Open AI had not notified the authority of a data breach in March 2023 - the company was identified as having processed users' personal data to train ChatGPT without first identifying an appropriate legal basis and therefore violated the principle of transparency and the associated obligation to provide information to users.
Additionally, OpenAI had not provided age verification mechanisms, which could have led to the risk of exposing children under the age of 13 to inappropriate responses.
In order to, first and foremost, ensure effective transparency in the processing of personal data, the authority has ordered OpenAI to carry out a 6-month communication campaign on radio, television, newspapers and the internet. GPDP writes in its press release:
The content, to be agreed with the Authority, should promote public understanding and awareness of the functioning of ChatGPT, in particular on the collection of user and non-user data for the training of generative artificial intelligence and the rights exercised by data subjects, including the rights to object, rectify and delete their data.
Through this communication campaign, users and non-users of ChatGPT need to be made aware of how to oppose generative AI being trained with their personal data and accordingly be able to effectively exercise their rights under the GDPR.
The GPDP imposed a fine of EUR 15 million on OpenAI, which was allegedly calculated taking into account the company's cooperative attitude.
Given that the company established its European headquarters in Ireland during the course of the investigation, the GPDP, in accordance with the so-called one-stop shop mechanism, forwarded the documents to the Irish Data Protection Authority (DPC), which became the lead supervisory authority under the GDPR to continue investigating any ongoing breaches.
