…Researched and contributed by Solomon Thomas.
In March 2023, the Italian regulatory body responsible for data protection imposed an order on OpenAI to halt the processing of data belonging to individuals residing in the country due to suspected violations of the EU’s General Data Protection Regulation (GDPR).
The watchdog has now specified the actions that OpenAI must take to revoke the order.
Increased Transparency and Age-Gating Measures
The regulator’s press release mandates that OpenAI must increase its transparency and issue a comprehensive information notice outlining its data processing practices.
Furthermore, OpenAI must implement age-gating measures immediately to prevent minors from accessing its technology and adopt more stringent age verification methods.
Legal Grounds for Data Processing
OpenAI is obligated to specify the legal grounds it relies upon for processing individuals’ data to train its AI.
It cannot rely on contract performance and must choose between obtaining user consent or relying on legitimate interests.
Currently, OpenAI’s privacy policy references three legal bases but appears to give more weight to the performance of a contract when providing services such as ChatGPT.
User Rights and Objections
OpenAI must enable both users and non-users to exercise their rights regarding their personal data, including requesting corrections for any misinformation generated by ChatGPT or deleting their data.
Additionally, OpenAI must provide users with the option to object to the processing of their data for the purpose of training its algorithms.
Awareness Campaign and Deadlines
OpenAI is required to conduct an awareness campaign in Italy to inform individuals that their information is being processed to train its AIs.
The Italian Data Protection Agency (DPA) has set a deadline of April 30 for OpenAI to complete most of these tasks.
However, OpenAI has been granted some additional time to comply with the additional demand of migrating from the existing, age-gating child safety technology to a more resilient age verification system.
Plan and Deployment Deadlines for Age Verification
OpenAI has until May 31 to submit a plan outlining the implementation of age verification technology that screens out users under 13 years of age (and those aged 13 to 18 who have not obtained parental consent).
The deadline for deploying this more robust system is set for September 30.
ChatGPT Offline in Italy
Following concerns raised by the national data agency about possible privacy violations and failure to verify the age of users, Microsoft-backed OpenAI took ChatGPT offline in Italy on March 31.
Commentary
The regulatory body’s mandate outlines several measures that OpenAI must take to ensure compliance with the GDPR and protect individuals’ privacy rights.
These measures include increasing transparency, adopting more robust age-gating and age verification measures, specifying legal grounds for data processing, enabling user rights, providing an option to object to data processing, and conducting an awareness campaign in Italy.
OpenAI has been granted some additional time to comply with certain demands, such as implementing a more robust age verification system.
However, the company must act swiftly to complete the majority of the tasks by the end of April.