Italy's personal data protection authority has notified OpenAI of GDPR violation, potentially imposing a fine of up to 4% of global annual sales or 3.2 billion yen

Italy's Personal Data Protection Authority (DPA) has notified OpenAI, which develops services such as ChatGPT, of a violation of the General Data Protection Regulation (GDPR). OpenAI could be fined up to 4% of its global annual sales or 20 million euros (approximately 3.2 billion yen).

ChatGPT: Garante privacy, notificato a OpenAI l'atto di contestazione... - Garante Privacy
https://gpdp.it/home/docweb/-/docweb-display/docweb/9978020

ChatGPT is violating Europe's privacy laws, Italian DPA tells OpenAI | TechCrunch
https://techcrunch.com/2024/01/29/chatgpt-italy-gdpr-notification/

On March 31, 2023, the Italian Personal Data Protection Authority announced to OpenAI that there were ``concerns that ChatGPT is illegally processing user data'' and ordered OpenAI to restrict access to ChatGPT from Italy. I have given the order to block you.

OpenAI blocks access to ChatGPT from Italy - GIGAZINE

After that, OpenAI introduced a personal information deletion form and user age verification as required by regulators, and resumed providing ChatGPT services in Italy at the end of April 2023.

ChatGPT revives from blocking measures in Italy, clarifies training data collection and usage methods, adds personal information deletion form, etc. - GIGAZINE

Although service provision has resumed, the investigation into the GDPR violation continues, and on January 29, 2024, the Italian Personal Data Protection Authority told OpenAI, ``Based on the investigation results, the obtained evidence confirms the existence of a GDPR violation.'' ``We have concluded that it shows.''

Although specific findings have not been made public, OpenAI said in an interview with TechCrunch, ``We believe our practices comply with GDPR and other privacy laws, and we believe that people's data and privacy are We want our AI to learn about the world, not individuals. We're taking additional steps to reduce personal data when training systems like ChatGPT. 'We are proactive and will also refuse requests for personal or sensitive information about people. We will continue to work constructively with personal data protection authorities.'

Furthermore, the details of which GDPR items are being violated are not disclosed at the time of writing, but TechCrunch has stated that ``a large amount of data collected from the public internet used for ChatGPT training was not disclosed to EU citizens.'' 'The problem is that there is no legal basis necessary to process this data.'

ChatGPT's ``OpenAI'', which may have been trained without user consent, faces legal problems in the EU, which emphasizes strict privacy laws, and experts say ``complying with the rules is next to impossible'' - GIGAZINE

At the time of this 'Notification of GDPR Violation,' no formal violation has been established, and OpenAI can file a counterclaim within 30 days. A formal decision will be made after OpenAI responds, and if a GDPR violation is established, a fine of up to 4% of annual global sales or 20 million euros (approximately 3.2 billion yen), whichever is higher, will be imposed. may be.