[Updated] Italian Privacy Authority Orders ChatGPT to Immediately Restrict Processing of Italian Users' Data

(Updated April 4nd at 2:16) On March 3th local (Rome) time, the Italian Personal Data Protection Supervisory Authority (GPDP)[1] (commonly known as the Garante) ordered provisional restrictive measures on the processing of personal data of users residing in Italy by the ChatGPT service operated by the US company OpenAI LLC. The GPDP noted that no information has been provided to users or to the data subjects whose data ChatGPT collects, and that there is no adequate legal basis for the collection and processing of personal data for the training of the algorithm. It also noted that there is no filter for children under 13 years of age, and that the processing of users' personal data, in particular the personal data of minors, violates several provisions of the EU's General Data Protection Regulation (GDPR). The provisional restrictive measures apply to the personal data of data subjects in general in Italy, and violation of the measures is subject to criminal and administrative penalties. The data controller was asked to report within 20 days the remedial steps taken and any information that may be useful to justify this violation.

This is a summary of ChatGPT's Order No. 112.[2]

Instruction Details

Now, let me go into the details. Order 112 consists of two parts: a preamble, or a section justifying the order, and the actual order itself.

Preamble

The preamble begins by explaining that the order is based on the GDPR (2016), the Italian Personal Data Protection Act (2003), and recent media reports. It then goes on to state that the following has been taken into consideration:

  1. There have been many media reports about ChatGPT.
    • This probably refers to the reports of the data leak discovered on March 3th (a bug that allowed users to see other people's first conversations, and payment-related information of 20% of ChatGPT Plus users who were active in the nine hours between Sunday and Monday when the service was temporarily halted).[3] See OpenAI's March 3th announcement.[4]
  2. According to the investigation, no information was provided to users or those whose data was collected by OpenAI and processed by ChatGPT.
  3. There is no lawful basis[5] for collecting and processing data for ChatGPT training.
  4. The processing of the personal data of the data subject is inaccurate, as manifested by the information provided by ChatGPT not necessarily matching the actual data.
  5. Despite the terms of use stating that the service is for people aged 13 and over, no age verification has been done.
  6. There is no filter for children under 13, exposing them to answers that are completely inappropriate for their developmental level and self-awareness.

In light of this, the processing of personal data of users, including children, has been found to violate Article 5[6], Article 6[7], Article 8[8], Article 13[9], and Article 25[10] of the GDPR.

For this reason, based on Article 58 (2) (f) of the GDPR[11], a provisional data processing suspension order is issued while the investigation is ongoing, in light of the urgency of the matter. The target is the data of all Italian residents, including those under the age of 13. The data of those under 13 is included, even though the terms of use state that users must be 13 or older, because no age restriction mechanism has been implemented. The order takes effect at the time of the issuance of this notice of disposition[12], and the content of the punishment may change depending on the results of the investigation.

It then states that any violation of this order will be punishable by imprisonment of three months to two years (Article 3 of the Italian Personal Data Protection Law).

In addition, the order states that, in view of the urgency of the matter, it was decided by the chairman pursuant to Article 5, paragraph 8 of the Act establishing the Italian Commission for the Protection of Personal Data.[13]

Main text

On this basis, the GPDP has issued the following order:

  • a) Pursuant to Article 58, paragraph 2 (f) of the Regulation, OpenAI LLC, the US company that develops and operates ChatGPT, as data controller of the processing of personal data carried out through said application, is urgently ordered to temporarily restrict the processing of personal data of data subjects[14] located in the Italian territory.
  • b) This order is effective immediately upon receipt and may result in further action.

In addition:

  • Pursuant to Article 58 of the GDPR, the data controller must submit to the Commission within 20 days a justification for the processing of the data involved in this infringement.

The document also states that failure to comply with the inquiry requirements under Article 58 may result in administrative penalties under Article 83, paragraph 5 (e).

Impression

It's going to be a tough challenge for OpenAI. I think it will be a good reference for Japanese companies doing this kind of thing.

First of all, no information has been provided to users or those whose data has been collected by OpenAI or processed by ChatGPT. The publicly available data contains a lot of personal information, and it seems necessary to provide information to the individual prior to processing. That's pretty tedious.

Secondly, there is no lawful basis for using the training data.

Article 6 of the GDPR states:

  • (a) Consent for a specific purpose;
  • (b) the performance of a contract or any pre-contractual procedure;
  • (c) Legal obligations;
  • (d) Protection of life;
  • (e) public interest;
  • (f) Legitimate interests (except for those under 13 and where such interests are overridden by the interests of the data subject not to be processed)

First of all, (a) is cited as a basis for legality. Since consent to use the data as training data was not obtained, it seems that "consent" cannot be used as a basis.

Furthermore, (b) is impossible because at the stage of using the data as training data, it is not clear whether or not a contract will be signed.

Needless to say, (c) and (d) are impossible. (e)'s public interest also seems difficult.

As for the last point (f), legitimate interests, the first thing they say is that you have to respond within 20 days. Normally, you would be asked to submit a PIA report that proves that no data of persons under the age of 13 is included and that the interests of data subjects will not be harmed.

Next is a violation of the "principle of accuracy." It returns nonsense. The principle of accuracy is often thought of as referring to the accuracy of data stored in databases, but it applies to the entire process, so it also applies to the information that comes out as a result of the process.

5 and 6 are about the lack of support for children. It seems that it is not enough to just write it in the terms and conditions, and age verification is required.

And if they don't stop the processing, they will be sentenced to 3 months to 2 years in prison. For the time being, ChatGPT still seems to be working from Japan, but I wonder if they made it impossible to access from Italy... No, that's not enough, they have to stop processing the data of data subjects on Italian territory, but how on earth? I wonder if they can remove that part from the model...

As for the main text, it is written succinctly. In addition, attention will be focused on whether the explanation can be submitted within 20 days.

That's all for today (April 4nd). For further updates, see "News and thoughts on Italy's ChatGPT restrictions".

Footnotes

  1. Guarantor for the protection of personal data
  2. I translated the original Italian text into English using DeepL, had them create a summary of it, and then asked them to translate it into Japanese.
  3. first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date
  4. March 20 ChatGPT outage: Here's what happened <https://openai.com/blog/march-20-chatgpt-outage>
  5. GDPR Article 6: (a) consent for a specific purpose; (b) performance of a contract or pre-contractual procedures; (c) legal obligation; (d) protection of life; (e) public interest; (f) legitimate interests (except where overridden by the interests and fundamental rights and freedoms of the child and data subject)
  6. Basic principles related to the processing of personal data
  7. Lawfulness of processing
  8. Requirements applicable to the child's consent in relation to information society services
  9. Information provided when personal data are collected from the data subject
  10. Data protection by design and by default
  11. Impose temporary or permanent restrictions, including a ban on processing;
  12. In short, immediately
  13. Stipulates that in an emergency, the committee may not be convened and the chairman may make decisions at his own discretion.
  14. "degli interessati" in the original; in English, "data subjects".
