以下は、DeepLによる自動翻訳です。脚注は﨑村によります。原文はこちらを御覧ください

Register of Measures
No 112 of 30 March 2023

THE SUPERVISOR FOR THE PROTECTION OF PERSONAL DATA

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “Regulation”)1;

HAVING ALSO CONSIDERED the Personal Data Protection Code (Legislative Decree No 196 of 30 June 2003)2;

TAKEN NOTE of the numerous media reports on the operation of the ChatGPT service;

NOTED, from a verification carried out in this regard, that no information is provided to users, nor to the data subjects whose data was collected by OpenAI, L.L.C. and processed through the ChatGPT service

NOTING that there is no appropriate legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the operation of ChatGPT;

NOTED that the processing of personal data of data subjects is inaccurate in that the information provided by ChatGPT does not always correspond to the actual data;

NOTED, furthermore, the absence of any verification of the age of users in relation to the ChatGPT service which, according to the terms published by OpenAI L.L.C., is reserved for individuals who are at least 13 years of age

CONSIDERING that the absence of filters for children under the age of 13 exposes them to responses that are totally unsuitable in relation to their level of development and self-awareness

CONSIDERING, therefore, that in the situation outlined above, the processing of the personal data of users, including minors, and of those whose data are used by the service is in breach of Articles 53, 64, 85, 136 and 257 of the Regulation

CONSIDERING, therefore, the need to order, pursuant to Article 58(2)(f)8 of the Regulation – as a matter of urgency and pending the completion of the necessary preliminary investigation into the matters that have emerged to date in respect of OpenAI L.L.C., the US company which develops and operates ChatGPT, the measure of provisional restriction of processing

CONSIDERING that, in the absence of any mechanism for verifying the age of the users and, in any event, all the infringements detected, this provisional restriction should be extended to all the personal data of the data subjects established on Italian territory

CONSIDERING it necessary to order the aforesaid restriction with immediate effect as from the date of receipt of this measure, reserving the right to make any other determination upon the outcome of the preliminary investigation opened in the case

RECALLING that, in the event of failure to comply with the measure ordered by the Garante, the criminal sanctions provided for in Article 1709 of the Code and the administrative sanctions provided for in Article 83(5)(e)10 of the Regulation shall apply

CONSIDERING, on the basis of the foregoing, that the conditions for the application of Article 5(8) of Regulation no. 1/2000 on the organisation and operation of the office of the Garante11, which provides that “In cases of particular urgency and urgency that do not permit the Garante to be convened in good time, the chairman may adopt the measures falling within the authority of the body, which shall cease to have effect from the time of their adoption if they are not ratified by the Garante at the first useful meeting, to be convened no later than the thirtieth day”;

HAVING REGARD TO the documents in the file;

WHEREAS THE SUPERVISOR:

(a) Pursuant to Article 58(2)(f)12 of the Regulation, orders, as a matter of urgency, against OpenAI L.L.C., a U.S. company that develops and operates ChatGPT, in its capacity as the owner of the processing of personal data carried out through that application, the measure of provisional limitation of the processing of personal data of data subjects established in the Italian territory;

b) the aforesaid restriction shall take immediate effect as of the date of receipt of this order, subject to any further determination upon the outcome of the preliminary investigation into the case.

The Garante, pursuant to Article 58(1)13 of Regulation (EU) 2016/67914, also invites the data controller to whom the measure is addressed, within 20 days from the date of receipt of the measure, to communicate what steps have been taken in order to implement the measure and to provide any element deemed useful to justify the violations highlighted above. Please note that failure to reply to the request pursuant to Article 5815 is punishable by the administrative sanction set out in Article 83(5)(e)16 of Regulation (EU) 2016/67917.

Pursuant to Article 7819 and Article 10 of Legislative Decree no. 150 of 1 September 201120, an objection to this measure may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court of the place where the data controller resides, within thirty days from the date of communication of the measure itself, or sixty days if the applicant resides abroad.

In Rome, 30 March 2023

THE PRESIDENT
Stanzione

脚注

  1. GDPR
  2. Italian Data Protection Law<http://www.privacy.it/archivio/privacycode-en.html>(2023-04-01取得)
  3. Principles relating to processing of personal data
  4. Lawfulness of processing
  5. Conditions applicable to child’s consent in relation to information society services
  6. Information to be provided where personal data are collected from the data subject
  7. Data protection by design and by default
  8. to impose a temporary or definitive limitation including a ban on processing;
  9. Section 170(Failure to Comply with Provisions Issued by the Garante) 1. Whoever fails to comply with a provision issued by the Garante pursuant to Sections 26(2), 90, 150(1) and (2) and 143(1), letter c), in breach of the relevant obligations, shall be punished by imprisonment for between three months and two years.
  10. non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
  11. In cases of particular urgency and non-deferrability that do not permit the convening of the Supervisor in due time, the chairman may adopt the measures within the authority of the body, which shall cease to have effect from the moment of their adoption if they are not ratified by the Supervisor at the first useful meeting, to be convened no later than the thirtieth day. (source) GPDP Doc-Web 1098801 <https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1098801> (2023-04-01取得)
  12. to impose a temporary or definitive limitation including a ban on processing;
  13. Each supervisory authority shall have all of the following investigative powers:
  14. GDPR
  15. Powers
  16. non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
  17. GDPR
  18. Right to an effective judicial remedy against a supervisory authority[/note} of the Regulation, as well as Article 152 of the Code18Judicial Authorities <https://www.privacy.it/archivio/privacycode-en.html#sect152>
  19. Disputes concerning the application of provisions on the protection of personal data<https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2011-09-21&atto.codiceRedazionale=011G0192&atto.articolo.numero=10&atto.articolo.sottoArticolo=1&atto.articolo.sottoArticolo1=10&qId=&tabID=0.40833022283574905&title=lbl.dettaglioAtto>