It is an open secret that the Italian data protection authority is very interested in becoming the regulator for AI. It has started to appear in different areas, intervening as much as possible in the public debate. The OpenAI case is clearly part of this strategy.
By Andrea Monti – this is an abridged and edited version of a longer article published in Italian by Italian Tech – La Repubblica.
On the merits, the authority has not yet released any public information. However, based on other public initiatives in related areas such as web scraping, it is likely that the authority will hold OpenAI responsible for collecting personal data in Italy, ‘exporting’ it to the US, and processing it for profit without a legal basis.
As I wrote when the authority first blocked OpenAI, I have serious doubts about the authority’s claims.
First, a procedural issue: an administrative authority cannot have direct jurisdiction over foreign companies. If a public prosecutor who wants to investigate a case abroad has to resort to mutual legal assistance treaties, and a court has to have its decision reviewed in the host country before it can be enforced in, say, a family matter, how is it that a lower-level entity can be given free rein?
Secondly, ChatGPT is not supposed to give reliable results, so the claim that it processes personal data in an unreliable way misses the mark. The reliability of the output is not an absolute value; it must be assessed against the stated purpose. Since ChatGPT is not a ‘truth machine’ and is not sold as one, it is difficult to argue that the reliability of its results is actually an issue.
Thirdly, if the purpose of the processing is not to provide reliable data, is this a kind of processing that should concern the GDPR at all? In other words, it is not OpenAI’s fault if people keep using ChatGPT as a substitute for their (lack of) knowledge and then complain about the results.
The only point that might have some merit is the one about the lack of a legal basis for processing personal data, not so much in terms of the GDPR as in terms of ‘predatory’ data exploitation (i.e. data monetisation).
It is fair to say that content published by individuals (including their personal data) should be consulted, not reused for profit purposes without at least compensating the rights holders or obtaining some kind of licence. In this respect, other players such as Meta and Google may have a different position, as their terms and conditions allow a wider latitude in processing user-generated content for purposes other than providing a specific service.
Moreover, OpenAI (like other genAI providers) has scraped the entire internet to collect data in pursuit of a business, not for ‘pure’ research purposes. The defence that genAI providers are using in the US trials is ‘fair use’, but fair use relates to copyright – the ‘author’s right’ under Italian law – and only applies to creative (i.e. artistic) works. I find it difficult to say that data processing is equivalent to the Divina Commedia. Still, copyright’s fair use is somewhat similar to the GDPR’s legitimate interest. So if the matter is indeed subject to the GDPR, the crucial point is to weigh a company’s business interest (which, let’s not forget, is a constitutionally protected right in Italy) against the freedoms and fundamental rights of individuals.
The problem to be solved, then, is whether OpenAI’s data scraping and processing, at least in terms of the threats it poses, violates the fundamental rights of EU citizens. It is the duty of data protection authorities to provide solid evidence for such claims; they cannot simply rest on general musings about the ‘dangers of AI’ and infer from them some form of legal responsibility. It will be interesting to see how the DPA meets its burden of proof.
The bottom (and unspoken) line of the OpenAI case is the blurring of the line between law and policy. For a long time, GDPR has been weaponised in the ‘quiet’ battle between the EU and the US. Using law to pursue political goals in the management of international relations may not be the smartest idea, as regulation is a double-edged axe that is not meant to cut in only one direction.