a Redis library used by the platform exposed the chat query history of some users to other, unrelated users.
Additionally, many ChatGPT Plus subscribers reported seeing other people’s email addresses and payment details on their subscription pages, so the exposure also extended to sensitive data.
The Italian authority accuses OpenAI of failing to notify the affected users individually of the data breach, as required under the General Data Protection Regulation (GDPR) applicable in Europe.
The data protection office also questions which data from users’ conversations is collected to train the AI model or is shared with partners, since OpenAI’s published terms do not make this clear.
The GDPR requires a legal basis for data collection, that is, a valid justification for harvesting, processing, and storing personal data, which ensures that the processing is transparent and respects the rights of the data subjects. ChatGPT’s terms, however, appear to lack this crucial component.
The third issue highlighted in GPDP’s announcement is the lack of age verification on the ChatGPT platform, which allows users below the age of 13, who are typically ineligible for using the service, to log in and chat with the AI bot.
“The Italian SA emphasizes in its order that the lack of whatever age verification mechanism exposes children to receiving responses that are absolutely inappropriate to their age and awareness, even though the service is allegedly addressed to users aged above 13 according to OpenAI’s terms of service.” (GPDP)
Finally, the authority gives OpenAI 20 days to respond to the inquiry and to state precisely which measures it will implement to remediate the identified issues. If the American company fails to do so, it faces a fine of €20 million ($21.8M) or 4% of its total worldwide annual turnover.