OpenAI is facing another privacy violation complaint in the European Union. The lawsuit, filed by the privacy rights nonprofit NOYB on behalf of individual complainants, targets the company's inability to correct false information it generates about individuals by its AI chatbot ChatGPT.
The propensity of GenAI tools to generate patently incorrect information is well documented. However, this technology also conflicts with the regional General Data Protection Regulation (GDPR), which governs how local users' personal data is processed.
Fines for non-compliance with GDPR can reach up to 4% of global annual revenue. That's even more important for a resource-rich giant like OpenAI. Enforcement of the GDPR could reshape how generative AI tools operate in the EU, as data protection regulators can order changes to how information is processed.
OpenAI had already been forced to make some changes after early intervention by Italian data protection authorities forced a temporary local shutdown of ChatGPT in 2023.
Now, noyb has filed the latest GDPR complaint against ChatGPT with the Austrian data protection authority on behalf of an anonymous complainant who discovered that the AI chatbot had generated an incorrect date of birth.
Under the GDPR, people in the EU have a series of rights regarding information about them, including the right to have incorrect data corrected. noyb claims that OpenAI does not comply with this obligation regarding chatbot output. The company said it denied the complainant's request to correct the incorrect date of birth, replying that it was technically impossible to do so.
Instead, they suggested filtering or blocking data on specific prompts, such as the complainant's name.
OpenAI's privacy policy states that users who become aware that an AI chatbot has generated “factually inaccurate information about you” may do so through privacy.openai.com or by email at dsar@openai.com states that you can submit a “revision request”. However, we flag this line with a warning: “Given the technical complexity of how the model works, it may not be possible to correct inaccuracies in all cases.”
In that case, OpenAI suggests that you request that your personal information be permanently removed from ChatGPT's output by filling out a web form.
The problem for AI giants is that GDPR rights are not à la carte. Europeans have the right to demand redress. You also have the right to request that your data be deleted. However, as noyb points out, OpenAI does not choose which of these rights are available.
Other elements of the complaint focus on GDPR transparency concerns, with noyb asking where the data OpenAI generates about individuals comes from and what data chatbots store about people. It claims that it cannot be made clear.
This is important. This is because the regulation gives individuals the right to request such information by making a so-called subject access request (SAR). According to noyb, OpenAI did not respond appropriately to Complainant's SAR and did not disclose any information about the processed data, its sources, or recipients.
Noyb's data protection lawyer Marcie de Graaf said in a statement about the complaint: “Inventing false information is itself quite problematic. But when it comes to false information about individuals, the consequences can be serious. It is clear that chatbots cannot be made compliant with EU law: if a system cannot produce accurate and transparent results, the technology cannot be used to generate data about individuals. You have to follow the requirements and not the other way around.”
The company said it is asking the Austrian DPA to investigate complaints about OpenAI's data processing, as well as imposing fines to ensure future compliance. However, he added that the matter was “likely” to be addressed through EU cooperation.
OpenAI faces similar complaints in Poland. Last September, local data protection authorities launched an investigation into ChatGPT following complaints from privacy and security researchers, who also asked OpenAI to correct incorrect information about them. It turned out that it was not possible. The complaint also accuses the AI giant of failing to comply with regulatory transparency requirements.
Meanwhile, Italian data protection authorities are still conducting a public investigation into ChatGPT. The company issued a draft decision in January stating that it believes OpenAI violates the GDPR in a number of ways, including in relation to chatbots' propensity to generate false information about people. The findings also relate to other important issues, such as the legality of processing.
Italian authorities gave OpenAI one month to respond to the findings. A final decision is pending.
New GDPR complaints have now been filed against chatbots, increasing the risk that OpenAI will face a wave of GDPR enforcement across various member states.
The company opened a regional office in Dublin last fall. This aims to reduce regulatory risk by funneling privacy complaints to the Irish Data Protection Commissioner, thanks to a mechanism in the GDPR aimed at streamlining the oversight of cross-border complaints. I think that the. by centralizing them in the authorities of a single Member State in which the companies are “mainly established”.