European data protection advocacy group noyb has lodged a complaint against OpenAI concerning the company’s failure to rectify inaccurate information generated by ChatGPT, citing a potential violation of the General Data Protection Regulation (GDPR) in the European Union.
Maartje de Graaf, Data Protection Lawyer at noyb, expressed concerns about the repercussions of false information, particularly when it pertains to individuals. She emphasized the necessity for chatbots like ChatGPT to adhere to EU law when processing personal data, stressing that technology should conform to legal standards.
Under the GDPR, personal data must be accurate, and individuals have the right to rectify any inaccuracies and access information about the data processed. However, OpenAI has acknowledged its inability to rectify inaccurate information produced by ChatGPT or disclose the data sources used for model training.
OpenAI argued that ensuring factual accuracy in large language models remains an ongoing research challenge. Nevertheless, noyb cited a New York Times report revealing that chatbots like ChatGPT fabricate information in a significant percentage of interactions.
In one instance, ChatGPT consistently provided an incorrect date of birth for a complainant, despite requests for correction. OpenAI refused to rectify or erase the data, claiming it was impossible to correct.
Furthermore, OpenAI failed to adequately respond to access requests, a requirement under the GDPR. According to noyb, OpenAI’s approach implies a disregard for legal obligations and an assumption that innovative products are exempt from compliance.
European privacy watchdogs have previously scrutinized ChatGPT’s inaccuracies, leading to temporary restrictions on OpenAI’s data processing by authorities.
Noyb’s complaint urges the Austrian Data Protection Authority to investigate OpenAI’s data processing practices and take measures to ensure the accuracy of personal data processed by its language models. The advocacy group also seeks an order for OpenAI to comply with access requests, align its processing practices with the GDPR, and impose fines to ensure future compliance.
Leave a comment