The DPOInsider is back after a short hiatus. We will be covering the latest news and developments in data compliance and privacy every Friday. The DPO's favourite weekly read ☕️

OpenAI's ChatGPT: Navigating the Complex Waters of GDPR

OpenAI, renowned for its pioneering work in the artificial intelligence domain, is currently facing scrutiny over its flagship product, ChatGPT. A complaint lodged with the Polish data protection authority has brought to light potential discrepancies between the operation of ChatGPT and the stringent requirements of the European Union's General Data Protection Regulation (GDPR).

At the heart of the matter are concerns surrounding OpenAI's adherence to key GDPR principles. These include transparency in data processing, ensuring fairness in AI-generated outcomes, establishing a lawful basis for data collection and processing, upholding data access rights, and embedding privacy considerations into the design of the AI system. The overarching sentiment is that while ChatGPT is undeniably a technological marvel, its alignment with European data protection standards may need reevaluation.

One significant point of contention is the consultation—or lack thereof—with European regulatory bodies prior to ChatGPT's deployment in the region. Engaging with regulators in a proactive manner is not just a GDPR recommendation but a vital step in understanding and navigating the complex landscape of data protection in the EU. Such consultations could have offered OpenAI insights into potential pitfalls and areas of concern, ensuring a smoother and more compliant rollout of their product.

Furthermore, the accuracy and rectification of AI-generated data have come under the spotlight. The GDPR is clear about individuals' rights to have their personal data corrected, especially when inaccuracies arise. With instances of ChatGPT producing potentially erroneous biographical data, the need for robust mechanisms to address and rectify such inaccuracies becomes paramount. This is not just about compliance but also about maintaining trust with users who rely on the tool for information.

In addition, the broader implications of this situation cannot be ignored. As AI continues to permeate various sectors and industries, striking the right balance between innovation and privacy becomes increasingly crucial. OpenAI's current challenges serve as a poignant reminder for all AI-driven organizations: while pushing the boundaries of what's possible with technology, it's equally vital to ensure that user privacy and data protection remain at the forefront.

In the coming months, it will be interesting to see how OpenAI addresses these concerns and what measures are put in place to ensure that ChatGPT, and other AI tools, align seamlessly with global data protection standards. For data privacy professionals, this is a case to watch, offering valuable lessons and insights for future AI deployments.

Switzerland's Updated Data Protection Law Set for September 2023 Implementation

Starting September 1, 2023, businesses in Switzerland will need to align with the provisions of the updated Federal Act on Data Protection (FADP). This legislation, enacted in 2020, represents a significant overhaul of the country's initial Federal Data Protection Act from 1992, offering enhanced rights to Swiss residents.

Several pivotal modifications are introduced under the FADP. Notably, it focuses exclusively on the data of individuals, excluding corporate entities. The categorization of sensitive data has been expanded to encompass genetic and biometric information, necessitating explicit consent for its processing. While small and medium-sized enterprises (SMEs) with minimal data processing risks might enjoy certain exemptions, the mandate for maintaining a processing activities log is poised to become a standard for all Swiss firms. The FADP also champions the concepts of 'Privacy by Design' – emphasizing the integration of user privacy safeguards from the inception of product or service development – and 'Privacy by Default', ensuring optimal data security upon product launch. Additionally, any data breaches will now warrant notification to the Federal Data Protection and Information Commissioner.

Drawing parallels with the EU's GDPR, the FADP stipulates that international data transfers are permissible only under conditions of adequate data protection. A pivotal aspect of the FADP is its potential to facilitate uninterrupted data exchanges with the EU, safeguarding the competitive edge for Swiss businesses.

Other data privacy news

Japan’s cyber security agency suffers months-long breach

The organisation responsible for Japan’s national defences against cyber attacks has itself been infiltrated by hackers, who may have gained access to sensitive data for as much as nine months.

Geopolitics looms large on data privacy horizon

GDPR fines skyrocket past $4bn as 71% of countries worldwide adopt data privacy legislation.

X wants to collect biometric data: What about data privacy?

X announced an audio and calling feature shortly after updating its terms of use to include the collection of users' biometric data.

Post of the week