OpenAI is facing a fresh privacy challenge in the European Union over a familiar problem: ChatGPT can generate information about people that is simply wrong. The latest complaint argues that when the chatbot produces false personal data, OpenAI cannot sidestep the GDPR right to have inaccurate information corrected.
What the new complaint says
The complaint was filed by privacy rights nonprofit noyb with the Austrian data protection authority. It was brought on behalf of an unnamed complainant described as a public figure.
According to the source article, ChatGPT generated an incorrect birth date for the complainant. The person then asked OpenAI to rectify the false information, but noyb says the company refused, saying it was technically impossible to correct.
OpenAI instead offered to filter or block the data on certain prompts, including the complainant's name. For noyb, that response is at the center of the dispute: the GDPR gives people more than one right, and the company should not decide that deletion or blocking is available while correction is not.
The issue is not only whether a chatbot can be wrong. It is whether a company that deploys the chatbot can process personal data in a way that respects the legal rights attached to that data.
Why accuracy becomes a privacy issue
Generative AI systems are widely known to produce incorrect outputs. In ordinary use, that may look like a reliability flaw. Under the GDPR, however, false information about a person can become a privacy and data protection problem.
The regulation gives people in the EU rights over information about them. Those rights include the right to have erroneous data corrected and the right to request deletion of data. The source article notes that GDPR rights are not à la carte: OpenAI cannot simply choose which right is easier to provide.
OpenAI's privacy policy, as described in the source, tells users who see ChatGPT generate “factually inaccurate information about you” that they can submit a “correction request” through privacy.openai.com or by emailing dsar@openai.com. The policy also warns: “Given the technical complexity of how our models work, we may not be able to correct the inaccuracy in every instance.”
If correction is not possible, OpenAI suggests that users request removal of their personal information from ChatGPT’s output by filling out a web form. The new complaint challenges that approach because the GDPR contains separate rights to rectification and deletion.
Transparency is also part of the case
The complaint also raises transparency concerns. noyb argues that OpenAI is unable to explain where the data ChatGPT generates about individuals comes from, or what data the chatbot stores about people.
That matters because people can make a subject access request, often called a SAR, to ask for information about data processed about them. Per noyb, OpenAI did not adequately respond to the complainant's SAR.
The alleged gaps include failing to disclose information about:
- the data processed about the complainant;
- the sources of that data;
- the recipients of the data.
In plain terms, the complaint says OpenAI failed on two connected fronts. First, it could not correct the incorrect personal data ChatGPT generated. Second, it did not provide enough transparency about how that personal data was processed.
The broader GDPR risk for OpenAI
The stakes are larger than one incorrect birth date. GDPR compliance failures can bring penalties of up to 4% of global annual turnover. For a company with significant resources, the source article notes that the more important risk may be regulatory orders that force changes in how information is processed.
That means GDPR enforcement could affect how generative AI tools operate in the EU. If regulators find that a system cannot handle personal data accurately and transparently, they may push for changes to the way such systems process or output information about individuals.
OpenAI has already faced regulatory pressure in Europe. Italy's data protection authority briefly forced a local shut down of ChatGPT back in 2023, and OpenAI was forced to make some changes after that intervention.
The Italian authority still has an open investigation into ChatGPT. In January it produced a draft decision saying it believes OpenAI has violated the GDPR in a number of ways, including in relation to the chatbot's tendency to produce misinformation about people. A final decision remains pending.
OpenAI is also facing a very similar complaint in Poland. Last September, the local data protection authority opened an investigation of ChatGPT following a complaint by a privacy and security researcher who said he could not get incorrect information about him corrected by OpenAI. That complaint also accuses OpenAI of failing to comply with transparency requirements.
Why this case matters for AI tools in Europe
The Austrian complaint adds to a growing set of European challenges over the same core question: can a generative AI chatbot that makes claims about people comply with data protection rules when those claims are wrong?
noyb is asking the Austrian DPA to investigate OpenAI's data processing and to impose a fine to ensure future compliance. The organization also said it is likely the case will be handled through EU cooperation.
OpenAI opened a regional office in Dublin last fall. The source article says that move appears aimed at reducing regulatory risk by using a GDPR mechanism that can funnel cross-border complaints to a single member state authority where the company is “main established.”
Even so, the latest complaint shows that ChatGPT's personal data problem remains active across multiple Member States. The legal question is not whether AI systems are complex. It is whether that complexity can excuse failures to correct false personal information, explain data sources and respond properly to access requests under the GDPR.