Maris Butans

Senior Manager, PwC Legal

Artificial intelligence (AI) has recently aroused interest in most people. Some are depicting end-of-the-world scenes with AI taking over people’s jobs and later ruling the whole world. Others believe there is no reason to fear AI tools. As always, the truth lies somewhere in between. One of the most popular AI tools today is ChatGPT, which everyone can try out and see what it’s capable of, as we wrote in our recent Flash News. But why are the data protection authorities of European countries beginning to raise the alarm?

What are the criticisms?

The first body to react to ChatGPT was the Italian data protection authority, which imposed a temporary ban in late March on OpenAI LP, the US-based company that is developing ChatGPT, to stop it processing personal data in Italy. The Italian authority’s main objections were as follows:

1. The age of ChatGPT users is not verified, so personal data of minors might be processed.
2. ChatGPT users are not receiving sufficient information about their personal data processing.
3. There are no lawful grounds for processing personal data to such an extent in order to teach the AI tool to generate answers.

After attracting some harsh criticism, the Italian data protection authority in mid-April offered ChatGPT a list of recommendations that OpenAI LP should implement to have ChatGPT running in Italy again. These include the recommendation that OpenAI LP should draw up an informational statement of user data processing and adopt measures allowing the data subjects to exercise the rights of data subjects prescribed by the General Data Protection Regulation, the call for using the consent of users as the legal basis for personal data processing, and the suggestion that OpenAI LP should set up a tool for checking the user’s age during registration. OpenAI LP has yet to answer whether it plans to adopt any of these measures.

The data protection authorities of other countries soon followed Italy’s example. The French data authority has launched an investigation after receiving several complaints from data subjects about incorrect processing of their personal data by ChatGPT. Spanish and Canadian data protection authorities are conducting a preliminary investigation into the lawfulness of ChatGPT’s user data processing. The authorities of several countries have been in touch with the Italian data authority to understand the next steps.

We would like to believe that the personal data processing aspect will not stand in the way of AI innovation and will not slow down the development in this space. Since ChatGPT is available not only in the countries that have raised the alarm about potential breaches of personal data processing, a joint response would be needed at EU level.

What action has Europe taken?

The European Data Protection Board has set up a working group to encourage communication between the EU data protection authorities about potential breaches in ChatGPT’s user data processing. However, the European Data Protection Board has yet to announce any steps it plans to take in this regard.

Overall, the regulation of AI is not entirely neglected at EU level. In 2021 we wrote about a draft AI Regulation that will be the first enactment in Europe to govern AI matters. In late 2022 the European Commission presented a draft Regulation on AI non-contractual liability rules, which together with the draft AI Regulation and AI product security rules will represent a framework for distributing AI systems on the EU market. So, lawful solutions are now being sought to ensure that personal data processing and other aspects do not hinder the development of the AI products market.

How should businesses react?

These data processing risks do not mean that companies should stop using ChatGPT or other AI products. This use can certainly continue because it helps these generative AI products learn. Yet we recommend exercising caution in handling your and your clients’ personal data to protect confidentiality.

As ChatGPT is being developed by a US-based company, we can now predict certain risks if any of the personal data being processed by ChatGPT is sent to the US. Currently everything suggests that the European Data Protection Board will agree with the opinion that standard clauses are not enough when it comes to sending personal data to the US.

However, the purpose of regulating personal data processing has never been to slow down progress, so we recommend using AI products cautiously and believe that it’s possible to combine proper data processing with AI progress.