In today's age of artificial intelligence, OpenAI has become a significant player in the business world. Its creation, the ChatGPT API, allows businesses to harness the capabilities of AI and incorporate them into their own products or services. However, with its ever-growing use, businesses should carefully consider all the regulatory risks associated with this technology.
So, what are these risks? What are the steps that businesses can take to mitigate them? We utilize the perspective of the General Data Protection Regulation (GDPR), a pivotal privacy law that has become the benchmark for global data protection, to discuss and answer these questions in the article. We will also cover whether your business would need to comply with GDPR, should you choose to use ChatGPT API in your product or service.
As we await the activation of many AI-focused regulations like the EU AI Act, the GDPR continues to serve as the principal tool for managing AI regulation and protecting users who interact with AI.
ChatGPT API: an overview of key privacy risks
ChatGPT, an AI language model developed by OpenAI, has incredible capabilities. It crafts human-like text, responds to queries, translates languages, and even whips up original content. More and more businesses are embracing ChatGPT for its diverse applications, such as customer service chatbots, personalized product suggestions, productivity-boosting tools, virtual assistants and educational tools.
But, as with all technologies, it comes with its set of challenges. Unauthorized access, data leakage, or unlawful use of data, including for training purposes, can all lead to serious regulatory and business risks.
💡 Worth checking: How to Incorporate Privacy Protection in AI Product Design
How is GDPR related to ChatGPT API privacy compliance?
Unveiled in 2018, the GDPR is a foundational piece of legislation that shapes data protection across the EU and the UK. Since its enactment, it has become a staple law in the privacy world, and many privacy regimes have modeled their laws on the GDPR. It utilizes a principle-based approach, and provides comprehensive safeguards to ensure the protection of an individual's privacy. As such, these principles will inevitably apply to the wide array of the ChatGPT API application, where users may share their personal data.
Adhering to GDPR will provide a structured approach to prevent the issues we described above and maintain the confidentiality and integrity of data. Moreover, adhering to GDPR is not only about meeting regulatory requirements and formal compliance. It is also about establishing trust. When you incorporate AI into your products, it becomes especially vital to demonstrate your capability to handle data responsibly, ensuring a trust-based relationship with your users.
Does your ChatGPT-based app need to comply with GDPR?
Businesses need to understand that even if they aren't directly gathering data through the OpenAI´s API, they will still need to comply with the GDPR if they make the ChatGPT application available to its users.
This was solidified by a landmark ruling C-40/17 Fashion ID by the Court of Justice of the European Union (CJEU). In this ruling, the CJEU found that a business embedding third-party resources into its products or services can still be considered a data controller and be required to comply with the GDPR, even if no personal data is collected by the business. So, if you're embedding the ChatGPT API, you'll need to ensure GDPR compliance regardless of the fact if you are accessing the personal data that the users share with the application, or not.
Also important to note is that the GDPR's reach extends beyond the borders of its original jurisdiction. As such, outside businesses that target the EU and UK markets are equally required to adhere to its stipulations.
📚 Read more: The Ultimate Privacy Compliance Guide
What are the GDPR compliance requirements for embedding the ChatGPT API?
Integrating the ChatGPT API into your operations will introduce a new set of GDPR compliance considerations. To provide you with guidance, we have highlighted the following key areas to focus on:
- Establishing Lawful Basis. Before deploying ChatGPT API, ensure you have a lawful basis for processing personal data. If you envision the possibility of collecting sensitive data via your application, explicit consent may be the only way to provide the functionality to your users.
- Obtaining Valid Consent. When relying on consent, make sure it's obtained freely and with clear options for withdrawal. Interface design can play a crucial role here.
- Data Subject Rights. Fulfilling the rights of individuals regarding their data is a fundamental aspect of GDPR compliance, and this can present unique challenges when using OpenAI technology. For instance, the "right to erase" may be not so straightforward to implement due to the technical aspects of ChatGPT.
- Preventing Minor Access. Implement effective age verification measures and require parental consent to protect children from accessing your application. While age restriction may vary across states, opting for 16 years as a standard will be the safest option to take.
- Satisfying data transfer and OpenAI GDPR obligations. It's essential to protect the data being transferred to OpenAI in the US, and to make sure that OpenAI meets their obligations under the GDPR as well. For this, you should not forget to sign a Data Processing Agreement (DPA) and Standard Contractual Clauses with OpenAI.
Additionally, adherence to the general GDPR principles, such as purpose limitation and data minimization, will also be crucial in maintaining compliance. Here, a Data Protection Impact Assessment (DPIA) will be important to identify and mitigate any risks undermining the compliance with the principles, specifically when relying on innovative technologies such as ChatGPT.
Regulatory challenges and possible changes
While the aforementioned measures can significantly mitigate risks, this technology remains to be seen as privacy intrusive and requiring additional regulatory oversight. Recognizing this, many jurisdictions are rethinking their regulatory approach to AI with the aim of strengthening their privacy compliance framework.
A notable example is Italy, which recently has temporarily banned ChatGPT due to gaps in privacy areas that we discussed earlier. Though the ban was lifted in April 2023 after OpenAI mitigated the identified non-compliance, the incident demonstrates the vigilance of regulatory bodies towards this technology. Similarly, Spain, France and Germany have lately indicated their intent to probe ChatGPT's potential risks before deciding on any regulatory measures.
Furthermore, the European Data Protection Board set up a task force to foster cooperation on possible enforcement actions conducted by authorities with regard to ChatGPT in the EU.
Ensuring GDPR compliance with OpenAI's API
Regardless of the path forward, it's certain that data protection will remain the top concern, and compromises in this domain will not be substantial. Navigating the complex landscape of AI and data privacy can certainly be challenging.
In this regard, Legal Nodes offers data protection support that can assist your businesses in maintaining regulatory compliance. We will be able to provide professional guidance and will cover all areas of privacy compliance that your ChatGPT application may need.
With our robust understanding of privacy requirements and business-oriented approach, you will be able to mitigate privacy and security risks, protect your users, and benefit to the fullest from the application of the ChatGPT API. We can help you to monitor your compliance, conduct a DPIA, update your policies or interface to keep you compliant with the GDPR, and much more.
Start by booking a consultation with one of our privacy professionals to talk about the key privacy concerns and challenges you have.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.
Kostiantyn is a Data Protection Specialist at Legal Nodes and holds a certification as an Information Privacy Professional in Europe (CIPP/E). Fuelled by his passion for law and technology, he is committed to the protection of fundamental human rights, including data protection. He adds a musical touch to his repertoire as an enthusiastic jazz pianist in his spare time.