EDPB Task Force Issues Report on ChatGPT Compliance with GDPR

Introduction

On May 23, 2024, the European Data Protection Board (EDPB) issued a report on the work done by the ChatGPT Taskforce. While the report is not guidance in the form typically issued by the EDPB, it serves as de facto guidance for how AI programs might be evaluated for GDPR compliance going forward. The underlying question is whether ChatGPT is being unfairly scrutinized by authorities because of its popularity as a Large Language Model (LLM) AI.

ChatGPT Compliance Principles

LLM AI programs are trained using huge amounts of data, including personal data, some of which is obtained from web scraping. The Taskforce focused on ChatGPT’s compliance with the GDPR principles of (1) lawfulness of processing, (2) fairness, (3) transparency, and (4) data accuracy.

Lawfulness of Processing

The GDPR requires that all data processing must have a legal basis (e.g., contractual necessity, legitimate interest, etc.). Web scraping, which is the collection of personal data from publicly available sources on the internet, is no exception. Even though personal data is publicly available, the processing of that data by LLMs still requires a legal basis for such processing.

Fairness

The principle of fairness pursuant to Article 5(1)(a) of GDPR requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected, or misleading to the data subject. The requirement of satisfying the fairness principle lies with ChatGPT. The obligation of fairness cannot be transferred to the data subject simply by placing information in a Privacy Policy or Terms and Conditions.

Transparency

When collecting large amounts of data through web scraping, it is not practicable to inform each data subject about the web scraping. Therefore, the exemption pursuant to Article 14(5)(b) of GDPR could apply as long as all requirements are met. When personal data is collected directly from the data subject, Article 13 of GDPR applies. It is important that data subjects are informed that the information they provide may be used for training purposes.

Data Accuracy

The Taskforce made it a point to differentiate between the accuracy of data input and data output. The principle of data accuracy pursuant to Article 5(1)(d) of GDPR applies to both input and output. Although advising data subjects that generated text may be biased or made up is sufficient to address the transparency principle, it may not be sufficient to comply with the data accuracy principle.

Guidance

The report by the Taskforce includes an annex of numerous questions that the developers of ChatGPT should ask themselves to ensure compliance with GDPR. While the report is not formal guidance, it is certainly a good road map for any developer of LLM AI to comply with GDPR.

It is also worthwhile to keep in mind that while the report is applicable to ChatGPT as an AI developer, companies that deploy AI also have responsibilities for compliance with GDPR which should not be overlooked.

As events continue to develop, please do not hesitate to reach out to a member of our Data Privacy & Cybersecurity team with any questions.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.