How ChatGPT privacy rules remain unsettled in the EU

An EU data protection taskforce has issued preliminary conclusions on how GDPR applies to ChatGPT, but key questions remain unresolved. OpenAI still faces complaints, possible enforcement risk, and scrutiny over legal basis, fairness, transparency, accuracy, and user rights.

WTF Index TERMINATOR
◄ Terminator 2 Idiocracy 1 ►

The story centers on privacy, lawful processing, and regulatory control risks around ChatGPT rather than direct societal deskilling or quality decline.

How ChatGPT privacy rules remain unsettled in the EU

European privacy regulators have taken a first collective step toward explaining how GDPR should apply to ChatGPT. But the early signal is less a final answer than a map of the unresolved legal pressure around OpenAI’s chatbot.

The taskforce’s preliminary conclusions leave central questions open, including whether OpenAI’s processing is lawful and fair. That uncertainty matters because GDPR penalties can reach up to 4% of global annual turnover, and regulators can also order unlawful processing to stop.

Why ChatGPT is a GDPR test case

ChatGPT sits at the center of a hard privacy question: how should rules written for personal data apply to large language models that are trained on information collected at enormous scale?

According to the source, large language models such as OpenAI’s GPT collect and process personal data when they scrape the public internet for training material. That can include posts from social media platforms and other material that may contain details about people’s lives.

The GDPR applies whenever personal data is collected and processed. It also gives data protection authorities the power to stop non-compliant processing. In practical terms, that means privacy law could shape how OpenAI is allowed to operate ChatGPT in the EU if regulators decide to use those powers.

Complaints have already put the issue in motion. Poland’s data protection authority opened an investigation after a complaint that ChatGPT made up information about an individual and refused to correct the errors. A similar complaint was recently lodged in Austria.

The legal basis question is still open

The taskforce report says ChatGPT needs a valid legal basis for every stage of personal data processing. That includes the collection of training data, pre-processing such as filtering, training itself, prompts and ChatGPT outputs, and any training on ChatGPT prompts.

The source explains that Italy’s privacy watchdog previously told OpenAI it could not rely on contractual necessity to process people’s data for AI training. That left two possible routes: consent, or legitimate interests.

OpenAI appears to have shifted toward claiming legitimate interests for processing personal data used in model training. But that path is not automatic. To rely on legitimate interests, OpenAI must show that the processing is needed, that it is limited to what is necessary, and that a balancing test favors its interests over the rights and freedoms of the people whose data is involved.

The taskforce also pointed to particular risks in the collection, pre-processing, and training stages. Web scraping can bring in large volumes of personal data, including information about many areas of a person’s life. It may also capture special category data, such as health information, sexuality, or political views, which faces a higher legal bar under GDPR.

Regulators point to narrower data collection

One of the taskforce’s more practical suggestions is that OpenAI could change how it collects and prepares data. The report says safeguards such as technical measures, more precise collection criteria, and blocking certain data categories or sources, including social media profiles, could affect the legitimate interests balancing test.

The taskforce also suggests that measures should be in place to delete or anonymise personal data collected through web scraping before training begins. That would not settle the entire legal question, but it shows one direction regulators are considering: reducing privacy impact before the data reaches the model.

For ChatGPT user prompts, the taskforce emphasizes that users must be clearly and demonstrably informed if their content may be used for training. That notice would be one factor in the legitimate interests assessment.

If regulators ultimately decide OpenAI cannot rely on legitimate interests, the source says the company would be left with consent as its legal option in the EU. The source also notes that consent must be freely given and cannot be sold.

Fairness, transparency, and accuracy remain central

The taskforce also addresses GDPR’s fairness principle. It says privacy risk cannot simply be shifted to users through terms and conditions. In the report’s words, OpenAI remains responsible for GDPR compliance and should not argue that certain personal data was prohibited from being entered in the first place.

Transparency is another major issue. The taskforce appears to accept that OpenAI may use an exemption from notifying every individual whose data was collected through web scraping, given the scale involved. Even so, it stresses the importance of informing users that their inputs may be used for training purposes.

The report also discusses ChatGPT hallucinations. The GDPR principle of accuracy still applies, and the taskforce says OpenAI should provide proper information about the probabilistic output of the chatbot and its limited level of reliability.

It also suggests users should receive an explicit reference that generated text may be biased or made up.

Enforcement may move slowly

The ChatGPT taskforce was created in April 2023 after Italy’s privacy watchdog used emergency GDPR powers against OpenAI. That action led OpenAI to briefly shut down ChatGPT in Italy. The service returned after OpenAI made changes to the information and controls provided to users, but the Italian investigation continues.

The taskforce operates within the European Data Protection Board, while national data protection authorities remain independent and can enforce GDPR in their own jurisdictions. Still, the source suggests the taskforce’s work may already be slowing some decisions, as authorities wait for more coordinated guidance.

OpenAI has also changed its EU structure. It set up an EU operation in Ireland last fall, then in December named OpenAI Ireland Limited as the regional provider of services such as ChatGPT. The taskforce report suggests OpenAI was granted main establishment status as of February 15 this year.

That matters because GDPR’s One-Stop Shop mechanism can route cross-border complaints through a lead data protection authority. In OpenAI’s case, that would be Ireland’s Data Protection Commission for complaints arising since then.

The result is a complicated regulatory picture. The EU has not resolved whether ChatGPT’s data practices meet GDPR’s standards. But the preliminary report makes clear that legal basis, data minimization, user notice, accuracy, and practical access to rights are all part of the test OpenAI still has to face.