On 30 March 2023, the Italian data protection authority (Garante) announced the temporary and immediate suspension in Italy of a popular generative AI chatbot, rendering the service inaccessible to web browsers using an Italian IP address pending the conclusion of an inquiry by the Garante.
Following the inquiry initiated by the Garante, other European data protection authorities raised similar concerns, started investigations of their own and agreed to pool their efforts in a European task force focused on generative AI, with the aim of supporting investigations and cooperation across the various jurisdictions.
Lack of information, inaccurate data and age verification
The initial concerns raised by the Garante – and acknowledged by other regulators – were mainly focused on the alleged lack of measures to ensure adequate information to users as well as non-users whose data are collected through the generative AI platform.
Additionally, the Garante alleged the absence of a legal basis for the massive collection and processing of personal data used to train the algorithm underpinning the chatbot. Furthermore, according to the Garante, the information generated by the chatbot proved inaccurate, resulting in incorrect processing of personal data. Finally, the Garante flagged the lack of any age verification mechanism, exposing minors to the risk of receiving responses inappropriate for their age and awareness, even though the service is allegedly addressed to users aged 13 or above according to the relevant terms of service.
The San Francisco based company that owns the AI chatbot immediately declared its willingness to cooperate with the Garante. Whilst it claimed never to have misused data collected through the generative AI chatbot, it confirmed its readiness to ensure compliance with the GDPR principles.
On 11 April 2023, the Garante issued a further decision to lift the temporary limitation previously ordered, provided that the company implemented a list of measures including:
(i) change by 30 April 2023 of the legal basis for the processing of personal data for the purposes of algorithm training, by removing any reference to the performance of the contract and replacing it with either legitimate interest or consent;
(ii) adoption by 30 April 2023 of a set of measures enabling data subjects to obtain rectification of their personal data when incorrect, or to have those personal data deleted if rectification is not feasible;
(iii) submission by 30 May 2023 of a plan for an adequate age verification system, to be implemented by 30 September 2023, to filter out users aged under 13 as well as users aged 13 to 18 who lack parental consent to use the chatbot; and
(iv) promotion by 15 May 2023 of an awareness campaign through the main Italian media, including radio, newspapers and the Internet, to inform individuals about how their personal data might have been processed for training algorithms and about their right to opt out of such processing.
Compliance measures
On 25 April 2023, the company owning the chatbot service sent a letter to the Garante describing the measures implemented in order to comply with the requirements set by the Garante. The steps taken include:
- Publication on the company’s website of an information notice addressed to all individuals in the European Economic Area (EEA), the UK and/or Switzerland, including non-users, describing what personal data are collected, how these are processed for the purpose of training algorithms, and how to exercise one’s right to object to such processing in compliance with the applicable privacy laws.
- Publication of an ad-hoc online form, easily accessible to all individuals in the EEA, the UK and/or Switzerland including non-users, to exercise their right to obtain the removal of their personal data collected for the training of algorithms (ie right to opt out).
- Amendment of the privacy policy to clarify that the legal basis of the data processing is legitimate interest, and relocation of the privacy policy so that it is easily accessible prior to signing up to the service.
- Insertion of a new ‘Welcome Back, Italy!’ page in case of service resumption for those who had already registered, with a direct link to the amended privacy policy and to the information notice on how the personal data processing works for the purposes of training algorithms.
- Publication of an ad-hoc form enabling registered users to opt out of the processing of their personal data by turning off the chat history in the chatbot, thus preventing their personal data from being processed for training algorithms.
- Publication of clear and easily accessible instructions enabling individuals, including non-users, to obtain erasure of inaccurate information generated by the AI chatbot. In this respect, the company stated that it is not possible, at least for now, to prevent the generation of incorrect or misleading information or the production of offensive content.
- Amendment of the privacy policy to clarify that while some personal data are processed on a contractual basis to enable the performance of the services, other personal data processed for training algorithms are retained on the basis of the company’s legitimate interest, without prejudice to users’ right to opt out of such processing while still benefiting from the service.
- Insertion of an age verification and consent button on the new ‘Welcome back, Italy!’ page before gaining access to the service to enable Italian users to confirm that they are aged above 18, or else that they are aged 13 to 18 and have obtained consent to use the chatbot from those exercising their parental control over them.
- Insertion in the service sign-up page of the request to specify the birthdate to block access by users aged below 13 and for those aged 13 to 18 to request confirmation of the consent given by the parents.
The Garante welcomed the measures implemented by the US tech company, which represent a first step towards compliance with the GDPR requirements, and expressly called upon the company to comply with the further outstanding requests. In particular, the Garante referred to the implementation of a more adequate age verification system and to the media campaign informing Italian data subjects about the processing.
As of today, the media campaign has not yet launched. We will continue to monitor whether the tech company fulfils the further enforcement measures within the deadlines set out by the Garante. For more information, please connect with your local Freshfields contact.