Italy’s Data Protection Watchdog Lays Out Compliance Demands for OpenAI
Italy’s data protection authority, the Garante, has issued a set of compliance demands that OpenAI must meet for the temporary suspension of its AI chatbot service, ChatGPT, to be lifted in the country. At the end of last month the regulator issued an order on suspicion that the service violates the EU’s General Data Protection Regulation (GDPR), directing the US-based company to stop processing the personal data of Italian users. OpenAI quickly complied by geoblocking access to ChatGPT and confirming it had ceased offering the service in Italy, while stating that it thought it was following all privacy laws.
However, Italy’s Garante has outlined a list of measures that OpenAI must undertake to be compliant with GDPR and have the suspension on ChatGPT’s data processing lifted. The required steps include publishing an information notice that comprehensively describes how data is processed.
Additionally, OpenAI must put measures in place to keep minors from accessing the service, define the legal basis for processing personal data more explicitly, and give users the means to exercise their rights over their personal data. It must also run a local awareness campaign to inform Italian citizens about the use of their data in training artificial intelligence.
Compliance Deadline and Specific Measures
The Garante has given OpenAI a deadline of April 30 to comply with most of the measures, while the awareness campaign must be carried out by May 15. The additional requirement to migrate from weak age gating to a more robust age verification system carries two deadlines: May 31 for OpenAI to submit an implementation plan, and September 30 for the new system to be in place. Once OpenAI has completed these measures, the Garante will lift the temporary suspension on ChatGPT’s data processing.
The Specific Measures Required by the Garante
OpenAI must publish an information notice describing the arrangements and logic of data processing for ChatGPT and the rights of users and non-users. The notice must be easily accessible and placed in such a way that it is read before signing up for the service. Users from Italy must confirm they are over 18 and be presented with the notice prior to signing up. Users who registered prior to the suspension order will also be shown the notice when they access the reactivated service and must pass an age gate to filter out underage users.
The Garante has narrowed the legal basis for OpenAI’s processing of personal data down to two options: consent or legitimate interests. OpenAI must remove all references to performance of a contract in its privacy policy, which currently cites all three grounds but appears to rely most heavily on performance of a contract. The Garante has demanded that OpenAI implement tools to allow users and non-users to exercise their right to correction or deletion of their personal data generated by ChatGPT.
OpenAI must also provide tools to allow non-users to object to the processing of their personal data, as well as the same right for users if legitimate interests are the legal basis for processing their data. The Garante has stated that it reserves the right to exercise its investigation and enforcement powers in this respect and will withhold judgment on whether the remaining legal grounds can be used lawfully for OpenAI’s purposes.
Conclusion
OpenAI must comply with the Garante’s demands by the end of April to lift the suspension on ChatGPT’s data processing in Italy. The measures required by the Garante aim to protect the privacy and data rights of Italian users and non-users, and OpenAI must implement them if it wishes to continue offering the service in the country.