OpenAI, a leading American AI firm, is currently in the hot seat after a comprehensive complaint was lodged with Poland’s data protection agency. The claim accuses OpenAI of violating the European Union’s General Data Protection Regulation (GDPR) on multiple fronts. The bone of contention is OpenAI’s popular ChatGPT technology, which the complainant claims infringes EU privacy rules in several areas such as lawful basis, transparency, fairness, data access rights, and privacy by design.
The complaint presents the ChatGPT technology and OpenAI’s approach to its development and operation as essentially a systematic breach of the pan-EU regime. Particularly, it alleges that OpenAI overlooked the GDPR requirement to consult with regulators prior to deployment if risk assessment identifies high risks to people’s rights. However, OpenAI seemingly proceeded with the European launch of ChatGPT without engaging with local regulators.
This is not the first time OpenAI has faced GDPR concerns. Earlier this year, Italy’s privacy watchdog ordered OpenAI to stop processing data locally until it addressed issues in lawful basis, information disclosures, user controls, and child safety. While OpenAI quickly resumed services in Italy after making some adjustments, investigations are ongoing and it remains uncertain what conclusions will emerge regarding compliance.
OpenAI’s failure to engage with EU regulators and conduct a proactive assessment before launching ChatGPT could pose significant regulatory risk across the bloc. Confirmed violations of the GDPR can result in penalties as high as 4% of global annual turnover. As the Polish DPA analyzes the complaint and decides on further actions, all eyes will be on how this case shapes the future of AI regulation in Europe.