Chatgpt is back online today or tomorrow, as reported by Il Sole24Ore through an informed source of the facts. The agreement with the Privacy Guarantor has been completed. OpenAi – the company that makes this famous chatbot – has agreed to comply with the requests for compliance with European privacy legislation. A first signal arrived during the week when OpenAI granted all users worldwide the possibility of excluding their conversations from algorithm training.
However, the requests of the Italian Guarantor go much further.
For example, there must be useful tools in ChatGpt to allow interested parties, even non-users, to request the rectification of personal data concerning them generated inaccurately by the service or the cancellation of the same, if the rectification is not technically possible. Furthermore, OpenAI will have to allow interested non-users to exercise, in a simple and accessible way, the right to object to the processing of their personal data used for the exercise of the algorithms and recognize a similar right to users, if they identify the legitimate interest such as legal basis of the treatment. OpenAi will have to run an advertising campaign so that everyone, even non-users, knows they can be excluded from the chatbot. An exemplary case is that of an Australian mayor who according to the chatbot had been convicted of corruption; all false, so much so that he has ensured that ChatGpt does not respond to anyone who requests information about him. In short, if OpenAI is unable to rectify these errors – and it may be difficult or impossible, given how the algorithm works – at least it must allow anyone to be excluded from the system.
What’s new about age verification for minors
As regards the verification of the age of minors, in addition to the immediate implementation of an age request system for the purpose of registering for the service, the Authority has ordered OpenAI to submit an action plan by 31 May which includes , at the latest by 30 September 2023, an age verification system, capable of excluding access to users under the age of thirteen and minors for whom parental consent is missing. The President of the Guarantor, Pasquale Stanzione, a few days ago suggested the use of secure intermediaries (a solution, even if not mentioned, could be Spid) for platforms that are obliged to exclude access to minors under the age of 13 who are not authorized by their parents. OpenAI must also prepare and make available on its own site a transparent information, which illustrates the methods and logic underlying the processing of data necessary for the functioning of ChatGPT and the rights attributed to users and non-user interested parties.
Where will the information be found?
The disclosure must be easily accessible and placed in a position that allows it to be read before proceeding with any registration for the service. For users who connect from Italy, the information must be presented before completing the registration and, always before completing the registration, they must be asked to declare that they are of age. For already registered users, the information must be presented at the time of the first access following the reactivation of the service and, on the same occasion, they must be asked to pass an age gate which excludes, on the basis of the declared age, minor users.
The question of the legal basis
Then there is a complicated question, perhaps the most thorny for many jurists. That of the legal basis of the processing of personal data used for the training of the algorithms. We know that ChatGpt was born with the massive scraping of data taken from the internet, without the consent of the interested parties. In the United States it can be done; in Europe it is not so easy, hence the intervention of the Guarantor. The Privacy Guarantor has ordered OpenAI to eliminate any reference to the execution of a contract and to indicate, instead, based on the principle of accountability, consent or interest as a prerequisite for using such data, without prejudice to the exercise of one’s powers of verification and assessment subsequent to this choice. In recent days, even the German privacy authorities have taken steps asking OpenAI to provide information about compliance with privacy regulations and a task force of European privacy guarantors has been set up. What happens in Italy, with ChatGpt, is preparing to teach in Europe and perhaps not only in Europe.