The headline-making ChatGPT artificial intelligence (AI) chatbot has been banned in Italy (temporarily) while regulators assess its privacy implications.
AI works via "machine learning," whereby the chat engine gets smarter with each user inquiry and also by amassing information from other sources; the idea is that it can then produce better answers to user questions. Regulators are concerned by this feature of the AI chat engine, which has been populated with data by scraping the web (and thus could fall foul of several provisions of the EU privacy regulations allowing users to correct or delete information about themselves). In addition, ChatGPT suffered a data breach in March, leading to the loss of user information such as log-in and payment details. The service might also interact with minors, who receive special protection under EU (and US) privacy laws. It also collects and stores huge amounts of information, which could trigger the limitations built into EU privacy rules on collecting disproportionate amounts of data in relation to a permitted purpose.
The big issue with AI, and ChatGPT, however, is whether the service has a "legal basis" to process personal data about individuals. Under EU law, it is illegal to collect, use, store, or otherwise process any personal data about individuals without a specific legal basis. Only limited situations, such as performing a contract, or having an individual's consent, qualify as a legal basis.
Why It Matters
ChatGPT is the first consumer-grade AI engine to receive widespread user testing. Like all AI, it is based on the free collection and analysis of information. This built-in requirement of AI has the potential to bump up against privacy concerns, which are paramount to online regulators in the EU. In addition, ChatGPT represents a significant number of unknowns to privacy regulators -- about how it uses the data being gathered, where it gathers those data, how long it will retain and keep using those data, how users can exercise control over their data, and more. It will be interesting to see how the EU and other leading privacy jurisdictions resolve their questions about AI and how they will regulate it.