OpenAI is currently under investigation by Poland’s Personal Data Protection Office (UODO) in response to a complaint filed against ChatGPT. The complaint, whose source remains confidential, alleges that OpenAI has handled data in a manner deemed “unlawful and unreliable,” raising transparency concerns about data collection and processing.
Jan Nowak, the President of the Data Protection Office, pointed out that this isn’t the first time that ChatGPT’s compliance with European data protection and privacy principles has come into question.
Specifically, the complaint highlights allegations that ChatGPT generated false information about the complainant, and OpenAI did not adequately address their requests related to the European General Data Protection Regulation (GDPR). Nevertheless, the legal proceedings against OpenAI could pose challenges due to its status as a company based outside the European Union.
Nowak explained that the case involves multiple violations of personal data protection provisions, prompting UODO to seek answers from OpenAI to facilitate comprehensive administrative proceedings.
Jakub Groszkowski, Deputy President of UODO, expressed concerns about OpenAI’s adherence to European data protection principles, particularly the GDPR’s privacy by design principle. The investigation aims to address these doubts.
This isn’t the first time OpenAI has faced scrutiny related to GDPR compliance in Europe. In March, Italian data protection authorities temporarily halted the ChatGPT chatbot and initiated an investigation due to suspected data privacy breaches. Italian authorities also noted a lack of transparency regarding data collected by OpenAI.
In April, German regulators sought clarification regarding OpenAI’s commitment and capacity to comply with the stringent data privacy laws outlined in the EU’s GDPR. Additionally, the European Data Protection Board established a specialized working group focused on OpenAI during the same month. OpenAI’s practices are under increasing scrutiny in Europe as authorities seek to ensure compliance with the region’s data protection regulations.