The Italian Data Protection Authority says stop to Chat GPT in Italy

This particularly sophisticated platform pursues the specific aim of enabling users to interact easily with GPT-3, the third Generative Pretrained Transformer (GPT) model of OpenAI released in 2020. 

In detail, Chat GPT, based on an artificial intelligence system using deep learning, is able to process and create human-like material and textual documents, and manage further activities. 

Underlying the operation of Chat GPT is a technology directed at natural language processing, Natural Language Processing (NLP), which focuses on programming computers to create and analyze large amounts of natural language data. 

Consequently, through the use of specific algorithms called “machine learning”, NLP technology enables Chat GPT to understand every nuance of human language and to produce, classify and organize documents.

On 20 March 2023, the Italian Authority announced that Chat GPT had been the victim of a data breach “involving access to users conversations and payment information of paid service subscribers”.  

Following the first investigations carried out by the Italian Data Protection Authority against Chat GPT, several privacy-related failings emerged, such as the failure to provide users and data subjects with a specific privacy notice and the collection and processing, in large quantities, of personal data for the purpose of feeding the algorithms that allow the platform to function in the absence of a suitable legal basis. 

In addition, the verifications carried out revealed that the processing of personal data of the data subjects was inaccurate, as the information provided by Chat GPT often did not correspond to the actual data.

Finally, contrary to the terms and conditions published by OpenAI L.L.C., despite the fact that the service is only available to users who are 13 years of age or older, no tools and filters aimed at verifying age have been employed by the company.

Based on the above, the Italian Authority found a violation of Articles 5, 6, 8, 13 and 25 of the GDPR and ordered the provisional restriction of the processing of personal data, pursuant to Article 58, par. 2, lett. f) of the GDPR. 

On 4 April 2023, the Italian Data Protection Authority announced a meeting, via videoconference, with representatives of OpenAI L.L.C. On 6 and 7 April 2023, OpenAI L.L.C. broadly confirmed to the Italian Authority its willingness to cooperate in order to remedy the critical aspects found against Chat GPT. 

Having acquired the information and the availability of OpenAI L.L.C., the Italian Authority pointed out that, although technological innovation is an indispensable element of our civil society, respect for the rights and freedoms of all European subjects is a pillar of fundamental importance, which cannot be disregarded.

As things stand, the Italian Data Protection Authority has ruled that OpenAI L.L.C. will have until 30 April 2023 to comply with the requirements imposed on the company and, in the event that the reasons for urgency no longer apply, the Italian Authority has agreed to suspend the temporary data processing restriction ordered on Chat GPT. 

Consequently, by the aforementioned date, OpenAI L.L.C. will be called upon to adopt a series of concrete and corrective measures.