A new European privacy complaint against OpenAI puts a sharp question in front of regulators: what happens when an AI chatbot produces false and damaging personal information about a real person?
The case, supported by privacy rights advocacy group Noyb, centers on a man in Norway named Arve Hjalmar Holmen. According to the complaint described by Noyb, ChatGPT generated a fictional account claiming he had been convicted of murdering two of his children and attempting to kill the third.
Why this complaint is different
ChatGPT has faced earlier privacy complaints in Europe over incorrect personal data. Those cases involved issues such as an incorrect birth date or inaccurate biographical details. This complaint is more severe because the alleged output was not merely wrong; it was reputationally destructive.
Noyb says the chatbot's answer included some true personal details alongside the false accusation. The individual does have three children, the genders of the children were correct, and his home town was correctly named. That mix of accurate and fabricated information is part of what makes the case so troubling.
The false claim at the center of the complaint was that Hjalmar Holmen had been convicted for child murder and sentenced to 21 years in prison. Noyb said it researched whether the chatbot might have confused him with another person, including by checking newspaper archives, but did not find an explanation for the fabricated history.
The GDPR issue behind AI hallucinations
The complaint is built around the European Union's General Data Protection Regulation, better known as GDPR. Under the GDPR, Europeans have data access rights, including a right to rectification of personal data. The law also requires data controllers to ensure that personal data they produce about individuals is accurate.
Noyb argues that this matters directly for generative AI systems when they generate information about identifiable people. If an AI tool produces false personal data, the issue is not only that the output is unreliable. The issue, in Noyb's view, is that the system may be producing unlawful personal data.
“The GDPR is clear. Personal data has to be accurate,” said Joakim Söderberg, data protection lawyer at Noyb, in a statement. “If it's not, users have the right to have it changed to reflect the truth. Showing ChatGPT users a tiny disclaimer that the chatbot can make mistakes clearly isn’t enough. You can’t just spread false information and in the end add a small disclaimer saying that everything you said may just not be true.”
OpenAI displays a disclaimer at the bottom of ChatGPT that says, “ChatGPT can make mistakes. Check important info,” according to the source article. Noyb's position is that such a warning cannot replace the obligation to avoid producing inaccurate personal data in the first place.
What OpenAI says about the complaint
OpenAI was contacted for a response. Its PR firm in Europe, Headland Consultancy, provided a statement attributed to an OpenAI spokesperson.
“We continue to research new ways to improve the accuracy of our models and reduce hallucinations. While we’re still reviewing this complaint, it relates to a version of ChatGPT which has since been enhanced with online search capabilities that improves accuracy.”
Noyb says ChatGPT stopped producing the dangerous falsehoods about Hjalmar Holmen after an update to the underlying AI model. The source article links that change to the tool now searching the internet for information about people when asked who they are.
Even so, Noyb and Hjalmar Holmen remain concerned that incorrect and defamatory information about him may still be retained within the AI model. That concern shifts the focus from what users see on screen to what the system may still process internally.
“Adding a disclaimer that you do not comply with the law does not make the law go away,” noted Kleanthi Sardeli, another data protection lawyer at Noyb, in a statement. “AI companies can also not just ‘hide’ false information from users while they internally still process false information.”
“AI companies should stop acting as if the GDPR does not apply to them, when it clearly does,” she added. “If hallucinations are not stopped, people can easily suffer reputational damage.”
Why regulators may face pressure to act
Confirmed GDPR breaches can lead to penalties of up to 4% of global annual turnover. Enforcement can also push product changes. In spring 2023, Italy's data protection watchdog temporarily blocked access to ChatGPT in the country, and OpenAI later made changes to the information it disclosed to users. The watchdog subsequently fined OpenAI €15 million for processing people's data without a proper legal basis.
Since then, privacy watchdogs around Europe have taken a more cautious approach to GenAI. Ireland's Data Protection Commission, which has a lead GDPR enforcement role on a previous Noyb ChatGPT complaint, urged against rushing to ban GenAI tools two years ago. A privacy complaint against ChatGPT under investigation by Poland's data protection watchdog since September 2023 still has not produced a decision.
Noyb has filed the new complaint with the Norwegian data protection authority. It is targeting OpenAI's U.S. entity and arguing that OpenAI's Ireland office is not solely responsible for product decisions affecting Europeans.
An earlier Noyb-backed GDPR complaint against OpenAI, filed in Austria in April 2024, was referred to Ireland's DPC after OpenAI named its Irish division as the provider of ChatGPT to regional users. Risteard Byrne, assistant principal officer communications for the DPC, told TechCrunch: “Having received the complaint from the Austrian Supervisory Authority in September 2024, the DPC commenced the formal handling of the complaint and it is still ongoing.”
The Norwegian complaint now adds a stark example to a broader debate. For AI companies, the problem is not only that large language models can hallucinate. When hallucinations attach false, legally compromising claims to real people, accuracy becomes a privacy, safety, and reputational issue at once.