Today's Esquire
    Will OpenAI’s Massive GDPR Breach Irrevocably Damage the Brand?

    April 3, 2023 Technology 7 Mins Read

    First appeared in Down With Tyranny

    By Aron Solomon

    OpenAI, the parent company of ChatGPT and GPT-4, has racked up nothing but wins.

    Until last week, that is:

    While “feeling awful” is an appropriate sentiment here, it doesn’t negate the fact that this breach violated many data protection laws, including the global queen of them all, the General Data Protection Regulation (GDPR).

    I’m very familiar with the GDPR, having lived in Germany during the period of its final adoption and its implementation, and having advised large legal and technology companies that would ultimately be firmly on regulators’ radar if they violated any part of it.

    The GDPR is a regulation of the European Union (EU) that came into effect on May 25, 2018. The purpose of the GDPR is to strengthen data protection for EU residents by regulating how organizations collect, process, store, and share personal data. The GDPR applies to all organizations that process personal data of EU residents, regardless of where the organization is located. So, yes, it absolutely applies to OpenAI today and will in the future.

    The GDPR replaces the previous Data Protection Directive 95/46/EC and provides a comprehensive set of rules for data protection. It introduces several new rights for individuals and new obligations for organizations, including:

    Consent: The GDPR requires organizations to obtain explicit and informed consent from individuals before collecting or processing their personal data. Consent must be freely given, specific, informed, and unambiguous.

    Data subject rights: The GDPR gives individuals several new rights, including the right to access their personal data, the right to have their data erased, the right to object to processing, and the right to data portability.

    Data protection officers: Organizations that process large amounts of personal data or sensitive personal data must appoint a Data Protection Officer (DPO) to oversee compliance with the GDPR.

    Data breaches: Organizations must report data breaches to the supervisory authority within 72 hours of becoming aware of the breach. They must also inform affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

    Accountability: Organizations must demonstrate compliance with the GDPR and be able to provide evidence of their compliance upon request.

    Penalties: The GDPR introduces significant penalties for non-compliance, with fines of up to 4% of an organization’s global annual revenue or €20 million, whichever is greater.

    Overall, the GDPR aims to give individuals more control over their personal data and to ensure that organizations are transparent and accountable in their data processing activities. The regulation has had a significant impact on organizations around the world, and compliance with the GDPR is essential (read: “not in any way optional”) for any organization that processes personal data of EU residents.

    So I decided to go right to the source and ask ChatGPT whether what its Medici, OpenAI, allowed to happen was a GDPR violation:

    Yes, it would be a GDPR violation if a website accidentally allowed users to see the chat history of other users.

    Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. This includes data such as names, addresses, email addresses, and in this case, chat history.

    The website is considered a data controller under the GDPR, meaning they have a legal obligation to protect personal data and ensure it is processed lawfully, fairly, and transparently. If the website accidentally allowed users to see the chat history of other users, this would be a breach of the GDPR’s principle of confidentiality, which requires data controllers to ensure that personal data is not disclosed to unauthorized third parties.

    The GDPR also requires data controllers to take appropriate technical and organizational measures to ensure the security of personal data, which includes measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. If the website failed to implement adequate security measures to protect the chat history of users, this would be a violation of the GDPR’s principle of integrity and confidentiality.

    The GDPR imposes significant penalties for non-compliance, including fines of up to 4% of an organization’s global annual revenue or €20 million, whichever is greater. Therefore, it is important for websites and other organizations to ensure they have appropriate security measures in place to protect personal data, and to respond quickly and effectively in the event of a data breach or unauthorized disclosure.

    I then pressed and asked:

    If the company that owned and ran the website that allowed users to see the chat history of other users didn’t have a quality control team, this may not be a direct violation of the GDPR. However, it would still be considered a failure to implement appropriate technical and organizational measures to protect personal data, which is a requirement of the GDPR.

    Under the GDPR, data controllers must implement appropriate technical and organizational measures to ensure the security of personal data. This includes measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures should be appropriate to the nature, scope, context, and purposes of the processing, and should take into account the state of the art, the costs of implementation, and the risks presented by the processing.

    While having a quality control team is not specifically required by the GDPR, it is one way that a company could implement appropriate technical and organizational measures to ensure the security of personal data. A quality control team could help to identify and address potential security vulnerabilities, such as those that could lead to the accidental disclosure of chat history.

    Therefore, if the company did not have a quality control team or any other appropriate measures in place to ensure the security of personal data, this would be a violation of the GDPR’s principle of integrity and confidentiality. The company could be subject to significant fines and other penalties for non-compliance with the GDPR.

    Keep in mind the delicious irony here that ChatGPT’s historical disclaimer is that it doesn’t yet know anything about world events after 2021.

    For example, the query:

    …gets you this, which shows ChatGPT’s chronological limitations and propensity to spit bad facts, as Kansas City won Super Bowl LVII last month:

    Super Bowl LVII has not yet been played as of my knowledge cutoff date of September 2021. It is scheduled to take place on February 4, 2024, so we will have to wait until then to find out who the winner will be.

    Bad facts aside, ChatGPT’s unintentional self-analysis of OpenAI was right on.

    As Attorney Krenar Camili observed:

    “A significant data breach not only violates the laws of the jurisdiction where the user resides, it places the company under an uncomfortable legal spotlight if they don’t take remedial measures and actually fix the problem.”

    We’ll give the final words to ChatGPT to take it from there:

    Data breaches can have a significant impact on the trust of a new technology company, as they can cause customers and stakeholders to question the company’s ability to safeguard their personal information and data.

    Data breaches can damage a company’s reputation, particularly if they are widely publicized. Customers may lose faith in the company’s ability to protect their data and may become reluctant to do business with them in the future. This loss of trust can have a significant impact on the company’s bottom line, as well as on its ability to attract and retain new customers.

    About Aron Solomon

    A Pulitzer Prize-nominated writer, Aron Solomon, JD, is the Chief Legal Analyst for Esquire Digital and the Editor-in-Chief for Today’s Esquire. He has taught entrepreneurship at McGill University and the University of Pennsylvania, and was elected to Fastcase 50, recognizing the top 50 legal innovators in the world. Aron has been featured in Forbes, CBS News, CNBC, USA Today, ESPN, TechCrunch, The Hill, BuzzFeed, Fortune, Venture Beat, The Independent, Fortune China, Yahoo!, ABA Journal, Law.com, The Boston Globe, YouTube, NewsBreak, and many other leading publications.


    A Pulitzer Prize-nominated writer, Aron Solomon, JD, is the Chief Strategy Officer for AMPLIFY. He has taught entrepreneurship at McGill University and the University of Pennsylvania, and was elected to Fastcase 50, recognizing the top 50 legal innovators in the world. Aron has been featured in Newsweek, The Hill, Fast Company, Fortune, Forbes, CBS News, CNBC, USA Today, ESPN, TechCrunch, BuzzFeed, Venture Beat, The Independent, Fortune China, Abogados, Today’s Esquire, Yahoo!, ABA Journal, Law.com, The Boston Globe, and many other leading publications across the globe. 
