The tech industry was surprised to learn that on March 31, 2023, the Italian Personal Data Protection Authority (Garante per la Protezione dei Dati Personali), citing ongoing proceedings regarding GDPR violations, ordered OpenAI to immediately cease processing data on Italian citizens. As a result, users from that country were cut off from accessing the ChatGPT app. This case highlights the challenges of personal data protection faced by American companies offering their products and services to European consumers. It also raised concerns within the industry about the extent to which the European Union's legal system is supportive of the development of new technologies.
The Garante's decision was based on three allegations. The first was a leak on March 20, 2023, which resulted in the publication of user conversations and payment data. Furthermore, the Office was concerned that, despite the age restriction for users aged 13 and over included in its terms and conditions, the ChatGPT app lacked the tools to verify this information, thus collecting data from users who, under the law, are not permitted to provide consent. Furthermore, the bot had the ability to shape the awareness and views of children and adolescents using it. A direct competitor to OpenAI's product, Google's Bard app, offers its services only to verified users over the age of 18. The most significant accusation from the perspective of the future development of the industry seems to be the lack of a legal basis for "mass collection and storage of personal data for the purpose of training the algorithms behind the platform's operation." A finding during the proceedings that such action violates GDPR regulations could significantly limit the AI's ability to acquire data for program development and learn from user conversations. However, blocking access to ChatGPT in Italy is a temporary measure. OpenAI has 20 days to respond to the allegations. Otherwise, it faces a fine of up to €20,000,000 or 4% of its annual global revenue, whichever is greater.
Italy's decision was widely commented on by institutions in individual EU countries. The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, told the Hanselblatt daily that he was considering blocking access to ChatGPT in Germany as well. A similar comment was also issued by the same institution in Ireland. Should we therefore fear a repeat of this step in Poland? While such a possibility cannot be ruled out, it seems unlikely. Even within the European Union, reactions to the Garante's decision were not unequivocally positive. The Swedish data protection authority, IMY, stated that it was not in contact with the Italian authority and had no immediate plans to block access to ChatGPT. The Spanish AEPD, while not ruling out the possibility of initiating such an investigation in the future, also stated that it was not currently conducting proceedings against OpenAI. It is also worth mentioning that the Italian decision was very negatively commented on by the Polish Minister of Digital Affairs, Janusz Cieszyński, who wrote on Twitter that regulating the development of breakthrough technologies on a rymbał is an excellent way to ensure that technology develops everywhere, but not in Europe.
Nevertheless, the business community immediately took preventative measures to avoid the possibility of European Union bodies restricting user access to ChatGPT and similar products. The coalition of European startups, ONE23, appealed to the Swedish Presidency of the Council of the European Union for a less restrictive approach to artificial intelligence in terms of data protection, urging EU decision-makers to consider "preserving and even increasing the innovative capacity of EU companies" when creating legislation. This is particularly important in the context of the AI Act, being developed by Brussels from 2021, which aims to systemically regulate EU law on artificial intelligence. Concerns about tightening already very restrictive regulations are proportionally contributing to a slowdown in innovation – according to research conducted by ONE23, 16% of technology companies are considering suspending the development of AI projects or moving them outside of Europe.
With this in mind, the outrage over Italy's decision in the new technology industry certainly has some merit. Artificial intelligence, in particular, needs the broadest possible access to data, as this is precisely what helps it "learn" new information. Excessive restrictions in this regard could significantly hinder this. Nevertheless, it should be noted that difficulties in GDPR compliance by US companies are not a new phenomenon, let alone limited to the AI industry. As a result of the entry into force of EU data protection regulations, European users have been cut off from accessing a significant portion of American websites, including most local press. Furthermore, even corporate giants such as WeWork and McDonald's have already been fined for violating EU law. Therefore, restraint dictates that the assessment of this decision's justification, its reasons for doing so, as well as its future impact on the development of AI technology in the European Union, should be postponed until the conclusion of the ongoing proceedings in Italy.
This alert is for informational purposes only and does not constitute legal advice.
author:
