Italy’s data protection watchdog, Garante, has set out a list of compliance requirements for OpenAI to lift the order against its AI chatbot service, ChatGPT.
Garante had ordered OpenAI to stop processing data of Italian citizens, suspecting a breach of the EU’s General Data Protection Regulation (GDPR) at the end of March. OpenAI responded by geoblocking ChatGPT in Italy and confirming its compliance with privacy laws.
However, Garante’s latest demands include that OpenAI publish an information notice detailing its data processing, immediately adopt age gating to prevent minors from accessing the service, clarify the legal basis for processing data, and provide users and non-users with ways to exercise their rights over their personal data. It must also allow users to object to the processing of their data and conduct an awareness campaign to inform Italians that their information is being processed to train AI.
The GDPR is applicable whenever personal data is processed, and large language models such as OpenAI’s GPT have accumulated vast amounts of data off the public internet to train their AI models. OpenAI has to comply with Garante’s demands before lifting the order against ChatGPT.
Garante’s demands are designed to improve OpenAI’s transparency and allow Italians to exercise their data privacy rights. OpenAI may also have to choose between consent or legitimate interests as the legal basis for processing data for training its AI, instead of relying on the performance of a contract. OpenAI has yet to respond to the demands, but it will likely have to publish an information notice and conduct a local awareness campaign to lift the order against ChatGPT.