It was only a matter of time before the Guarantor for the protection of personal data intervened. In the end, the investigation started in March 2023 ended with a provision as clear as it was severe: a fine of 15 million euros for OpenAI, responsible for the management of ChatGPT, and the obligation to carry out an information campaign lasting six months.
But let’s take a step back. It all stems from a fundamental problem: the non-transparent use of personal data by the famous generative artificial intelligence chatbot.
According to the Guarantor, OpenAI did not notify a data breach that occurred in March 2023, a basic operation under the GDPR. Not only that: personal data was used to train the chatbot without a solid legal basis and without properly informing users. The icing on the cake? The absence of systems to verify the age of users has also exposed children under 13 to answers that may be inadequate in relation to their maturity.
The communication campaign: a step towards transparency
And now OpenAI will have to deal with something more than just a fine. The Guarantor, using for the first time the powers provided for by article 166, paragraph 7 of the Privacy Code, has imposed a six-month institutional communication campaign. A real awareness-raising operation, which will have to pass through radio, TV, newspapers and the internet.
The goal? To clearly inform the public about how ChatGPT handles personal data. Users, and even those who do not use the service, will need to know how data is collected, for what purpose and what rights they can exercise, such as rectification, erasure and objection to processing.
It's not just a matter of patching things up, but of rebuilding a relationship of trust with the public. As the Guarantor itself stated, this campaign is fundamental to guarantee that interested parties are truly able to oppose the use of their data in the training of generative artificial intelligence.
The maxi-fine and the transfer of the documents to Ireland
The fine, which amounts to 15 million euros, is certainly not a symbolic figure, but still takes into account the collaboration demonstrated by OpenAI during the investigation. However, there is another issue to take into account.
In the course of the investigation, OpenAI established its European headquarters in Ireland, so the Guarantor had to transmit the documents of the proceedings to the Irish Authority for the protection of personal data (DPC), as required by the one-stop-shop principle. The DPC will now continue the investigation to verify whether there have been other violations of a continuous nature.