How Data Protection Authorities are De Facto Regulating Generative AI
The Istanbul Bar Association IT Law Commission published Dr. Gabriela Zanfir-Fortuna’s article, “How Data Protection Authorities are De Facto Regulating Generative AI,” in the August issue of its monthly AI Working Group Bulletin, “Law in the Age of Artificial Intelligence” (Yapay Zekâ Çağında Hukuk).
Generative AI took the world by storm in the past year, with services like ChatGPT becoming “the fastest growing consumer application in history.” For generative AI applications to be trained and to function, immense amounts of data, including personal data, are necessary. It should be no surprise that Data Protection Authorities (‘DPAs’) were the first regulators around the world to take action, from opening investigations to actually issuing orders suspending the services where they found breaches of data protection law.
Their concerns range from the lack of a justification (a lawful ground) for processing the personal data used to train the AI models; lack of transparency about the personal data used for training and about how the personal data collected while users interact with the AI service is used; lack of avenues to exercise data subject rights such as access, erasure, and objection; the impossibility of exercising the right to correct inaccurate personal data when it appears in the output generated by such AI services; insufficient data security measures; and unlawful processing of sensitive personal data and children’s data, to the failure to apply data protection by design and by default.
Global Overview of DPA Investigations into Generative AI
Defined broadly, DPAs are supervisory authorities vested with the power to enforce comprehensive data protection law in their jurisdictions. In the past six months, as the popularity of generative AI grew among consumers and businesses around the world, DPAs started opening investigations into how the providers of such services comply with the legal obligations governing how personal data are collected and used, as provided in their respective national data protection laws. Their efforts currently focus on OpenAI as the provider of ChatGPT. So far, only two of the investigations, in Italy and South Korea, have resulted in official enforcement action, albeit preliminary. Here is a list of known open investigations, their timeline, and key concerns:
- The Italian DPA (Garante) issued an emergency order on 30 March 2023, to block OpenAI from processing personal data of people in Italy. The Garante laid out several potential violations of provisions of the General Data Protection Regulation (‘GDPR’), including lawfulness, transparency, rights of the data subject, processing personal data of children, and data protection by design and by default. It lifted the prohibition a month later, after OpenAI announced changes as required by the DPA. An investigation on substance is still ongoing.
- In the aftermath of the Italian order, the European Data Protection Board created a task force to “foster cooperation and exchange information” in relation to handling complaints and investigations into OpenAI and ChatGPT at EU level, on 13 April 2023.
- The Office of the Privacy Commissioner (OPC) of Canada announced on 4 April 2023 that it had launched an investigation into ChatGPT following a complaint that the service is processing personal data without consent. On 25 May, the OPC announced that it will investigate ChatGPT jointly with the provincial privacy authorities of British Columbia, Quebec, and Alberta, expanding the investigation to also look into whether OpenAI has respected obligations related to openness and transparency, access, accuracy, and accountability, as well as purpose limitation.
- The Ibero-American Network of DPAs, which brings together supervisory authorities from 21 Spanish- and Portuguese-speaking countries in Latin America and Europe, announced on 8 May 2023 that it had initiated a coordinated action in relation to ChatGPT.
- Japan’s Personal Information Protection Commission (PPC) published a warning issued to OpenAI on 1 June 2023, highlighting that it should not collect sensitive personal data from users of ChatGPT or other persons without obtaining consent, and that it should give notice in Japanese about the purpose for which it collects personal data from users and non-users.
- The Brazilian DPA announced on 27 July 2023 that it had started an investigation into how ChatGPT is complying with the Lei Geral de Proteção de Dados (LGPD), after receiving a complaint and after media reports arguing that the service as provided is not compliant with the country’s comprehensive data protection law.
- The US Federal Trade Commission (FTC) opened an investigation into ChatGPT in July 2023 to determine whether its provider has engaged in “unfair or deceptive privacy or data security practices or engaged in unfair or deceptive practices relating to risks of harm to consumers” in violation of Section 5 of the FTC Act.
- The South Korean Personal Information Protection Commission (PIPC) announced on 27 July 2023 that it imposed an administrative fine of 3.6 million KRW (approximately 3,000 USD) against OpenAI for failure to notify a data breach in relation to its payment procedure. At the same time, the PIPC issued a list of instances of non-compliance with the country’s Personal Information Protection Act related to transparency, lawful grounds for processing (absence of consent), lack of clarity related to the controller-processor relationship, and issues related to the absence of parental consent for children younger than 14. The PIPC gave OpenAI a month and a half, until 15 September 2023, to bring the processing of personal data into compliance.
This survey of investigations into how a generative AI service provider is complying with data protection law in jurisdictions around the world reveals significant commonalities among the legal obligations involved and how they apply to the processing of personal data through this new technology. There is also overlap among the concerns that DPAs have about generative AI’s impact on people’s rights in relation to their personal data. This provides good ground for collaboration and coordination among supervisory authorities as regulators of generative AI.
G7 DPAs Issue Statement on Generative AI, Distilling Key Data Protection Concerns Across Jurisdictions
In this spirit, the DPAs of the G7 members adopted in Tokyo, on 21 June 2023, a Statement on generative AI that lays out their key areas of concern related to how the technology processes personal data. The Commissioners opened their statement by acknowledging that “there are growing concerns that generative AI may present risks and potential harms to privacy, data protection, and other fundamental human rights if not properly developed and regulated.”
The key areas of concern highlighted in the Statement cover the use of personal data at the various stages of developing and deploying AI systems, with a focus on the datasets used to train, validate, and test generative AI models, on individuals’ interactions with generative AI tools, and on the content generated by them. For each of these stages, the issue of a lawful ground for processing was raised. Security safeguards against inverting a generative AI model to extract or reproduce personal data originally processed in the datasets used to train it were also listed as a key area of concern, as were mitigation and monitoring measures to ensure that personal data generated through such tools are accurate, complete, and up-to-date, and free from discriminatory, unlawful, or otherwise unjustifiable effects.
Other areas of concern mentioned were transparency to promote openness and explainability; production of technical documentation across the AI development lifecycle; technical and organizational measures in the application of the rights of individuals such as access, erasure, correction, and the right not to be subject to solely automated decision-making that has a significant effect on the individual; accountability measures to ensure appropriate levels of responsibility across the AI supply chain; and limiting collection of personal data to what is necessary to fulfill a specified task.
A key recommendation spelled out in the Statement, but also emerging from the investigations above, is for developers and providers to embed privacy in the design, conception, operation, and management of new products and services that use generative AI technologies, and to document their choices in a Data Protection Impact Assessment.