OpenAI issued list to lift Italian ChatGPT ban, EDPB launches task force

The ongoing news story about the legality of Open AI's ChatGPT in the European Union continues:

Wednesday, 5 April: 

• Le Monde reports that the French data protection authority (DPA), the CNIL, has received two complaints concerning personal data use by ChatGPT. 

Thursday, 6 April: 

• Reuters reports ChatGPT developer Open AI has confirmed it will propose remedies to the Italian DPA, the Garante, to assuage their concerns that led to a ban on the generative artificial intelligence (AI) tool. The proposal will include a justification of its legal basis for processing and outline its plan for greater transparency. 

Monday, 10 April: 

• Politico summarised the EU data protection issues ChatGPT is facing. In the article, Gabriela Zanfir-Fortuna, of the Future of Privacy Forum said: “Data protection regulators are slowly realizing that they are AI regulators."

Tuesday, 11 April: 

• Reuters confirmed that the Spanish DPA, the AEPD, has asked the European Data Protection Board (EDPB) to evaluate the technology's privacy concerns during its next plenary meeting. An emailed statement said: "The AEPD understands that global processing operations that may have a significant impact on the rights of individuals require coordinated decisions at European level." The EDPB responded by saying that it does share information about meetings.

Thursday, 13 April: 

• The Italian DPA issued a press release outlining a series of actions Open AI will need to do to lift the temporary ban imposed by the DPA. An extract from the press release says: "OpenAI will have until April 30th to fulfill the requirements imposed by the Guarantor for the protection of personal data regarding information, rights of interested parties, users and non-users, legal basis of the processing of personal data for the training of algorithms with data from users. Only then, failing the reasons for urgency, will the Authority suspend the provision for the temporary limitation of the processing of data of Italian users taken against the US company and ChatGPT will be able to become accessible from Italy again."
• A Twitter thread posted by Robert Bateman summarises and discusses the list of requirements. In the comments are links to two relevant articles: 
  • David Libeau linked to a blog article discussing how ChatGPT will probably never comply with GDPR. 
  • Aleksandr Tiulkanov posted a LinkedIn post outlining practical steps AI providers can take, which included implementing a notice and takedown procedure. "Providers of AI chatbots and similar generative AI systems should establish a policy and a working procedure to enable the collection and prompt execution of public requests for filtering out defamatory and other objectionable information from AI system outputs. Failure to establish or promptly follow such procedures is an actual legal and reputational risk."
• Meanwhile, the European Data Protection Board (EDPB) confirmed it discussed the Italian DPA's ChatGPT ban during its April plenary session and has launched a dedicated task force to "foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities."  
• In her weekly review of the privacy developments in Brussels, IAPP Managing Director, Europe, Isabelle Roccia, writes about the two significant topics on the EDPB's agenda this week, namely ChatGPT and Meta US data transfers. On the former, Roccia notes how DPAs have seized on ChatGPT to test the extent to which the "existing legal framework applicable to AI in Europe is robust enough to empower regulators."

(Translate to English: Google Chrome, Mozilla Firefox, or Microsoft Edge)