The Italian data protection authority (DPA) has notified OpenAI, maker of ChatGPT, of alleged violations of privacy laws in the region.
“The available evidence highlighted the existence of violations of the provisions contained in the EU GDPR [General Data Protection Regulation],” the Guarantor for the protection of personal data (aka the Guarantor) said in a statement on Monday.
It further said that it “will take into account the ongoing work within the ad hoc task force established by the European Data Protection Framework (EDPB) in its final decision on the case.”
The development comes nearly 10 months after the regulator imposed a temporary ban on ChatGPT in the country, weeks after which OpenAI announced a series of privacy controls, including an opt-out form to remove one’s personal data from the processing by the large language model (LLM). Access to the tool was subsequently restored in late April 2023.
Italy’s data protection authority said the latest findings, which have not been made public, were the result of a several-month investigation that started at the same time. OpenAI was given 30 days to respond to the allegations.
The BBC reported that the transgressions are linked to the collection of personal data and age enforcement. OpenAI, on its help page, states that “ChatGPT is not intended for children under the age of 13, and we require that children between the ages of 13 and 18 obtain parental consent before using ChatGPT.”
But there are also fears that sensitive information could be exposed as well as younger users being exposed to inappropriate content generated by the chatbot.
In March 2023, OpenAI recognized a software glitch that had caused the chatbot to show headlines from other users’ conversation history to a small percentage of users, and in December, the company rolled out a patch to fix another issue that could have allowed a GPT malicious habit to exfiltrate chat data to an external server.
Then, in September 2023, Google’s Bard chatbot was discovered to have a bug in the sharing feature that allowed private chats to be indexed by Google search, inadvertently exposing sensitive information that may have been shared in conversations.
Similar adversarial prompt data injection and exfiltration attacks have also been demonstrated against Bing Chat, Anthropic Claude, and Amazon Q for Business over the past year.
Generative AI tools like ChatGPT, Bard, and Claude rely on feeding large amounts of data from multiple sources across the Internet.
In a statement shared with TechCrunch, OpenAI said that “its practices are aligned with GDPR and other privacy laws, and we take additional steps to protect people’s data and privacy.”
Apple warns against proposed UK law
The development comes as Apple said it was “deeply concerned” about proposed amendments to the UK’s Investigatory Powers Act (IPA) that could give the government unprecedented power to “covertly veto” privacy updates and on the safety of its products and services.
“This is an unprecedented government overreach and, if implemented, the UK could attempt to covertly veto new user protections globally by preventing us from offering them to customers,” the tech giant told the BBC.
The UK Home Office has said that the adoption of secure communications technologies, including end-to-end encryption, cannot be at the expense of public safety and the protection of the nation from pedophiles and terrorists.
The changes aim to improve the ability of intelligence services to “respond with greater agility and speed to existing and emerging threats to national security”.
Specifically, they require tech companies responding to government data requests to notify the UK government of any technical changes that could affect their “existing lawful access capabilities.”
“A key factor for this amendment is to give operational partners time to understand the change and adapt their investigative techniques where necessary, which in some circumstances may be all that is needed to maintain lawful access,” the government notes in a briefing note, adding “it does not give the Secretary of State the power to approve or reject technical changes.”
Apple, in July 2023, said it would rather stop offering iMessage and FaceTime services in the UK than compromise users’ privacy and security.