[FR] ChatGPT scrutinised by data protection agencies

IRIS 2023-5:1/9

Amélie Blocman


On 13 April, the Commission Nationale de l’Informatique et des Libertés (French data protection authority – CNIL) announced that it had opened a “review procedure” to investigate five complaints concerning the artificial intelligence chatbot ChatGPT, including one lodged by MP Eric Bothorel alleging possible breaches of the General Data Protection Regulation (GDPR). Meanwhile, Jean-Noël Barrot, France’s digital minister, called for a more moderate approach, saying that blocking ChatGPT was not the answer and that it would be better “to regulate innovation to ensure it conforms to the principles we hold dear”.

On the same day, the Spanish Agency for Data Protection (AEPD) announced that it had “opened, on its own initiative, an investigation into the American company OpenAI for a possible breach of the regulations” on data protection.

Italy’s data privacy regulator went a step further, announcing on 12 April that the company risked court action unless it complied with a series of demands by 30 April, including the creation of a mechanism for requesting personal data rectification, an age verification system capable of blocking access to children under 13 and minors without parental consent, a review of the legal basis for processing users’ personal data to feed algorithms, and an indication that the use of personal data was conditional on the user’s consent or a legitimate interest.

At the same time, the European Data Protection Board (EDPB) announced that it had created a task force “to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities”. This decision could be a first step towards a common policy on setting privacy rules on artificial intelligence pending future Europe-wide regulation of AI.


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.