According to Italian data protection authority, ChatGPT does not comply with GDPR
OpenAI now has 30 days to present its defense.
On January 29, 2024, the GPDP (“Garante per la protezione dei dati personali”), Italy’s data protection authority, stated it had informed OpenAI of a “challenge” to ChatGPT. A preliminary investigation allegedly shows that the LLM fails to comply with the GDPR in several regards, particularly for its unauthorized use of personal data during training.
The GPDP investigation follows a provisional decree against ChatGPT dated March 30, 2023, which banned the use of the LLM in Italy. OpenAI had responded by guaranteeing it would give users the option to refuse the use of personal data in model training. As a result, ChatGPT became available again on April 28, 2023.
The GPDP will continue its investigation in order to confirm a GDPR breach. To this end, the authority will rely on the work of the European Data Protection Board, the European Union body made up of national data protection agencies.
As for OpenAI, the company has 30 days to present “a statement of defense against breach allegations.” The company could be fined to the tune of 20 million euros or 4% of its global yearly sales. More importantly, ChatGPT could be banned from Italy.
- Digital transition
- Cyber industrial safety
- Security and Stability in Cyberspace
- Cyber risks
- Operational security
- Antifraud action
- Digital identity & KYC
- Digital Sovereignty