EDPB Taskforce Report Highlights GDPR Compliance Issues for ChatGPT

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 05/29/2024

On May 23, the European Data Protection Board (EDPB) released a comprehensive report detailing the work undertaken by its ChatGPT Taskforce, which was established to address data protection concerns related to the popular AI service, ChatGPT. The report outlines ongoing investigations, preliminary views on compliance, and strategic recommendations for ensuring adherence to the General Data Protection Regulation (GDPR).

In recent years, large language models (LLMs) such as OpenAI’s GPT series have become increasingly prevalent in various fields. These models, which include ChatGPT, are trained using vast amounts of data, often including personal information, necessitating strict compliance with GDPR provisions. The ChatGPT Taskforce was created by the EDPB in April 2023 to coordinate investigations and enforcement actions across EU member states. This move was necessary because OpenAI, the company behind ChatGPT, did not have an establishment in the EU until February 2024, preventing the application of the One-Stop-Shop (OSS) mechanism under GDPR.

The taskforce has been actively coordinating national investigations into OpenAI’s data processing practices. These investigations, initiated by various Supervisory Authorities (SAs), focus on potential violations related to the collection and use of personal data by ChatGPT. The report notes that investigations cover different stages of data processing, including data collection through web scraping, pre-processing, training, and the use of input prompts and outputs generated by ChatGPT. Since establishing an EU presence in February 2024, OpenAI’s cross-border processing activities have come under the purview of the OSS framework. The lead SA is now responsible for exercising corrective powers where necessary, while coordination continues for ongoing national investigations related to activities before this date.

The report presents preliminary views on the lawfulness of OpenAI’s data processing practices, emphasizing the need for compliance with Articles 6 and 9 of the GDPR. Key concerns include the collection of training data through web scraping, which poses significant risks to individuals’ fundamental rights. Although OpenAI has cited legitimate interest under Article 6(1)(f) GDPR as the legal basis, the taskforce stresses the necessity for adequate safeguards to balance interests and protect data subjects. Additionally, when data subjects interact with ChatGPT by inputting prompts and receiving outputs that may include personal data, OpenAI must ensure clear and demonstrable consent for using this data for training purposes, as required by Article 6(1)(f) GDPR.

The taskforce emphasizes that fairness, transparency, and data accuracy are crucial for compliance. Personal data should not be processed in ways that are unjustifiably detrimental, discriminatory, or misleading, and OpenAI must ensure that users are not unfairly burdened with compliance responsibilities. Transparency requires OpenAI to provide clear information on data collection practices, particularly when data is scraped from publicly accessible sources, to comply with Articles 13 and 14 of the GDPR and ensure users are informed about how their data is used. Given the probabilistic nature of AI outputs, ensuring data accuracy is challenging but necessary, and OpenAI must implement measures to minimize the risk of inaccurate or biased outputs being generated and relied upon by users.

The GDPR grants data subjects several rights, including access, rectification, erasure, and the right to object to processing. The taskforce underscores the importance of making these rights easily exercisable. OpenAI’s privacy policy provides information on how to exercise these rights, but the company is urged to improve its mechanisms to facilitate user access and control over their data.

The EDPB report concludes with recommendations for ongoing and future actions. These include continued coordination among SAs, further development of guidelines for AI data processing, and ensuring robust safeguards are in place to protect data subjects’ rights. The taskforce will also facilitate communication between SAs and OpenAI to ensure transparency and compliance with GDPR standards.
