OpenAI worked in the last few weeks to address rising concerns about its AI technology within the European Union. Focused on privacy issues, particularly under scrutiny in Italy and Poland, the company strategically adjusted its terms and Privacy Policy, aiming to navigate the complexities of the General Data Protection Regulation (GDPR).
The Dublin Solution Emerges
In a consequential email dispatched on December 28, OpenAI unveiled a crucial update to its terms. This alteration signified a pivotal shift, with the responsibility for services like ChatGPT for residents of the European Economic Area (EEA) and Switzerland now resting with OpenAI Ireland Limited. Situated in Dublin, this subsidiary would serve as the data controller for users in these regions.
Simultaneously, OpenAI meticulously updated its Privacy Policy for Europe. The revision explicitly outlined OpenAI Ireland Limited’s role as the data controller for personal data processing in the EEA and Switzerland. These alterations, outlined in detailed legal terms, were scheduled to come into effect on February 15, 2024.
Privacy Policy Precision
This strategic move aligned with the General Data Protection Regulation’s (GDPR) intricate one-stop-shop (OSS) mechanism. The OSS enables companies to streamline privacy oversight under a lead data supervisory authority in an EU Member State where they are considered “main established.” This intricate mechanism provides a balance between centralization and local regulatory intervention.
Active Engagement with Irish Authorities Beyond legal paperwork, OpenAI embarked on active engagement with the Irish Data Protection Commission (DPC) and other EU data protection authorities. The goal was clear – securing the coveted main establishment status for its Dublin-based entity under the GDPR’s OSS mechanism.
Dublin Office Dynamics
Since its inauguration in September, OpenAI’s Dublin office has been steadily growing its local team, hiring staff in policy, legal, privacy, and back-office roles. The company’s efforts to obtain main establishment status will likely hinge on its local hiring strategy and the influence it can exert over decision-making.
Obtaining main establishment status in Ireland would place OpenAI alongside major tech companies like Apple, Google, Meta, TikTok, and X, who have also chosen Dublin as their EU home.
GDPR Probes and Privacy Concerns
OpenAI’s GDPR status is crucial as it navigates ongoing privacy investigations in Italy and Poland. The probes focus on ChatGPT’s impact on privacy, including data processing concerns and the generation of individual data.
Legal Basis Update and Public Interest Argument OpenAI’s updated privacy policy introduces a nuanced legal basis, emphasizing the “legitimate interests” for AI model training as necessary not only for the company but also for broader societal interests. This move may signal OpenAI’s intent to defend its data practices by making a public interest argument alongside commercial interests.
Dublin’s Potential Influence
If the DPC becomes the lead supervisor for OpenAI, it could significantly influence the direction of GDPR enforcement on AI technologies in the EU, slowing down potential regulatory actions.
Already, last April in the wake of the Italian intervention on ChatGPT, the DPC’s current commissioner, Helen Dixon, warned against privacy watchdogs rushing to ban the tech over data concerns — saying regulators should take time to figure out how to enforce the bloc’s data protection law on AIs.
DELTA Data Protection & Compliance Academy & Consulting – info@delta-compliance.com
