Italy’s GDPR case puts ChatGPT’s data practices in focus

Italy’s data protection authority has notified OpenAI that ChatGPT is suspected of violating European Union privacy rules after a multi-month investigation. OpenAI has 30 days to respond, while the case keeps attention on the legal basis for using personal data in AI model training.

WTF Index TERMINATOR
◄ Terminator 2 Idiocracy 1 ►

The story centers on privacy risks and possible misuse of personal data in AI training, with only a secondary concern about inaccurate outputs.

Italy’s GDPR case puts ChatGPT’s data practices in focus

OpenAI is facing a new stage in Italy’s privacy investigation into ChatGPT, after the country’s data protection authority notified the company that the chatbot is suspected of violating European Union privacy rules.

The Italian authority, the Garante, has not disclosed the full details of its draft findings. But it has given OpenAI 30 days to respond with its defence against the alleged violations.

What Italy’s authority has told OpenAI

The case follows a multi-month investigation into ChatGPT by Italy’s data protection authority. The Garante said OpenAI has been notified of a violation under data protection regulations, after the authority reviewed the material gathered in its preliminary investigation.

The notification is not a final ruling. The authority said it will wait for OpenAI’s defence before taking its final decision.

The stakes are significant because confirmed breaches of the GDPR can bring fines of up to €20 million, or up to 4% of global annual turnover. For an AI company, the larger practical risk may be an order requiring changes to how personal data is processed.

That could force a company to alter how a service operates in a market. In a more difficult scenario, a service could be pulled from EU Member States where authorities require changes the company does not accept.

Why model training is central to the dispute

The investigation is closely tied to how ChatGPT was developed and how personal data is used for AI model training. The Garante had already raised concerns last year, when it ordered a temporary ban on ChatGPT’s local data processing. That order led to the chatbot being temporarily suspended in Italy.

In its March 30 provision to OpenAI, described as a “register of measures,” the authority pointed to several areas of concern. These included the lack of a suitable legal basis for collecting and processing personal data to train the algorithms behind ChatGPT, the tool’s tendency to produce inaccurate information about individuals, and child safety.

At that stage, the Garante said it suspected ChatGPT of breaching Articles 5, 6, 8, 13 and 25 of the GDPR. OpenAI later resumed ChatGPT service in Italy after taking steps to address some issues raised by the authority, while the investigation continued.

The authority has not said which suspected breaches it believes are confirmed at this stage. But the legal basis for processing people’s data for model training remains part of what the Garante is examining.

The legal basis question

The source of pressure is the GDPR’s requirement that processing EU people’s data must rest on a valid legal basis. The article says ChatGPT was developed using masses of data scraped from the public Internet, including personal data.

The GDPR lists six possible legal bases. According to the source, most are not relevant in OpenAI’s context. Last April, the Garante told OpenAI to remove references to “performance of a contract” for ChatGPT model training, leaving consent and legitimate interests as the remaining possibilities discussed in the article.

Consent appears difficult in this context because OpenAI has not sought permission from the countless millions, or even billions, of web users whose information was ingested and processed for AI model building. After the Garante’s intervention last year, OpenAI appeared to rely instead on legitimate interests.

That route still carries obligations. A processor relying on legitimate interests must allow people to object and have processing of their information stop. The article notes that how OpenAI could do this for a chatbot remains an open question.

There is also a broader issue: whether legitimate interests can be valid for this kind of AI model training at all. The basis requires a balance between the processor’s interests and the rights and freedoms of the people whose data is processed. It also requires consideration of whether people would have expected that use of their data and whether the processing could cause unjustified harm.

OpenAI’s response and the wider EU picture

OpenAI said it believes its practices align with GDPR and other privacy laws, and that it takes additional steps to protect people’s data and privacy. The company also said it wants its AI to learn about the world, not about private individuals.

OpenAI added that it actively works to reduce personal data in training systems like ChatGPT, and that ChatGPT rejects requests for private or sensitive information about people. The company said it plans to continue working constructively with the Garante.

The Italian case is not the only GDPR scrutiny facing ChatGPT in Europe. OpenAI is also facing a separate probe in Poland, after a complaint last summer focused on the tool producing inaccurate information about a person and OpenAI’s response to that complainant.

OpenAI has also sought to establish a physical base in Ireland and announced in January that its Irish entity would be the service provider for EU users’ data going forward. The aim is to gain “main establishment” status in Ireland and have GDPR compliance assessed through the regulation’s one-stop-shop mechanism.

But OpenAI has not yet obtained that status. Even if it does, the Italian probe and enforcement will continue because the processing at issue predates the change to its processing structure.

What happens next

OpenAI now has 30 days to submit its defence briefs on the alleged violations. The Garante said it will also take into account the ongoing work of the special task force set up by the Board that brings together the EU Data Protection Authorities, known as the EDPB.

That coordination may lead to more harmonized outcomes across separate ChatGPT GDPR investigations, including those in Italy and Poland. Still, data protection authorities remain independent and can issue decisions in their own markets.

For now, the case keeps the focus on a core question for generative AI in Europe: whether the data practices used to build and operate tools like ChatGPT can satisfy the GDPR’s requirements, especially when personal data is used at large scale for model training.