OpenAI, the artificial intelligence research laboratory, has started geoblocking its chatbot, ChatGPT, in Italy after receiving an order from the local data protection authority. The regulator issued the order on Friday, stating that OpenAI must stop processing the data of Italians for the ChatGPT service. In response, OpenAI issued a statement regretting to inform users that it has disabled access to ChatGPT in Italy at the request of the data protection authority, known as the Garante.
OpenAI will also issue refunds to all users in Italy who subscribed to the ChatGPT Plus service last month. The company is also temporarily pausing subscription renewals in Italy to ensure that users are not charged while the service is suspended. At this point, OpenAI is applying a simple geoblock, which can be circumvented by using a virtual private network (VPN) to switch to a non-Italian IP address. However, if a ChatGPT account was originally registered in Italy, it may no longer be accessible, and users wanting to bypass the geoblock may have to create a new account using a non-Italian IP address.
The Garante announced on Friday that it had opened an investigation into ChatGPT over suspected breaches of the European Union’s General Data Protection Regulation (GDPR). The regulator is concerned that OpenAI has unlawfully processed Italians’ data. OpenAI has not informed anyone whose online data it found and used to train the technology, such as by scraping information from Internet forums. It has also not been entirely transparent about the data it’s processing.
In its statement, the Garante also pointed out the lack of any system to prevent minors from accessing the tech, raising a child safety flag. Additionally, the regulator has raised concerns over the accuracy of the information the chatbot provides. ChatGPT and other generative AI chatbots are known to sometimes produce erroneous information about named individuals — a flaw AI makers refer to as “hallucinating”.
OpenAI has yet to respond to the Garante's investigation publicly. However, the company claims in its public statement to geoblocked users in Italy that it is committed to protecting people’s privacy and that it believes it offers ChatGPT in compliance with GDPR and other privacy laws. It also stated that it will engage with the Garante with the goal of restoring access to ChatGPT as soon as possible.
It is not clear how OpenAI can address the compliance issues raised by the Garante, given the wide scope of GDPR concerns it’s laid out as it kicks off a deeper investigation. The regulation calls for data protection by design and default — meaning privacy-centric processes and principles are supposed to be embedded into a system that processes people’s data from the start. Penalties for confirmed breaches of the GDPR can scale up to 4% of a data processor’s annual global turnover (or €20M, whichever is greater). Since OpenAI has no main establishment in the EU, any of the bloc’s data protection authorities are empowered to regulate ChatGPT. This means that all other EU member countries’ authorities could choose to step in and investigate and issue fines for any breaches they find.
In conclusion, OpenAI's decision to geoblock ChatGPT in Italy highlights the importance of complying with GDPR and other data protection laws. It serves as a wake-up call that AI systems must adhere to the same privacy principles and standards as other technologies.
