EDPB’s ChatGPT Taskforce Publishes Preliminary Report

On May 23, 2024, The European Data Protection Board (EDPB) released a new report on its ongoing investigations into ChatGPT, the popular AI chatbot developed by OpenAI. In the report, the EDPB outlined the efforts of the special taskforce to ensure that ChatGPT complies with the General Data Protection Regulation (GDPR).

ChatGPT, which is a large language model (LLM), uses vast amounts of data, including personal information, to generate human-like text. Since its launch, European authorities have been scrutinizing its data practices to ensure they adhere to GDPR standards. Below we include a brief overview of the investigation and finding outlined in the report: 

• Lawfulness: The taskforce examined how OpenAI collects and processes data for training ChatGPT, which included data scraped from the web and user prompts. They focused on whether OpenAI has a legitimate basis for using this data and if it balances its interests with users' privacy rights. The EDPB concluded with an emphasis on the fact that OpenAI must have a legitimate basis for collecting and processing personal data, including data scraped from the web and user inputs. They must balance their interests with users' privacy rights and implement safeguards to ensure compliance with GDPR.
• Fairness: Concerns were highlighted about how fairly ChatGPT handles personal data. OpenAI needs to ensure that its data processing practices are fair and do not unfairly shift responsibility to users. The EDPB is reviewing measures taken by OpenAI to address these fairness issues, emphasizing that OpenAI must remain responsible for GDPR compliance.
• Transparency: OpenAI needs to clearly inform users about how their data is used, especially when it comes to training the AI. The taskforce is checking if users are adequately informed about the use of their inputs.
• Data Accuracy: While ChatGPT's responses may not always be accurate, the EDPB highlighted the need for OpenAI to inform users about the potential inaccuracies and limitations of the AI's outputs. Ensuring data accuracy is crucial, and users must be aware of the probabilistic nature of the AI’s generated text.
• User Rights: The EDPB emphasized the importance of making it easy for users to exercise their GDPR rights, such as accessing, correcting, and deleting their data. OpenAI is expected to continue improving these processes to facilitate users' ability to exercise their rights effectively. OpenAI is working on improving this.

Next Steps

This preliminary report serves as an assessment with the taskforce continuing to monitor and evaluate OpenAI's compliance with GDPR.

The EDPB taskforce will continue its investigations, coordinating with various national authorities. Additionally, a detailed questionnaire has been included in the Annex of the report, aimed at helping Supervisory Authorities to obtain more information from OpenAI about its data practices.