Garante per la protezione dei dati personali (Italy) - 9870832

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 8 GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.03.2023
Published: 30.03.2023
Fine: n/a
Parties: OpenAI
National Case Number/Name: 9870832
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor: mg

The Italian DPA imposed a temporary limitation on the processing of personal data by the AI software ChatGPT.

English Summary

Facts

After receiving a complaint from Inder Kahlon on 24th February 2023 (Numero protocollo: 0033835), the Italian DPA opened an investigation concerning ChatGPT, an AI service offered by the American company OpenAI. The investigation focused on three main areas.

First, the controller did not provide the data subjects whose personal data had been collected through the Internet with appropriate information about the processing.

Second, the DPA found that ChatGPT's final output – its “answers” – although also based on personal data and thus often containing personal data, did not always represent reality accurately.

Finally, the investigation showed that OpenAI did not adopt any measure to check that users were above the minimum age requirement of 13 years.

Holding

The Italian DPA held that the controller did not comply with its obligation to provide data subjects with a privacy policy pursuant to Article 13 GDPR.

Moreover, the collection of personal data and their use in the training of ChatGPT algorithms were undertaken without a proper legal basis, in violation of Articles 5 and 6 GDPR.

Concerning specifically data of people other than the users, namely those data subjects whose data were collected on the internet, the DPA found that the algorithms behind the functioning of ChatGPT did not guarantee the principle of accuracy as enshrined in Article 5(1)(d).

Finally, the DPA also considered that the lack of any mechanism to check the age of the users entailed a violation of Article 8 GDPR.

In light of the above and in the context of an urgency procedure, the DPA imposed on OpenAI a temporary limitation of processing pursuant to Article 58(2)(f) GDPR. Such limitation concerns all processing operations involving data subjects on the Italian territory.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Press release of March 31, 2023



[doc. web no. 9870832]

Provision of March 30, 2023

Register of measures
no. 112 of 30 March 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD also to the Personal Data Protection Code (Legislative Decree No. 196 of 30 June 2003);

NOTING the numerous interventions by the media regarding the functioning of the ChatGPT service;

DETECTED, from a check carried out in this regard, that no information is provided to users, nor to interested parties whose data has been collected by OpenAI, L.L.C. and processed through the ChatGPT service;

NOTING the absence of an appropriate legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the functioning of ChatGPT;

NOTING that the processing of personal data of the interested parties is inaccurate as the information provided by ChatGPT does not always correspond to the real data;

DETECTED, moreover, the absence of any verification of the age of users in relation to the ChatGPT service which, according to the terms published by OpenAI L.L.C., is reserved for individuals who are at least 13 years old;

CONSIDERING that the absence of filters for minors under the age of 13 exposes them to absolutely unsuitable responses with respect to their degree of development and self-awareness;

CONSIDERING therefore that in the situation outlined above, the processing of personal data of users, including minors, and of interested parties whose data is used by the service is in violation of articles 5, 6, 8, 13 and 25 of the Regulation;

RECOGNIZING, therefore, the need to order, pursuant to art. 58, par. 2, lit. f), of the Regulation - as a matter of urgency and pending the completion of the necessary investigation with respect to what has emerged so far against OpenAI L.L.C., a US company that develops and manages ChatGPT - the measure of the temporary limitation of the processing;

CONSIDERING that, in the absence of any mechanism for verifying the age of the users, as well as, in any case, of the complex of violations detected, said temporary limitation must extend to all personal data of the interested parties established in the Italian territory;

CONSIDERING it necessary to order the aforementioned limitation with immediate effect from the date of receipt of this provision, reserving any other determination to the outcome of the definition of the preliminary investigation started on the case;

RECALLING that, in the event of non-compliance with the measure established by the Guarantor, the criminal sanction pursuant to art. 170 of the Code and the administrative sanctions provided for by art. 83, par. 5, letter e), of the Regulation apply;

CONSIDERING, on the basis of the foregoing, that the prerequisites are met for the application of art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Guarantor's office, which provides that «In cases of particular urgency and in which the Guarantor cannot be convened in good time, the president can adopt the measures pertaining to the body, which cease to have effect from the moment of their adoption if they are not ratified by the Guarantor in the first useful meeting, to be convened no later than the thirtieth day»;

HAVING REGARD to the documentation in the deeds;

HAVING CONSIDERED ALL OF THE ABOVE, THE GUARANTOR:

a) pursuant to art. 58, par. 2, lit. f), of the Regulation, urgently establishes, against OpenAI L.L.C., a US company that develops and manages ChatGPT, as data controller for the processing of personal data carried out through this application, the measure of the temporary limitation of the processing of personal data of data subjects established in the Italian territory;

b) the aforementioned limitation has immediate effect from the date of receipt of this provision, subject to any other determination following the outcome of the definition of the investigation started on the case.

The Guarantor, pursuant to art. 58, par. 1, of Regulation (EU) 2016/679, also invites the data controller receiving this provision to communicate, within 20 days from the date of its receipt, what initiatives have been undertaken in order to implement the provisions and to provide any element deemed useful to justify the violations highlighted above. Please note that failure to respond to the request pursuant to art. 58 is punished with the administrative sanction pursuant to art. 83, par. 5, letter e), of Regulation (EU) 2016/679.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller has his residence, within the term of thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

In Rome, March 30, 2023

PRESIDENT
Stanzione


