Contents
Detailed complaint filed against OpenAI for GDPR violation
A detailed complaint was filed with the Polish data protection authority yesterday, raising questions about ChatGPT-maker OpenAI's ability to comply with European privacy rules. The complaint alleges that the US-based AI giant is violating the EU's General Data Protection Regulation (GDPR) in several areas such as legal basis, transparency, fairness, data access rights and privacy. It is also suggested that OpenAI did not consult local regulators before launching ChatGPT in Europe, which would have avoided violating EU privacy rules.
Concerns about RGPD compliance
This isn't the first time concerns have been raised about ChatGPT's compliance with the RGPD. The Italian data protection authority, the Garante, ordered OpenAI to stop processing data locally and identified several issues in areas such as legal basis, information disclosures, user controls and child safety. Other EU data protection authorities are also investigating ChatGPT.
Complaint of illegal data processing for AI training purposes
The complaint filed with the Polish data protection authority is the work of Lukasz Olejnik, a security and privacy researcher, who is represented by a Warsaw-based law firm. Olejnik complained about errors in the biography generated by ChatGPT about him and asked OpenAI to correct these errors as well as to provide the information required by the GDPR. The complaint claims that OpenAI has failed to provide all the information required by law, particularly with regard to the processing of personal data for training AI models.
Right to rectify personal data ignored
The complaint also highlights OpenAI's refusal to correct the errors generated by ChatGPT in Mr. Olejnik's biography, even though he has the right to rectify his personal data under the GDPR. The complaint states that OpenAI does not have an adequate mechanism to correct the inaccurate data generated by ChatGPT.
Incompatible data protection by design
The complaint also highlights ChatGPT's total violation of the RGPD's data protection by design and default principles. It claims that ChatGPT's design, which tested the tool using personal data in the production environment rather than in the design phase, contradicts the principles of data protection by design.
We contacted OpenAI for answers to the allegations in the complaint and to find out whether it carried out a data protection impact assessment before launching ChatGPT. We also asked why OpenAI did not seek prior consultation with EU regulators to develop high-risk technology in a way that mitigates RGPD risks.
We also contacted the Polish data protection authority, UODO, who confirmed that they had received the complaint and were analyzing it to decide what action to take. UODO also confirmed that this was the first complaint of its kind regarding ChatGPT and that it had not had any prior correspondence with OpenAI regarding ChatGPT's compliance with the GDPR.
The process of examining the complaint by the Polish authority could take from six months to two years. If the breach of the GDPR is confirmed, the authority could order OpenAI to respect Mr. Olejnik's rights and initiate a prior consultation process with EU regulators. The complaint also asks the Polish authority to require OpenAI to submit a data protection impact assessment (DPIA) detailing the processing of personal data related to ChatGPT.
Olejnik hopes to be able to exercise his rights under the RGPD and is confident that the RGPD process works.
French (France) 
French (Canada) 
French (Belgium) 
English 
German 
Spanish