Last week, OpenAI was able to pacify Italian data authorities and withdraw the country’s effective ban on ChatGPT, but its battle with European regulators is far from finished.
OpenAI’s popular and contentious ChatGPT chatbot hit a major legal hitch earlier this year: an effective prohibition in Italy. The Italian Data Protection Authority (GPDP) accused OpenAI of violating EU data protection standards, and the business agreed to limit service access in Italy while it worked to resolve the issue. On April 28th, ChatGPT returned to the country, with OpenAI addressing GPDP’s complaints lightly without making any changes to its service – an apparent success.
The GPDP has stated that it “welcomes” the adjustments made by ChatGPT. However, the firm’s legal issues — and those of other companies developing comparable chatbots — are most likely just getting started. Several countries’ regulators are looking into how these AI technologies collect and produce information, citing a variety of issues ranging from corporations’ collecting of unlicensed training data to chatbots’ proclivity to spout falsehoods. The EU is implementing the General Data Protection Regulation (GDPR), one of the world’s most stringent legislative privacy frameworks, the consequences of which will certainly extend far beyond Europe. Meanwhile, policymakers in the EU are working on a bill that will particularly target AI, ushering in a new era of regulation for systems like ChatGPT.
ChatGPT’s numerous concerns with misinformation, copyright, and data protection have made it a target.
ChatGPT is one of the most well-known examples of generative AI, which refers to tools that generate text, images, video, and audio based on user input. After attaining 100 million monthly active users just two months after starting in November 2022, the service purportedly became one of the fastest-growing consumer applications in history (OpenAI has never confirmed these claims). It is used to translate text into several languages, to produce college essays, and to generate code. However, detractors, including regulators, have cited ChatGPT’s unreliability, ambiguous copyright issues, and unclear data protection practises.
Italy was the first to take action. It highlighted four ways it believed OpenAI was violating GDPR on March 31st: allowing ChatGPT to provide inaccurate or misleading information, failing to notify users of its data collection practises, failing to meet any of the six possible legal justifications for processing personal data, and failing to adequately prevent children under 13 years old from using the service. It ordered OpenAI to stop utilising personal information obtained from Italian citizens in its ChatGPT training data immediately.
No other country has taken such drastic measures. However, at least three EU countries — Germany, France, and Spain — have initiated their own investigations into ChatGPT since March. Meanwhile, Canada is assessing privacy concerns under the Personal Information Protection and Electronic Documents Act, or PIPEDA. The European Data Protection Board (EDPB) has even formed a task group to assist in the coordination of investigations. And if these agencies demand adjustments from OpenAI, it may have an impact on how the service operates for users all across the world.
Regulators are concerned about two things: where ChatGPT’s training data comes from and how OpenAI delivers information to its customers.
ChatGPT employs OpenAI’s GPT-3.5 and GPT-4 large language models (LLMs), which have been trained on massive amounts of human-produced text. OpenAI is tight-lipped about the training text it employs, although it does indicate it uses “a variety of licenced, created, and publicly available data sources, which may include publicly available personal information.”
This could cause major issues under GDPR. The law was passed in 2018 and applies to any service that collects or processes data from EU individuals, regardless of where the organisation responsible is located. GDPR regulations require businesses to obtain explicit consent before collecting personal data, to have a legal rationale for collecting it, and to be clear about how it is used and maintained.
According to European authorities, the secrecy surrounding OpenAI’s training data makes it impossible to check whether the personal information swept into it was submitted with user consent in the first place, and the GPDP expressly asserted that OpenAI had “no legal basis” for collecting it in the first place. So far, OpenAI and others have escaped with little scrutiny, but
According to European authorities, the secrecy surrounding OpenAI’s training data makes it impossible to check whether the personal information swept into it was submitted with user consent in the first place, and the GPDP expressly asserted that OpenAI had “no legal basis” for collecting it in the first place. So far, OpenAI and others have gotten away with little scrutiny, but this assertion raises serious concerns about future data scraping efforts.OpenAI also collects data directly from consumers. It collects a variety of typical user data (e.g., name, contact information, card details, etc.) like any other online platform. But, more importantly, it logs user interactions with ChatGPT. According to a FAQ, this data can be inspected by OpenAI workers and utilised to train future models.
