GNP Guia Naghi & Partners The Legal 500 – The Clients Guide to Law Firms

Roxana Barica – EDPB’s report on ChatGPT Taskforce

Until 15 February 2024, OpenAI did not have an establishment in the European Union. Since no cooperation procedures under the GDPR’s One-Stop-Shop (hereinafter “OSS”) mechanism could therefore apply, the EDPB decided to establish a taskforce to foster cooperation and exchange information on possible enforcement actions concerning the processing of personal data in the context of ChatGPT. At the EDPB Plenary meeting of 16 January 2024, the decision was made to specify the mandate of the taskforce and to publish a report outlining the interim results of the ChatGPT taskforce.

The EDPB therefore issued this Report, which provides preliminary views on certain aspects discussed between supervisory authorities (SAs) and does not prejudge the analysis that each SA will make in its respective ongoing investigation.


In brief, the Report analyses several aspects of the common interpretation of the GDPR provisions relevant to the various ongoing investigations, such as:

  • Lawfulness:

In general, it has to be recalled that each processing of personal data must meet at least one of the conditions specified in Article 6 para. (1) and, where applicable, the additional requirements laid out in Article 9 para. (2) GDPR.

When assessing the lawfulness, it is useful to distinguish the different stages of the processing of personal data. The stages can be categorized into:

  1. collection of training data (including the use of web scraping[1] data or reuse of datasets),
  2. pre-processing of the data (including filtering),
  3. training,
  4. prompts and ChatGPT output, as well as
  5. training ChatGPT with prompts.

  • Fairness: ensuring compliance with the GDPR is a responsibility of OpenAI and not of the data subjects, even when individuals input personal data.

It has to be recalled that the principle of fairness pursuant to Article 5 para. (1) letter (a) GDPR is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subjects.

  • Transparency and data accuracy: the controller should provide proper information on the probabilistic nature of ChatGPT’s output and refer explicitly to the fact that the generated text may be biased or made up.

When personal data is scraped from publicly accessible sources such as websites, the requirements of Article 14 GDPR apply. Because large amounts of data are collected via web scraping, it is usually not practicable or possible to inform each data subject about the circumstances. Therefore, the exemption pursuant to Article 14 para. (5) letter (b) GDPR could apply, as long as all requirements of this provision are fully met.

In line with the principle of transparency pursuant to Article 5 para. (1) letter (a) GDPR, it is important that the controller provides proper information on the probabilistic output creation mechanisms and on their limited level of reliability, including an explicit reference to the fact that the generated text, although syntactically correct, may be biased or made up. Although the measures taken to comply with the transparency principle help to avoid misinterpretation of ChatGPT’s output, they are not sufficient to comply with the data accuracy principle, as recalled above.

  • Data subjects’ rights and their effective exertion.

The GDPR defines a set of rights of data subjects, for example the rights to access personal data and be informed of how it is processed, to have it deleted or rectified, under certain conditions to transmit personal data to a third party, to restrict the processing of the data subject’s data, or to file a complaint with an SA.

OpenAI, as controller, provides information on how to exercise these rights in its privacy policy (European version). In light of the complex processing situation and the factual limits for data subjects to intervene, it is imperative that data subjects can exercise their rights in an easily accessible manner.

  • Annex (Questionnaire)

Taskforce members also developed a common questionnaire as a possible basis for their exchanges with OpenAI, which is published as an annex to the Report. It has to be noted that SAs are independent and, as such, each SA was free to modify the questionnaire or to add further questions[2].


The Report does not draw specific conclusions on all of the preliminary legal views it sets out; the lawfulness and fairness of OpenAI’s processing remain undecided.

Considering the high penalties for confirmed violations of the data privacy legislation (i.e. fines up to 4% of global annual turnover and orders to cease the non-compliant processing), OpenAI is still facing considerable regulatory risk in the EU.

However, we shall see if OpenAI will continue its business as usual, despite the growing number of complaints that its technology violates various aspects of the GDPR.
