Privacy Insider Newsletter | Data Privacy News Delivered Weekly

Is the GDPR Ready to Handle AI?

Written by Arlo Gilbert | May 11, 2023 1:00:00 PM

Hello all, and happy Thursday!  

You may have heard that ChatGPT is back online in Italy after implementing a few minor privacy controls to address data protection authorities' immediate concerns over GDPR violations. However, the odds are good that ChatGPT will face additional data privacy challenges under the GDPR. But these challenges aren't unique to ChatGPT, OpenAI, and the GDPR; pretty much any large language model (LLM) will butt heads with any data privacy regulation.  

LLMs are trained on massive databases of textual information, which could include the text of Shakespeare, internet forum comments, or your personal information. It isn't feasible to manually sift through the entire corpus for personal information and ask for every data subject's consent, and it's dubious whether a business could secure another legal basis for processing that information under the GDPR.   

Finding personal information within the massive datasets used to train AI is another issue. How will data subjects request their personal information be deleted? 

Lastly, LLMs need to retain data indefinitely so that they can continuously refine and improve. That doesn't exactly mesh with the GDPR's data minimization and retention principles.    

The EU has been working on an AI regulation to contend with the unique challenges posed by AI, but ChatGPT's explosion in popularity threw a wrench in the gears. It became clear the proposed AI Act lacked the ability to effectively regulate LLMs, "foundation models," and "General Purpose AI Systems (GPAIs)." However, the AI Act is still a few years off; until then, AI businesses will need to figure out a way to live alongside data privacy regulations like the GDPR. 

Best, 

Arlo 

Top privacy stories of the week

 

Twitter Breaks Its Silence on Bug that Showed Private Tweets to a Wider Audience 

A bug related to Twitter’s Circle feature, which allows closed groups of contacts to tweet with one another, revealed private tweets outside of Twitter Circles. According to an email from Twitter, the bug has been fixed. 

Read more 

Court Dismisses FTC’s Suit Against Kochava… for Now 

Kochava—a data broker accused of selling location data that could be used to track individuals traveling to and from sensitive locations like healthcare clinics and domestic violence shelters—has successfully beat an FTC lawsuit. A federal judge dismissed the case, stating, that “the FTC has not adequately alleged a likelihood of substantial consumer injury.” 

Read more 

Pornhub Blocks Utah Users Ahead of Age Verification Law 

In response to a Utah law requiring pornographic companies to verify the age of users through a "digitised verification card,” Pornhub has opted to disable access to Utah residents. Instead, Utah residents visiting the website are greeted with a message arguing that the law puts their privacy at risk. 

Read more 

How to Ask OpenAI for Your Personal Data to Be Deleted or Not Used to Train Its AIs 

In order to comply with the GDPR, OpenAI has given EU users controls over whether or not their personal data is used to train ChatGPT and other AI technologies. While the new controls bring the company closer to compliance with local data privacy regulations, much remains to address the privacy issues of AI in general and ChatGPT specifically. 

Read more 

Indiana Governor Signs a Comprehensive Privacy Act into Law 

Right on the heels of Iowa, Indiana has become the seventh U.S. state to pass a comprehensive privacy law. While much of the law mirrors what other states have done in regard to data privacy, there are some significant departures. 

Read more 

OpenAI’s Regulatory Troubles Are Only Just Beginning 

On April 28th, ChatGPT resumed service in Italy after making minor adjustments to address GDPR concerns. However, more rigorous investigations by other data protection authorities are underway, and the EU is developing a law specifically designed to regulate AI, too. 

Read more 

CJEU Rules on GDPR Compensation 

The Court of Justice of the EU has ruled that mere infringement of the GDPR does not give rise to a right to compensation. Instead, an EU citizen is only entitled to compensation if the violation meets three conditions: infringement of the GDPR, material or non-material damage resulting from that infringement, and a causal link between the damage and the infringement. 

Read more 

The IAPP Launches Its New AI Governance Center 

The International Association of Privacy Professionals (IAPP) has launched a new AI Governance Center, whose purpose is to “provide privacy and AI governance professionals with the content, resources, networking, training and certification needed to respond to the complex risks in the AI field.” 

Read more 

Osano Blog: What is the Global Privacy Control (GPC)? 

To comply with the CPRA and other privacy laws, businesses have to accept consent preference signals from authorized third parties—not just through their consent banners. It can be tricky to understand what these universal consent preference signals are all about. In this blog, we dive into the most well-known of these signals: The Global Privacy Control, or GPC. 

Read more 

If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you.