OpenAI is currently dealing with a new privacy complaint in Europe, centered on its AI chatbot, ChatGPT, which is known for generating inaccurate information. This situation poses a challenge that regulators may find difficult to overlook.
The privacy rights advocacy group Noyb is backing a case in Norway, where an individual found that ChatGPT falsely claimed he had been convicted of murdering two children and attempting to kill a third. Previous privacy complaints against ChatGPT have involved errors such as incorrect birth dates or mistaken biographical details. A significant concern is that OpenAI does not provide a method for individuals to correct false information generated by the AI, although typically, OpenAI has offered to block responses to such prompts. Under the European Union’s General Data Protection Regulation (GDPR), Europeans have rights that include the correction of personal data.
The GDPR also mandates that data controllers ensure the accuracy of personal data they produce, which is a point Noyb emphasizes in its complaint. Joakim Söderberg, a data protection lawyer at Noyb, stated that GDPR requires personal data to be accurate and that users have the right to correct inaccuracies. He criticized the insufficiency of disclaimers warning users that the AI might make mistakes and emphasized that simply adding a disclaimer does not absolve OpenAI from its obligations under the GDPR.
Confirmed GDPR breaches can result in fines of up to 4% of global annual turnover, and enforcement could lead to changes in AI products. For instance, after an intervention by Italy’s data protection authority in early 2023, which temporarily blocked ChatGPT in the country, OpenAI adjusted the information it provides to users. As a consequence, OpenAI was fined €15 million for processing people’s data without a proper legal basis.
Since then, European privacy regulators have adopted a more cautious stance regarding Generative AI tools, striving to determine the appropriate application of the GDPR. Two years ago, Ireland’s Data Protection Commission advised against a hasty ban on Generative AI tools, signaling the importance of understanding how the law applies.
A privacy complaint against ChatGPT, under investigation by Poland’s data protection authority since September 2023, has not yet reached a decision. Noyb’s new complaint aims to alert privacy regulators to the dangers of AI-generated false information.
Noyb provided TechCrunch with a screenshot showing ChatGPT generating a fabricated story about Arve Hjalmar Holmen, claiming he was convicted of child murder. While the defamatory claim was entirely false, some factual elements were correctly identified by the AI, such as the number and genders of Holmen’s children and his hometown. A spokesperson for Noyb revealed that they could not determine why the AI created such a specific yet false narrative about Holmen.
Large language models like the one powering ChatGPT predict subsequent words on a large scale, potentially influenced by datasets containing stories of similar nature, which may have influenced ChatGPT’s incorrect response. Regardless of the reason, such outputs are considered unacceptable and possibly unlawful under EU data protection rules. Although OpenAI includes a disclaimer on ChatGPT, Noyb argues that this is insufficient to meet GDPR requirements.
Despite the specific case of Hjalmar Holmen undergoing changes following an update to ChatGPT’s underlying AI model, both Holmen and Noyb worry about the lingering presence of incorrect information within the AI model. Kleanthi Sardeli, another data protection lawyer at Noyb, emphasized that adding a disclaimer doesn’t negate compliance requirements, and AI companies cannot merely hide false information while still processing it internally.
Noyb lodged its complaint with Norway’s data protection authority, hoping it would assert jurisdiction, as the complaint targets OpenAI’s U.S. entity, claiming that its Ireland office is not solely accountable for decisions affecting Europeans. However, an earlier Noyb-supported GDPR complaint against OpenAI, filed in Austria, was transferred to Ireland’s Data Protection Commission due to OpenAI’s structural changes.
Currently, the complaint is being processed in Ireland, with no clear timeline for the investigation’s completion, as confirmed by Risteard Byrne from the DPC.
