Italian regulators imposed a ban on the generative AI tool ChatGPT. They gave its creator, OpenAI, 20 days to address concerns about the way data is collected and processed. If the concerns are not addressed, OpenAI could face fines of €20 million (about $21.7 million) or up to 4% of annual global turnover, whichever is greater.
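The "whichever is greater" rule means the effective cap scales with company size. A minimal sketch of that calculation (the revenue figures below are purely illustrative, not OpenAI's actual turnover):

```python
def max_gdpr_fine(annual_turnover_eur: float) -> float:
    """Upper bound of a GDPR Article 83(5) fine in euros:
    EUR 20 million or 4% of annual global turnover, whichever is greater."""
    return max(20_000_000, 0.04 * annual_turnover_eur)

# For a small firm, the flat EUR 20M cap dominates:
print(max_gdpr_fine(100_000_000))    # 20000000 (4% would be only EUR 4M)

# For a large firm, the 4% rule dominates:
print(max_gdpr_fine(2_000_000_000))  # 80000000.0 (4% of EUR 2B)
```

In practice, regulators set fines below this ceiling based on the severity and duration of the infringement; the formula only bounds the maximum exposure.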
There have been indications that other European regulators may follow suit. Reports suggest that France is conducting its own inquiry; Ireland has asked Italy for more details about the basis for the ban; and the German data commissioner has said that the same action could “in principle” be taken in Germany.
One fundamental challenge for large language models like ChatGPT is that under GDPR, there are only six lawful bases for processing personal data:

– Consent
– Performance of a contract
– Legitimate interest
– Vital interest
– Legal requirement
– Public interest
To the extent a large language model is being trained on data obtained without explicit consent, it’s by no means clear that any of these bases are applicable — unless, perhaps, one makes the bold assumption that the availability of AI solutions is in the public interest.
Another challenge is whether ChatGPT supports the “right to be forgotten.” Under GDPR, an individual can in certain circumstances request that their personal data be erased. ChatGPT is trained on very large sets of texts, and the question OpenAI might have to address is whether it even knows what personally identifiable information those sets contain, and whether it could erase that data on request.
Given the immense excitement created by the availability of ChatGPT and similar tools, it was perhaps too easy to overlook warnings emerging from the legal profession over the last few months that it could run afoul of European data regulations — regulations which, in many ways, have become a de facto global standard.