In an effort to align with the European Union’s data privacy regulations, OpenAI, the creator of ChatGPT, recently updated its terms of service. This change came during the holiday season and seems strategically aimed at reducing the regulatory risks the AI company faces in the EU.
The company’s technology, particularly ChatGPT, has been under scrutiny in Europe for potential privacy issues. This scrutiny has led to investigations by data protection authorities in countries like Italy and Poland, focusing on how ChatGPT processes personal information. Italy’s intervention even led to a temporary suspension of ChatGPT until OpenAI revised the user information and control mechanisms.
In a significant move, OpenAI announced that its services in the European Economic Area (EEA) and Switzerland, including ChatGPT, would now be provided by OpenAI Ireland Limited. This change, communicated in an email to users on December 28, indicates a shift in data control responsibilities to the Dublin-based entity, effective from February 15, 2024.
OpenAI’s updated privacy policy for Europe now identifies OpenAI Ireland Limited as the controller responsible for processing personal data as described in the policy. This modification aligns with the General Data Protection Regulation (GDPR) in the EU and aims to streamline privacy oversight under a single lead data supervisory authority in an EU Member State.
This strategic relocation to Ireland could potentially centralize privacy oversight to the Irish Data Protection Commission (DPC), making it the primary regulatory body for OpenAI’s GDPR compliance. This change would follow the trend of other tech giants like Apple, Google, Meta, and TikTok, who have also established their EU bases in Dublin.
The DPC confirmed that OpenAI has engaged with them and other EU data protection authorities regarding this matter. As part of its expansion, OpenAI opened a Dublin office in September, primarily hiring for policy, legal, privacy, and back-office roles.
However, to achieve the main establishment status under the GDPR, OpenAI needs to demonstrate that its Dublin entity has substantive decision-making authority over data processing. This involves having appropriate expertise and legal structures in place.
The recent update also includes details on the legal bases claimed by OpenAI for processing personal data, suggesting a shift towards framing its activities as necessary for broader societal interests, in addition to its own commercial interests.
Any ongoing GDPR investigations into ChatGPT, like those in Italy and Poland, might still influence OpenAI’s operations in Europe. However, OpenAI’s establishment in Ireland and potential lead supervision by the DPC could affect the pace and direction of GDPR enforcement on its technology.
The DPC’s current commissioner, Helen Dixon, has previously advised caution in rushing to ban AI technologies over data concerns, suggesting a more deliberate approach to enforcing data protection laws on AI systems.
For UK users, OpenAI specifies that they fall under the jurisdiction of its US-based corporate entity in Delaware, as the EU’s GDPR no longer applies in the UK post-Brexit. However, the UK’s data protection regulations, historically based on the European framework, are undergoing changes with the new ‘data reform’ bill.
