The last few months have seen a rapid proliferation of artificial intelligence capabilities and technological leaps. Conversational AI models like ChatGPT have been by far one of the most captivating results of these advancements.

However, as these models grow in popularity, regulatory bodies worldwide have begun to raise concerns about possible data privacy violations by ChatGPT. While ChatGPT continues to grow and expand in a highly dynamic environment, its regulatory troubles will likely be around for a while.

Considering the diverse ways in which ChatGPT is being utilized, it is vital to understand precisely what concerns global regulatory bodies have raised about its data collection practices and what actions they have or plan to take soon.

Canada

Invited to the IAPP Canada Privacy Symposium 2023, the Privacy Commissioner of Canada, Philippe Dufresne, was expected to elaborate on how his office would deal with reports of potential irregularities in OpenAI’s data collection practices. He announced that the Office of the Privacy Commissioner of Canada (OPC) would launch a comprehensive investigation in conjunction with other provincial data protection authorities.

This follows the OPC’s initial investigation into ChatGPT that began in April. The Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia, and Quebec’s Commission d’accès à l’information du Quebec will now join the investigation and evaluate whether OpenAI’s data collection practices are compliant with the various data privacy laws in Canada.

Additional aspects likely under investigation include whether OpenAI’s practices comply with the numerous consent, openness and transparency, access, accuracy, and accountability requirements of the Canadian data privacy regulations.

Since the investigation is still in its relatively early stages, the coming months will provide further clarity into how serious the potential violations by OpenAI are and which specific provisions it has violated.

The OPC’s comments at the IAPP Canada Privacy Symposium 2023 came merely days after the CEO of OpenAI, Sam Altman, testified before the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law.

Dufresne referenced his testimony several times, elaborating on how he hopes the investigation will provide an appropriate foundation to address children’s privacy as well as other privacy issues related to generative AI in future privacy law reforms such as the proposed federal Bill C-27.

Spain

Spain’s Agency for Data Protection (AEPD) announced its own preliminary investigative actions against OpenAI owing to possible data privacy legal violations as part of their data collection and algorithmic training datasets.

As part of the investigation, the AEPD forwarded a request to the European Data Protection Committee (EDPB) to include OpenAI’s ChatGPT service as a topic for discussion at the April 2023 plenary meeting. The AEPD cited the highly dynamic nature of the service and its immediate impact on users’ data rights for the request.

The AEPD has further added that it stands firmly in support of the development and implementation of innovative tech as long as it respects and abides by the provisions of the current regulations.

Germany

The Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI), better known as the Baden-Württemberg Data Protection Authority, has formally asked OpenAI, the company behind ChatGPT to comment on its data collection, processing, and usage practices.

The State Commissioner for Data Protection and Freedom of Information has sent OpenAI a detailed and thorough questionnaire in an attempt to “check its compatibility with European data protection law.”

It is worth mentioning that the LfDI heads the AI Taskforce of the German DPAs. This task force recently developed a model letter shared by German data protection authorities with OpenAI, raising concerns about the legal bases for data collection by ChatGPT, data protection mechanisms explicitly adopted for children’s data, and OpenAI’s ability to adequately protect users’ data subject rights.

The State will also invite authorities, companies, and citizens to an AI event series in October to discuss citizen-friendly digital development and its social effects.

Italy

ChatGPT has been in the headlines since 2022. It continued to grow in its capabilities, leading to speculations of it being the official start of the Fourth Industrial Age. In April 2023, it was in the headlines again, this time for the wrong reasons; the Gerante, Italy’s data protection authority, had raised serious concerns about the platform’s data collection practices and had temporarily banned it within the country.

Citing serious privacy concerns, Gerante raised questions over ChatGPT’s compliance with the GDPR provisions related to legal bases for data collection, provision of information to data subjects, and verifying the age of users. If the same were not properly addressed, OpenAI could have faced a penalty of up to €20 million ($21.7m) or an amount equivalent to up to 4% of its annual revenues from the preceding financial year.

However, barely a month later, ChatGPT was cleared to resume operations in Italy by Gerante, citing OpenAI’s progress in ensuring appropriate measures were undertaken to alleviate some of the privacy concerns raised earlier.

These measures included an age verification system, making appropriate resources available to enable users to exercise their rights, and informing users in detail of what happens to their collected data and how any such collected data is used to train their algorithms.

Despite the resumption of ChatGPT in Italy, the probe into OpenAI’s operations remains ongoing, with a specific task force being set up by the European Data Protection Committee to foster cooperation and enable the exchange of information on possible enforcement actions conducted by data protection authorities in the EU.

Netherlands

The Dutch data protection authority (AP) also announced in June that it is requesting OpenAI to clarify how it handles personal data when using generative artificial intelligence and training ChatGPT. The AP also raised concerns that the content generated by ChatGPT may be inappropriate, inaccurate, or obsolete and may take on a life of its own, and how OpenAI would rectify or delete such data.

Central & South America

The Ibero-American Personal Data Protection Network (RIPD) recently announced that it would launch a coordinated enforcement action against OpenAI’s ChatGPT across 12 jurisdictions.

The Ibero-American Personal Data Protection Network is an association of Spanish-speaking countries in Central and South America, Brazil, Spain, and Portugal. A representative from the relevant regulatory body represents their country within the association.

In its announcement, the Ibero-American Personal Data Protection Network has raised serious issues related to how ChatGPT uses, stores, and protects the personal data it collects related to its users.

Additionally, other areas of concern highlighted include:

• Legal bases for the collection of personal data;
• The information provided to users about the processing of their personal data;
• How ChatGPT adheres to data subject rights;
• Transfers of collected personal data to third parties without appropriate consent;
• Lack of age control measures to prevent minors from accessing their technology;
• Lack of transparency related to security measures guaranteeing the confidentiality and protection of the collected personal data.

Lastly, the association has also called into question ChatGPT’s lack of appropriate measures in place to tackle misinformation. Since the responses generated by ChatGPT rely on pre-existing knowledge from available datasets, ChatGPT has failed to elaborate on how it ensures the accuracy of the responses it generates and whether there are any mechanisms to flag false information.

The RIPD has encouraged users to thoroughly go through ChatGPT’s privacy policy,  carefully consider what data they permit to be collected, and make use of the rights granted by data protection laws.

How Can Securiti Help

ChatGPT not only continues to grow but also changes owing to how it efficiently incorporates the insights it gains from the training data it is fed. However, the more it shapes our new digital landscape, the more thorough the potential scrutinies and investigations.

As numerous regulatory bodies have pointed out, OpenAI must balance innovation and user privacy. It is a paramount challenge, but one without which ChatGPT cannot achieve compliance with global data privacy regulations.

Securiti, a leader in providing enterprise data privacy, security, compliance, and governance solutions, has various dedicated modules and products to help organizations meet any regulatory obligations they may be subject to.

The PrivacyCenter.cloud is an elegant all-in-one solution that helps an organization comply with a myriad of complex and evolving global privacy regulations. It offers a centralized dashboard allowing complete oversight of an organization’s consent management, DSR requests, privacy & notice management, and real-time GPC Preferences.

As a result, organizations can identify and respond to any irregularities within their compliance protocols proactively while minimizing any chance of regulatory violations or neglect.

Request a demo today and learn more about how Securiti can help your organization achieve regulatory compliance today.