The decision could have global repercussions and serve as a basis for similar decisions in other countries.
The Italian Privacy Guarantor (GDPD) has adopted a provisional restrictive measure, with immediate effect, following a security incident that occurred at the OpenAI company (owner of the ChatGPT platform) on March 20, 2023, which partially exposed conversations and some personal data of Italian users ― including email addresses and the last four digits of their credit cards.
It is essential to understand that although the ChatGPT platform has been the subject of political, sociological and technological discussions, the reasons for this decision are based on the European General Data Protection Regulation (GDPR) of 2016 and the Italian Regulation Code in matter of personal data protection. We are therefore not analyzing a decision with a political content, but a resolution that is the result of a “typical” instruction from a data protection authority.
Having said that, it is necessary to make some brief observations on the most relevant reasons for the decision and on the violations raised by the Italian authority.
Regulation must be transparent
Firstly, transparency is once again confirmed as a fundamental principle of privacy regulations at a global level. It is according to this principle that the decision shows that no information has been provided to users, nor to interested parties whose data is collected by OpenAI, LLC and processed through the ChatGPT service.
Furthermore, the authority highlights the absence of a legal basis that justifies the massive collection and storage of personal data with the aim of “training” the algorithms underlying the functioning of the platform. The criticism of the adequacy of the legal foundations defined by OpenAI is probably the most sensitive issue, as it should apply to many machine learning systems, not just generative AI.
Furthermore, the potentially unlimited use of electronic devices and the Internet makes children and adolescents deserving of greater protection. In this sense, the Italian authority highlights the absence of any verification of the users’ age in relation to the ChatGPT service, “exposing them to completely inadequate answers in relation to their degree of development and self-awareness”.
Age restrictions on social networks
As for the age limit, most social media platforms, including TikTok, Instagram and Facebook, allow users to create accounts if they are 13 or older (in some jurisdictions this age limit may be higher). . From a sociological point of view, the debate on the usefulness of this criterion is current and full of contributions.
Now, focusing on the data protection perspective, the biggest challenge for companies with smaller audiences is to create effective verification mechanisms. This perhaps doesn’t rule out the possibility of a child or teenager creating an account illegally, of course. However, it will have the benefit of limiting the misuse and enjoyment of the platforms.
The fact that the Italian authority highlighted, in the decision, the lack of verification systems in ChatGPT, underlines, once again, the need for an effective and strategic dialogue between those responsible for product creation and the company’s lawyers. In other words, it is essential that companies, starting from the implementation phase and before launching new products or services on the air, integrate technical mechanisms that guarantee compliance with the requirements of the applicable privacy legislation.
The provisional restriction measure affects the use of the platform by Italian users, as it is issued by a national, non-European or international authority. However, the similarities in principle presented by some global privacy regulations – for example, the GDPR and the LGPD – lead me to think that the decision may have global repercussions and serve as a basis for similar decisions or regulatory changes by policy makers.
For now, San Francisco-based OpenAI has 20 days to respond to the request, backed by the threat of fines if it fails to comply.
Marco Zorzi is an Italian lawyer and data protection consultant at Andersen Ballão Advocacia.
Source: Terra
Rose James is a Gossipify movie and series reviewer known for her in-depth analysis and unique perspective on the latest releases. With a background in film studies, she provides engaging and informative reviews, and keeps readers up to date with industry trends and emerging talents.
