Last month, Italy became the first western country to temporarily ban ChatGPT within its borders.
Triggered by a data breach on March 20, the Italian data protection authority known as Garante accused OpenAI of “unlawful” collection of personal data — violating the EU General Data Protection Regulation (GDPR) — and the lack of an age verification system for minors.
Accordingly, it instructed the US-based company to shut down access to ChatGPT in the country.
Garante has now announced nine measures that OpenAI must meet in order for the ban to be lifted. These can be summarized in five main requirements:
Visit us at the TNW conference on June 15th and 16th in Amsterdam
Get a 20% discount on your ticket now! Limited time offer.
OpenAI shall publish an information notice detailing ChatGPT’s data processing (necessary for either the operation or training of its algorithms) and the rights granted to data subjects, including users and non-users.
The information sheet must be easily accessible and placed in such a way that it is immediately visible to users immediately upon accessing the service and before registering.
Exercise of Data Rights
The Italian regulator is also calling for a range of new tools that will allow both users and non-users to be in control of how their data is treated.
Not only can you object to the processing of your personal data by OpenAI for training purposes, you can also request the correction of incorrect personal data. If the latter is not technically feasible, there is the possibility of data deletion.
Regarding the legal basis for the data processing of ChatGPT for algorithm training, Garante has limited the available options to two: Obtaining consent or showing legitimate interests.
This means that the agency removes all references to the performance of a contract, which in practice allows the processing of personal data in exchange for access to OpenAI’s service.
Protection of minors
According to Garante’s instructions, all new and existing users must pass an age barrier when accessing ChatGPT so that the AI system can filter out underage users.
OpenAI must also develop age verification tools that deny access to users under the age of 13 and users between the ages of 13 and 18 who cannot provide parental consent.
OpenAI aims to promote a “non-marketing” campaign across all major mass media outlets in the country to inform Italians that their personal data may have been used for ChatGPT training, while raising awareness of the new information policy and related data rights to sharpen.
Along the road
Garante has given OpenAI until April 30th to meet most of its demands. However, the US-based company has been granted a more generous campaign advertising timeline — until May 15. It also has to submit a plan for the age verification system by May 31, which should be in place by September 30.
If these measures are sufficiently implemented, the Italian agency will lift the ban on ChatGPT, but it may decide to “take additional or different measures if it proves necessary”.
With other privacy regulators — including France, Ireland and Spain — closely monitoring developments, Italy could set a European precedent in not just regulating ChatGPT, but the general use of the increasingly widespread major language models.