
OpenAI given ‘to-do list’ by Italian data watchdog

2023-04-15


Italy’s data protection authority, Garante, has given OpenAI a “to-do list” of tasks it must complete by 30 April to be compliant with GDPR in the country. This includes publishing information on the logic of data processing required to make ChatGPT work, ensuring users are over the age of 18, and creating tools through which non-users can object to the processing of their personal data. It comes the same week the Biden Administration in the US announced plans for general AI regulations.

OpenAI was forced to block ChatGPT in Italy after the data watchdog issued a GDPR breach notice (Photo: Ascannio / Shutterstock.com)



Garante first took action to block ChatGPT in Italy at the end of last month after issuing an order against OpenAI, suspecting the chatbot of being in breach of the EU’s GDPR legislation. It barred the company from processing local data. It was seen by some experts as a “test case” that could be followed by other data regulators throughout the EU.

Sam Altman, OpenAI CEO, tweeted at the time that it would cease offering the service in Italy but added that “I think we are following all privacy laws”. OpenAI placed a geoblocking exclusion on Italian IP addresses and stopped offering its Plus subscription. OpenAI has since published its “safety measures” in training the tool.

                                                                                                                                                                                                                       




To comply with the order, which could be mirrored across the EU and lead to extensive fines against OpenAI’s global turnover for failing to comply, the company will have to become very open about its data collection and processing practices.


“OpenAI will have to draft and make available, on its website, an information notice describing the arrangements and logic of the data processing required for the operation of ChatGPT along with the rights afforded to data subjects (users and non-users),” the regulator declared. “The information notice will have to be easily accessible and placed in such a way as to be read before signing up for the service.”

As well as being shown this notice when signing up for the first time, users will have to be presented with it at the time of accessing the service once it is reactivated.

There will also need to be age-gating technology deployed to ensure no Italian users are under the age of 18, or at least have parental consent if aged 13 to 18. This will first be done with a notice asking users to declare their age before accessing the service, but the system will also have to filter out any users already signed up who are under the age of 13, or who are between the ages of 13 and 18 but with no parental authority. OpenAI has until 31 May to submit a plan for implementing such a system and must have it in place by the end of September.

The wider legal basis

The bigger issue comes from the legal basis OpenAI has for processing user data in terms of training the models that are used to run ChatGPT, namely GPT-3 and GPT-4. These are made up of trillions of pieces of data from sources such as Wikipedia and book repositories, but also from internet scraping. The final aspect could see personal information caught up in the data set and potentially exposed during a “conversation” with the AI.



“Regarding the legal basis of the processing of users’ data for training algorithms, the Italian SA ordered OpenAI to remove all references to contractual performance and to rely – in line with the accountability principle – on either consent or legitimate interest as the applicable legal basis,” the regulator said. “This will be without prejudice to the exercise of the SA’s investigatory and enforcement powers in this respect.”





OpenAI will also have to enable a mechanism where users and non-users whose data is inside the system, either through the training data or stored by OpenAI, can have that information corrected if it is shown to be wrong, or have it erased completely. “OpenAI will have to make available easily accessible tools to allow non-users to exercise their right to object to the processing of their personal data as relied upon for the operation of the algorithm,” the watchdog declared.




We of course defer to the Italian government and have ceased offering ChatGPT in Italy (though we think we are following all privacy laws). Italy is one of my favorite countries and I look forward to visiting again soon!




Even if OpenAI is able to comply with the entire checklist it doesn’t mean they are “off the hook”. It is simply what is required to be allowed to process Italian user data and reactivate the service. Garante says it is continuing its investigation “to establish possible infringements of the legislation” which could lead to fines or further action or additional measures.

Claire Tratchet, cybersecurity expert and CFO of bug bounty program YesWeHack, told Tech Monitor there is a global debate around regulation of generative AI that swings between stimulating innovation and mitigating privacy concerns. “Because of this, we’re seeing various countries approach the situation differently,” she said. “For instance, Italy has prioritised the latter, they are so focused on safeguarding that they have implemented an entire ban on ChatGPT.

“Whereas the US are introducing various forms of legislation and regulation. And then the UK has introduced a framework which has been regarded as ‘light touch’ compared to other countries, with the hope that this increases investment in the sector at a time when the economy needs it. While all these views are reasonable in their own way, realistic regulation cannot be made overnight.”

She said CEOs and governments need to ensure safeguarding principles are in place before deploying the technology. “The biggest risk of generative AI is that it is so fast-paced, that it becomes so difficult to keep up with the innovation. This is why implementing some form of risk management and security in a coordinated manner is so important. Both the government and the CEOs of AI companies need to track the safeguarding of AI to ensure that users do not run into problems with the software.”


