Are ChatGPT and Co. incompatible with the GDPR?
The Italian data protection authority recently announced a nationwide ban of the AI application ChatGPT due to privacy concerns, and German data protection authorities have initiated an investigation and sent a questionnaire to OpenAI. The Italian data protection authority has since lifted the ban and, in Germany as well, measures of this kind appear to be off the table for now. Nevertheless, a fundamental tension is evident between AI and data protection.
ChatGPT and Co.: fundamental privacy concerns?
The concerns expressed by the data protection authorities relate particularly to the questions as to whether the processing of personal data in ChatGPT is compatible with the fundamental principles of the GDPR, whether this processing rests on a valid legal basis and whether data subjects are adequately informed. The concerns expressed by the authorities are not new and are also applicable to other AI solutions which process personal data. Upon closer examination, it quickly becomes clear that use of AI raises considerable challenges in terms of data protection law if one holds to a strict interpretation of the GDPR:
- Accuracy of data processing

False information may have grave consequences for data subjects. For this reason, the GDPR generally provides that only factually accurate personal data may be processed, and that inaccurate personal data must be deleted or corrected without delay. But as things stand, when systems like ChatGPT are asked to formulate statements about specific people, the AI will frequently add in inaccurate information. This tendency, known as “hallucination,” therefore conflicts with the principle of accuracy in data processing. The GDPR also gives data subjects a right to rectification in cases involving the processing of inaccurate data.

- Legal basis: prohibition subject to approval

In accordance with the GDPR, all processing of personal data requires a legal basis. Accordingly, it is often asked whether personal data may be processed in connection with the training of AI systems. After all, this process involves “feeding” AI systems with large amounts of information which is publicly available online, such as websites, publications and journal articles, including the personal data they contain. Text and data mining is expressly permitted in accordance with § 44b(1) of the German Copyright Act. But in the absence of the data subject’s consent, the only possible legal basis for this processing is that of a legitimate interest. Whether the controller’s interest in processing the data outweighs the data subject’s interest in preventing it must be examined on a case-by-case basis: the data protection authorities and the courts have yet to form a conclusive assessment on this question.

- Transparent information

The GDPR requires those who process personal data to make the processing transparent for data subjects and notify them accordingly. This duty to notify data subjects applies in cases where personal data is collected from the data subject directly (Article 13 of the GDPR) as well as in cases where personal data is collected from third parties (Article 14 of the GDPR). The notification must be transparent and comprehensible and must be conveyed in clear and simple language. AI solutions like ChatGPT face several challenges in this regard. Use of AI is highly technical, so that providing transparent and easily understandable information is a challenge for this reason alone. Moreover, the duty of notification generally includes data subjects whose data was used to train the system, even if they never interacted with the system at all. After discussions with the Italian data protection authority, OpenAI now provides much more extensive information about the processing of personal data and the functioning of ChatGPT.
Conformance of AI with data protection law
There is a potential conflict between data protection law and the “nature” of AI systems; after all, the much-vaunted “intelligence” of AI is based on the extensive processing of (personal) data. But it is also clear that permanently banning AI systems would be both unrealistic and unwise unless Europe wants to completely abandon the development of AI systems. Resolving conflicts involving the use of AI systems requires an interpretation of the GDPR which is tech- and innovation-friendly. Companies using AI systems would be well-advised to conduct a data protection impact assessment (DPIA) in each individual case. In our experience, it is easier to show that use of AI conformed to data protection law if the specific risks associated with this use, as well as suitable measures to address those risks, are well-documented.