Report: OpenAI Faces New Complaint Regarding GDPR Compliance

OpenAI is reportedly facing a complaint filed with the Polish data protection authority that raises concerns about the company’s compliance with the European Union’s General Data Protection Regulation (GDPR).

The complaint alleges that the ChatGPT creator is in breach of several dimensions of the GDPR, including lawful basis, transparency, fairness, data access rights and privacy by design, TechCrunch reported Wednesday (Aug. 30).

OpenAI did not immediately reply to PYMNTS’ request for comment.

The complaint argues that OpenAI’s approach to developing and operating ChatGPT is a systematic violation of the GDPR, according to the report. It suggests that the company failed to conduct a proactive assessment and engage with local regulators before launching the AI chatbot in Europe.

The complaint filed with the Polish data protection authority is the work of Lukasz Olejnik, a security and privacy researcher, who became concerned after using ChatGPT to generate a biography of himself and finding inaccuracies in the text, the report said.

Olejnik contacted OpenAI to point out the errors and request the correction of the inaccurate information. While OpenAI provided some information in response to the request, the complaint argues that the company failed to produce all the required information, including details about its processing of personal data for AI model training.

Under the GDPR, data controllers must have a valid legal basis for processing personal data and must communicate this basis transparently, per the report. The complaint asserts that OpenAI processed personal data unlawfully, unfairly and in a non-transparent manner.

Another aspect of the complaint charges that OpenAI failed to rectify inaccuracies generated by ChatGPT when asked, according to the report. The GDPR grants individuals the right to correct their personal data, but the complaint argues that OpenAI ignored this and was unable to correct the processed data.

The complaint also alleges that OpenAI violated the GDPR’s principle of data protection by design and default, the report said. It argues that the design of ChatGPT, along with the previously mentioned violations, contradicts the principle of data protection by design.

The Polish data protection authority is expected to investigate the complaint, which could take several months to years, per the report.

OpenAI was briefly outlawed in Italy, beginning in March, after that country’s data protection authority announced a probe of the chatbot’s alleged breach of the GDPR privacy rules and age-verification practices. A month later, in April, OpenAI said ChatGPT was again available in Italy after the company had fulfilled the data protection authority’s demands.