Open AI, owner of ChatGPT, accused of EU data protection violations

ChatGPT maker OpenAI has been accused of data protection breaches in a complaint filed by a privacy researcher, with reference to the General Data Protection Regulation (GDPR) of the European Union.

The complaint against OpenAI was filed with the Polish data protection authority, reports TechCrunch.

It alleged that the AI giant is in breach of the GDPR in infringing upon transparency, fairness, data access rights and privacy.

The complaint also accused OpenAI of acting in an “untrustworthy, dishonest, and perhaps unconscientious manner” by failing to comprehensively detail how it has processed people’s data.

'The 17-page complaint filed with the Polish DPA is the work of Lukasz Olejnik, a security and privacy researcher, who is being represented for the complaint by Warsaw-based law firm GP Partners,' the report mentioned.

According to Olejnik, he became concerned after he used ChatGPT to generate a biography of himself and found it produced a text that contained some errors.

'He sought to contact OpenAI… to point out the errors and ask for the inaccurate information about him(self) to be corrected. He also asked it to provide him with a bundle of information that the GDPR empowers individuals to get from entities processing their data when the information has been obtained from somewhere other than themselves, as was the case here,' the report noted.

However, although OpenAI responded by providing some information, it allegedly 'failed to produce all the information it must under the law —including, notably, omitting information about its processing of personal data for AI model training'.

While providing a copy of the data, OpenAI also did not include personal data processed for training language models, it added.

'Notably, OpenAI did not include the processing of personal data in connection with model training in the information on categories of personal data or categories of data recipients,' the complaint read.

'As it seems, the fact of processing personal data for model training OpenAI hides or at least camouflages intentionally. This is also apparent from OpenAI’s Privacy Policy, which omits in the substantive part the processes involved in processing personal data for training language models,' the complaint further alleged.

The complaint also highlighted what it views as a total violation of the GDPR’s principle of data protection by design and default.

In April, OpenAI restored access to the ChatGPT service in Italy after the country banned the AI chatbot in response to an order from the local data protection authority over user data concerns.