The Spanish Data Protection Agencythe AEPD, has announced the ex officio opening of a preliminary investigation into OpenAIthe company ChatGPT developer. As confirmed by the AEPD in a statement, the investigation has been initiated on suspicion that the chatbot violates the regulations stipulated in the GDPR of the European Union on data protection.
This investigation is in addition to the measures taken by Italy, which at the end of last month ordered Open AI to stop processing the data of the users that it had in the country on suspicion of violating various rules of the GDPR, which led to suspension of service in the country.
Among other things, the Italian data protection authority was concerned about the legality of the OpenAI reporting process, its transparency, the protection of minor users, and data access requirements. But the blocking of the service may not be definitive, since the Italian authorities have already communicated to the company the measures that it must implement if it wants the suspension order to be lifted. They have until the end of this month to activate them.
Meanwhile, in Spain the activity of ChatGPT has not been blocked, at least for now. But the AEPD has already asked the European Union to act with a view to taking joint measures on the chatbot, which has led to the opening of a working group at European Union level on it.
A few days ago the AEPD requested the European Data Protection Committee (EDPB), of which the AEPD is a part, to include ChatGPT as a topic to be addressed in its plenary meeting. He did it because they considered that «Global treatments that can have a significant impact on the rights of individuals require harmonized and coordinated actions at the European level in application of the General Data Protection Regulations».
Once said plenary meeting was held, the aforementioned working group was created to «encourage cooperation and exchange information on the actions carried out by the data protection authorities«. In this way, the AEPD «acts in parallel within the framework of its powers and competences as a national supervisory and control authority, as well as in coordination with its European counterparts through the Committee«.
Therefore, the European task force will act in parallel with investigations by local data protection authorities. In addition, it can help coordinate the reinforcement of the GDPR on generative Artificial Intelligence technologies in the region. However, countries that have already taken the first steps to investigate ChatGPT activity, such as Italy and Spain, are likely to conclude their investigations and take action before the task force, and thus the EDPB, are in a appropriate position to offer recommendations that harmonize positions at EU level.
The AEPD has recalled that «commitment to the development and implementation of innovative technologies, such as Artificial Intelligence«, but it has stressed that this development must comply with the legal framework on data protection of the European Union, as well as guarantee the rights and freedoms that the GDPR grants to individuals.