The European privacy regulators decided on Thursday (13 April) to launch a dedicated task force to address the privacy concerns related to the world’s most famous chatbot.

The decision was taken during a meeting of the European Data Protection Board, a body that gathers all European data protection authorities to coordinate and streamline the enforcement of the EU data protection rules.

Italian data protection authority bans ChatGPT citing privacy violations

The Italian privacy watchdog mandated a ban on the popular chatbot ChatGPT and launched an investigation on its provider OpenAI for suspected breaches of EU data protection rules.

The decision of the Italian privacy watchdog spurred reactions worldwide on the data protection implications of large language models like ChatGPT. European authorities like the CNIL in France initiated investigations into the Artificial Intelligence system following similar complaints.

Ahead of the Board’s meeting on Thursday, the Spanish data protection agency requested that the privacy concerns surrounding ChatGPT be put on the agenda to reach coordinated decisions at the European level.

To ensure harmonised application of the rules, the European data authorities agreed to set up a task force dedicated to cooperation and exchange of information on possible enforcement actions.

The Italian authority asked the technology company to make available its privacy notice explaining how users’ data are being used for the functioning of ChatGPT.

OpenAI will also need to explain on what legal basis it is processing personal data for training its algorithms, which might take the form of consent obtained from the users or legitimate interest.

Even more challenging, the AI company will have to make available tools for everyone, user or not, who wants to ask for correction on his or her personal data or even their cancellation if a correction is technically impossible.

Everyone should also be able to ask not to have their data fed into the AI model.

By 31 May, OpenAI will have to propose to the Italian regulator a plan on how to implement age verification of its users no later than 30 September to prevent access to children below the age of 13 years old and minors that do not have the consent of their parents.