Microsoft-backed OpenAI is being targeted by a privacy complaint in Austria.

NOYB, the European Center for Digital Rights based in Vienna, has accused the company of not fixing incorrect information provided by its ChatGPT generative AI program in violation of EU privacy laws.

The organisation said that the complaint came from a public figure who had repeatedly been provided incorrect information on their personal information. When the figure asked ChatGPT what their birthday was, the chatbot repeatedly gave the wrong date instead of saying it had incorrect information.

NOYB described this as ‘unacceptable’, stating that EU law has required personal data to be accurate for almost 30 years and that individuals have a right to rectification under Article 16 GDPR if data is inaccurate, and can request that false information is deleted

The firm also said that OpenAI refused a request to rectify or erase the data, and that the request to correct data was impossible. NOYB also said that it failed to disclose information about the data processed, its sources or recipients.

NOYB has now filed an official complaint with the Austrian data protection authority (DSB), asking it to investigate OpenAI’s data processing and the measures taken to ensure the accuracy of personal data processed in the context of the company’s large language models

The organisation also asked the DSB order OpenAI to comply with the complainant’s access request and to bring its processing in line with the GDPR and to impose a fine to ensure future compliance.

Maartje de Graaf, data protection lawyer at NOYB, said: “Making up false information is quite problematic in itself. But when it comes to false information about individuals, there can be serious consequences. It’s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals. If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around.

“The obligation to comply with access requests applies to all companies. It is clearly possible to keep records of training data that was used at least have an idea about the sources of information. It seems that with each ‘innovation’, another group of companies thinks that its products don’t have to comply with the law.”

---