The State Commissioner for Data Protection and Freedom of Information for Rhineland-Palatinate, Prof. Dr. Dieter Kugelmann, has been leading a task force focused on artificial intelligence. Recently, he coordinated the development of a comprehensive questionnaire concerning ChatGPT, an AI language model operated by OpenAI. This questionnaire, containing 79 queries, is a follow-up to a previous request for information sent to OpenAI by the German data protection supervisory authorities. OpenAI’s response to the initial questionnaire was cooperative and thorough, but further analysis indicated a need for more detailed questioning.
Kugelmann’s primary role is to safeguard citizens’ right to informational self-determination. To ensure that ChatGPT’s data processing complies with the General Data Protection Regulation (GDPR), it’s crucial to understand what happens behind the scenes. Kugelmann insists on AI being comprehensible and explainable, as this is the only way to measure it against societal norms and values. This is why the task force is investing significant effort into scrutinizing ChatGPT and pushing for increased transparency.
The current set of questions aims to delve deeper into whether ChatGPT’s processing of personal data is lawful. The focus is on special data categories as per Art. 9 GDPR, which includes data with special protection such as information about religion, health, or sexual orientation. The task force is also critically examining how the rights of data subjects to information, as well as correction and deletion of personal data, are being upheld.
OpenAI, a US-based company, doesn’t have an office in the EU, so all European data protection supervisory authorities are responsible for ensuring GDPR compliance. Even if OpenAI establishes an office in Ireland, the LfDI’s review process won’t cease, as it concerns both the current and past status. German supervisory authorities will remain responsible for future status if ChatGPT is offered in Germany, but they will collaborate with the supervisory authority at the EU headquarters, possibly the Irish Data Protection Commission.