OpenAI’s chatbot, ChatGPT, is facing regulatory scrutiny in Italy and Poland over its compliance with the General Data Protection Regulation (GDPR). The Italian Data Protection Authority (Garante) has launched an investigation into ChatGPT’s processing of personal data after it was reported that the chatbot had produced inaccurate information about a person.
The Garante has issued an order to suspend ChatGPT’s services in Italy until OpenAI takes corrective measures. However, OpenAI has resumed its services in Italy by adding privacy disclosures and controls.
OpenAI is also facing scrutiny over its GDPR compliance in Poland, where it is being investigated for producing inaccurate information about a person. The Polish investigation is ongoing.
To address the regulatory risks, OpenAI has established a physical base in Ireland and announced that it would be using this entity as the service provider for EU users’ data going forward. This move aims to gain so-called ‘main establishment’ status in Ireland and switch to having assessment of its GDPR compliance led by Ireland’s Data Protection Commission.
However, OpenAI has yet to obtain this status, and the Italian probe will continue regardless of any changes to its processing structure. The European Data Protection Board (EDPB) has also set up a taskforce to consider how the GDPR applies to ChatGPT, which may lead to more harmonized outcomes across discrete investigations.
Overall, OpenAI’s compliance with GDPR regulations remains a significant concern, and it will be interesting to see how these ongoing investigations unfold.