News
AI, ChatGPT and the EDPB: Regulatory Insights from Taskforce Report
Report on ChatGPT outlines European data protection regulator's preliminary views and early indicators about the direction of regulatory travel regarding the co-existence of GDPR and Artificial Intelligence / EU AI Act.
1. Introduction
On 23 May 2024, the European Data Protection Board ("EDPB") published a report ("Report") on the work undertaken by its ChatGPT Taskforce ("Taskforce"), comprising each EU supervisory authority ("SA"). The Report is the first official document from the EDPB setting out its 'preliminary views' regarding the interplay between the General Data Protection Regulation ("GDPR") and artificial intelligence ("AI"), including the EU AI Act.
While the Report focuses on the various (ongoing) SA GDPR investigations into OpenAI's ChatGPT large language model ("LLM"), it gives early indicators about the EDPB's direction of regulation regarding the co-existence of these two areas of law. It offers valuable insights for businesses acting as controllers of personal data, whether as a deployer or developer of an AI system.
The Report also includes a questionnaire which such controllers may consider useful when looking to ensure compliance with the GDPR (e.g. by way of a checklist).
2. Background to the Report
In November 2022, OpenAI OpCo, LLC ("OpenAI") launched its trailblazing ChatGPT LLM. ChatGPT rapidly grew, amassing a reported 1 million users in just 5 days from being made available and now has around 180.5 million users.
However, at the time of launching, ChatGPT did not meet the requirements of the GDPR. This led the Italian SA and several other SAs to initiate their own investigations under Article 58(1)(a) GDPR.
The Taskforce was established to: (a) foster coordination; (b) exchange information; and (c) establish a common approach to the SAs' investigations into ChatGPT. At the time, OpenAI had no establishment in the EU, meaning the GDPR's "one-stop-shop" consistency mechanism did not apply.
On 15 February 2024, OpenAI established OpenAI Ireland Limited, making the Data Protection Commission of Ireland its lead SA for cross-border investigations and complaints under the GDPR. Nonetheless, several SAs have open investigations (that pre-date February 2024), and which have yet to conclude.
The Report covers the period of investigations between November 2022 and February 2024.
3. What's in the Report? 'Preliminary views'
The Report outlines the EDPB's 'preliminary views' on key areas of the GDPR, namely: lawfulness, fairness, accuracy, transparency and data subject rights.
(1) Lawfulness
A fundamental aspect of the GDPR is that to process any personal data, a controller must have a legal basis to do so. This relates to the GDPR's principle of lawfulness to process personal data. In assessing the legal basis for processing, the Report breaks down the different stages of processing by ChatGPT's LLM during its lifecycle:
- Collection of training data; pre-processing of data; and training; and
- Input data/prompts and output data; and training ChatGPT with prompts.
Legitimate interests & appropriate safeguards
The Report focuses on OpenAI's reliance on the legal basis that processing is necessary for the purposes of its legitimate interests (Article 6(1)(f) GDPR) at the various stages above. The EDPB emphasises the associated compliance obligations on controllers to rely on this legal basis, reiterating the requirement to conduct a legitimate interest assessment documenting: (i) the identified legitimate interest(s); (ii) the necessity of pursuing the legitimate interest(s); and (iii) the balancing of individual rights with the interests of the controller.
Importantly, the Report outlines that adequate safeguards play a 'special role' in reducing the undue impact of processing on data subjects, thereby shifting the balancing test in favour of the controller.
The Report includes four examples of adequate safeguards, by way of privacy-enhancing techniques, for controllers to consider:
(i) defining precise collection criteria;
(ii) ensuring certain data categories are not collected;
(iii) ensuring certain sources are excluded from data collection (e.g. public social media profiles); and
(iv) measures to delete or anonymise personal data (including special category data) which have been collected via web-scraping before and after the training stage.
The Report acknowledges that, where large amounts of personal data are being collected, it is not possible to conduct a 'case-by-case examination' of each dataset. However, appropriate safeguards must be implemented to meet the requirements of the GDPR.
The Report notes that under the GDPR, the controller, here OpenAI, bears the burden of proof for demonstrating the effectiveness of the chosen measures.
(b) Data accuracy – hallucinations versus fact, users must understand the difference
The Report distinguishes between input data (prompts) and output data regarding the GDPR's data accuracy principle. It acknowledges that the purpose of processing for ChatGPT is not to provide accurate information but to train the LLM. For the EDPB, the concern is that output data generated by ChatGPT may be biased or "made up" (e.g., AI hallucinations and deep fakes), yet end users may mistakenly treat it as factual.
To address this risk of misinterpretation, the Report indicates that ChatGPT is held to a particularly high standard and must provide 'proper information' on the probabilistic nature of the output data and its limited level of reliability. This includes expressly informing individuals that output data may be biased or 'made up'. However, according to the EDPB, this is not sufficient to comply with the data accuracy principle under the GDPR.
(c) Fairness - responsibility for ensuring GDPR compliance should not be transferred to data subjects
The principle of fairness is another crucial aspect of GDPR compliance when it comes to the AI and data protection interplay. This is due to the potential for bias and discrimination. The Report emphasises that personal data must not be processed in a manner that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to individuals.
The EDPB outlines a 'crucial aspect' of compliance with this principle is the responsibility for ensuring compliance with the GDPR should not be transferred from a controller to end users. The Report essentially prohibits a controller from including a clause in the terms and conditions of use that data subjects are responsible for their chat inputs. While OpenAI has implemented measures to address this issue, the Report makes it clear that it is ultimately responsible for complying with the GDPR.
(d) Transparency – information obligations must be followed, potential exemption for indirect collection of personal data
The Report gives limited attention to the GDPR's principle of transparency. However, in the context of web-scraped data, it acknowledges that Article 14(5)(b) GDPR may be relied on by controllers subject to its requirements being met. This article is an exemption to providing transparency information (by way of a privacy notice) to individuals where personal data are indirectly collected from them, and the provision of transparency information 'proves impossible or would involve a disproportionate effort'.
The Report further provides that where personal data collected via prompts will be used to train the LLM, individuals must be informed of such processing in accordance with Article 13 of GDPR.
(e) Data Subject Rights – end users must be able to exercise their fundamental rights
The Report emphasises the importance of data subjects being able to exercise their rights under the GDPR. It acknowledges the methods by which a data subject can exercise their GDPR rights with OpenAI, but that it must continue to improve on these methods. For example, OpenAI encourages end users to exercise their right of erasure rather than rectification due to the technical challenges associated with the development and operation of its LLMs. However, the Report merely scratches the surface of this complex area of GDPR obligations.
4. Conclusion
Overall, the Report provides early indicators of the EDPB's approach and expected standards of compliance when it comes to the interplay between the GDPR and AI (namely, LLMs). As expected, full compliance with the GDPR is the regulatory approach the EDPB appears to be taking.
The overarching takeaway from the Report is that controllers such as OpenAI must comply with the GDPR and demonstrate compliance with its accountability legal framework. While there is no acknowledgement regarding the opportunities LLMs and other types of AI present to society, nor the GDPR's technology neutrality (Recital 15), expectations are high for these issues to be addressed in the EDPB's imminent guidance on the interplay between the GDPR and the AI Act.
The Report is not formal guidance but can be used as a starting framework for AI developers and deployers to comply with the GDPR and prepare to comply with the EU AI Act. The questionnaire in the Annex of the Report is of particular note in that regard.
The EDPB still needs to address many issues for businesses regarding the interplay between the GDPR, the EU AI Act, and the co-existence of these legal regimes.
Article provided by INPLP members: Leo Moore and Rachel Hayes (William Fry, Ireland)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010