UPDATE – FEBRUARY 2026:

Since the EDPB’s May 2024 report, the ChatGPT Taskforce’s work has expanded beyond a single investigation into a broader AI enforcement coordination effort across EU data protection authorities. In late 2024, the EDPB widened the initiative to support joint responses on urgent AI-related GDPR issues, reflecting growing concern about how large language models process personal data. National investigations into OpenAI’s data scraping, training practices, prompt handling, and output accuracy remain ongoing, with no final enforcement decisions publicly issued as of early 2026.

OpenAI’s establishment in the EU has improved regulatory coordination through the One-Stop-Shop mechanism, allowing a lead supervisory authority to manage cross-border compliance while local authorities continue related cases. The EDPB’s 2026–2027 work programme, adopted in February 2026, reinforces priorities around GDPR compliance support, cross-regulatory cooperation, and oversight of emerging digital technologies, including AI systems.

Overall, the original findings on lawfulness, fairness, transparency, and accuracy remain the primary reference point. Regulators continue to stress that organizations using or developing AI must ensure clear legal bases for data processing, stronger transparency around training data, and practical mechanisms for individuals to exercise GDPR rights. While no new binding guidance has replaced the Taskforce’s initial conclusions, enforcement coordination is becoming more structured as EU authorities prepare for broader AI oversight alongside the EU AI Act rollout.

ORIGINAL NEWS STORY:

EDPB Taskforce Report Highlights GDPR Compliance Issues for ChatGPT

On May 23, the European Data Protection Board (EDPB) released a comprehensive report detailing the work undertaken by its ChatGPT Taskforce, which was established to address data protection concerns related to the popular AI service, ChatGPT. The report outlines ongoing investigations, preliminary views on compliance, and strategic recommendations for ensuring adherence to the General Data Protection Regulation (GDPR).

In recent years, large language models (LLMs) such as OpenAI’s GPT series have become increasingly prevalent in various fields. These models, which include ChatGPT, are trained using vast amounts of data, often including personal information, necessitating strict compliance with GDPR provisions. The ChatGPT Taskforce was created by the EDPB in April 2023 to coordinate investigations and enforcement actions across EU member states. This move was necessary because OpenAI, the company behind ChatGPT, did not have an establishment in the EU until February 2024, preventing the application of the One-Stop-Shop (OSS) mechanism under GDPR​​.

Supervisory Authorities across Europe are examining how OpenAI collects and uses data. They are looking at web scraping, pre-processing, training, and the handling of prompts and outputs. The lead authority under the OSS now coordinates corrective action, while local authorities finish their own cases.

Preliminary Views on Lawfulness

The report stresses the need for compliance with GDPR Articles 6 and 9. Concerns focus on training data scraped from public sources, which may endanger fundamental rights. OpenAI has cited legitimate interest as its legal basis, but the taskforce argues that additional safeguards are essential. When users input prompts that include personal data, OpenAI must show clear consent if it uses this information for training. The taskforce warns that relying on broad claims of legitimate interest is not enough.

Crucial Components for Compliance

The EDPB highlights three pillars:

• Fairness: Data must not be used in ways that harm or discriminate against people.

• Transparency: OpenAI must explain how it collects data, especially when scraping from public sources, and comply with Articles 13 and 14.

• Accuracy: AI outputs are probabilistic and may be wrong. OpenAI must take steps to reduce the risk of false or biased results influencing users.

The GDPR also gives people rights to access, correct, delete, or block their data. The taskforce urges OpenAI to make these rights easier to exercise. Current privacy policies exist but need stronger mechanisms for user control.

Conclusion

The report recommends continued cooperation among national authorities, more detailed guidance on AI data processing, and stronger safeguards for individuals. The taskforce also plans to facilitate dialogue between OpenAI and regulators to improve transparency and accountability under GDPR.

Need Help?

If you’re wondering how the EDPB, the GDPR and any other government regulations on AI could impact you, reach out to BABL AI. Their Audit Experts are ready to help you with your concerns and questions while providing valuable assistance.