While OpenAI’s policy indicates that it “does not knowingly collect personal information from children under the age of 13,” there is no tight age verification gate, thus at least some of this data may have been gathered from minors. That conflicts with EU legislation, which prohibit collecting data from children under the age of 13 and (in some countries) need parental approval for kids under the age of 16. On the output side, the GPDP noted that the lack of age filters in ChatGPT exposes children to “absolutely unsuitable responses with respect to their degree of development and self-awareness.”
Some officials have expressed concern about OpenAI’s use of that data, and storing it poses a security risk. Companies such as Samsung and JPMorgan have prohibited staff from utilising generative AI technologies for fear of exposing sensitive data. Indeed, Italy announced its ban just after ChatGPT experienced a major data leak, revealing users’ chat histories and email addresses.
ChatGPT’s proclivity for supplying incorrect information could potentially be an issue. GDPR requirements require that all personal data be correct, which the GPDP emphasised in its announcement. Depending on how that is defined, it could be problematic for most AI text generators, which are prone to “hallucinations”: a cutesy industry word for factually wrong or irrelevant responses to a query. This has already had some real-world ramifications, with a regional Australian mayor threatening to sue OpenAI for slander after ChatGPT incorrectly stated he had done time in prison for bribes.
ChatGPT’s popularity and present market dominance make it an especially appealing target, but there’s no reason why its competitors and collaborators, like as Google with Bard or Microsoft with its OpenAI-powered Azure AI, won’t be scrutinised as well. Prior to ChatGPT, Italy prohibited the chatbot platform Replika from gathering information on children – and it has remained prohibited to this day.
While GDPR is a strong collection of regulations, it was not designed to solve AI-specific challenges. Rules that do, on the other hand, may be on the horizon.
The EU presented its first draught of the Artificial Intelligence Act (AIA) in 2021, legislation that will work in tandem with GDPR. The legislation oversees AI technologies based on their assessed danger, ranging from “minimal” (spam filters) to “high” (AI tools for law enforcement or education) or “unacceptable” and hence prohibited (such as a social credit system). Following the proliferation of large language models such as ChatGPT last year, lawmakers are now scrambling to establish rules for “foundation models” and “General Purpose AI Systems (GPAIs)” — two acronyms for large-scale AI systems that include LLMs — and potentially classifying them as “high risk” services.
The provisions of the AIA go beyond data protection. A recently proposed amendment would require businesses to disclose any copyrighted content utilised in the development of generative AI systems. This might expose previously confidential datasets and subject more corporations to infringement litigation, which are already affecting some services.
Laws governing artificial intelligence may not be implemented in Europe until late 2024.
However, passing it may take some time. On April 27th, EU parliamentarians struck a tentative agreement on the AI Act. On May 11th, a committee will vote on the draught, and the final plan is due by mid-June. The European Council, Parliament, and Commission must then address any outstanding issues before the law can be implemented. If all goes well, it might be implemented by the second half of 2024, putting it somewhat behind the official objective of Europe’s May 2024 elections.
For the time being, the spat between Italy and OpenAI provides an early indication of how authorities and AI businesses might negotiate. The GPDP recommended lifting the restriction provided OpenAI meets numerous proposed resolutions by April 30th. This includes educating users on how ChatGPT keeps and processes their data, requesting explicit agreement to use said data, facilitating requests to amend or remove inaccurate personal information provided by ChatGPT, and requiring Italian users to confirm their age when signing up for an account. OpenAI did not meet all of the requirements, but it done enough to satisfy Italian regulators and restore access to ChatGPT in Italy.
OpenAI still has goals to achieve. It has until September 30th to implement a stricter age-gate to keep youngsters under the age of 13 out and to seek parental authorization for older underage teens. If it fails, it may find itself barred once more. However, it has served as an example of what Europe considers acceptable behaviour for an AI business – at least until new rules are enacted.
Also Check Everything You Need To Know About Ransomware Malware