The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️

A deep dive into generative AI and privacy

As we’ve covered in this newsletter already, tech leaders like Elon Musk and Steve Wozniak signed an open letter advocating for a halt in AI development, citing the need for establishing shared safety protocols and robust governance systems. This sentiment stems from the fact that AI technologies, such as OpenAI's ChatGPT, are facing regulatory challenges with regard to data privacy.

A recent example is Italy's data protection authority ordering OpenAI to cease processing locals' data due to potential GDPR breaches. OpenAI responded by geoblocking ChatGPT for Italian IP addresses but maintains that it complies with all privacy laws. The Italian regulator issued a list of tasks for OpenAI to complete, which included transparency about data processing, age gating and verification technology, and methods for Europeans to request corrections or data deletion.

For data privacy professionals, the unique challenges that generative AI models like ChatGPT face in ensuring GDPR compliance are noteworthy. AI developers must be transparent about their data processing practices, facilitate user data access rights, and address age-related concerns to create a safer digital environment for all.

The GDPR also raises concerns about Large Language Models (LLMs) making solely automated decisions that significantly impact individuals. If true, individuals would have the right to understand the logic behind these decisions and even request human review. Data protection authorities can scrutinize these safeguards, leading to the need for increased transparency and opportunities for individuals to contest automated processes.

The European Data Protection Board (EDPB) is poised to play a crucial role in shaping regulatory approaches to generative AI. Spain's data protection regulator has requested the inclusion of ChatGPT in the next plenary meeting to implement harmonized actions within the GDPR framework. A task force has been formed to support regulators on possible enforcements.

The EU's AI Act, which aims to regulate high-risk AI systems, may indirectly apply to generative AI tools via the Digital Services Act (DSA) and Digital Markets Act (DMA). For example, the DSA might require large online platforms to assess risks associated with algorithmic systems, including LLMs.

As the global landscape for AI regulation evolves, data privacy professionals must stay informed and adapt to new frameworks. The EU's risk-based approach to AI may set the standard for other regions, such as the United States, the United Kingdom, and India, which are all in varying stages of AI regulatory development. The United States is in the early stages of considering an accountability mechanism for "trustworthy AI", while the United Kingdom and India are moving towards lighter regulatory approaches.

Another critical aspect of AI regulation is the ongoing debate surrounding copyright disputes, as AI developers use content without licensing it for training purposes. Examples include class action suits against Microsoft, GitHub, OpenAI, Midjourney, and Stability AI. There are questions about how existing copyright law applies to these new tools that also support human creativity and productivity. Dr. Hayleigh Bosher, a senior lecturer in IP law, argues that copyright law needs updating to clarify its application in the era of generative AI.

The Writers Guild of America recently issued a draft set of rules seeking assurances from major movie studios that AI-generated text can't be covered by IP. This ongoing debate will determine whether artists and writers gain more protection for their labor compared to software engineers, who may have more demand for automation to scale productivity.

Looks like AI really will be the next privacy battleground.

Other data privacy news

Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen

Open source media player software provider Kodi has confirmed a data breach after threat actors stole the company's MyBB forum database containing user data and private messages.

Coles confirms its customers impacted by Latitude Financial data breach

Supermarket giant says it is disappointed after being informed that historical customer credit card details have been stolen by hackers

Hyundai data breach exposes owner details in France and Italy

Hyundai has disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data.

Spain opens an investigation into OpenAI's ChatGPT over a potential data breach

Spain announced on Thursday the opening of an investigation into ChatGPT, a chatbot driven by artificial intelligence (AI), on the same day that the European Union launched a working group to promote European cooperation on the subject.

Data protection authority criticises States department

An authority that regulates how personal information is handled has criticised a government department.

Post of the week