Italy's watchdog clashes with ChatGPT, Google's Bard raises eyebrows & UK's ICO wields AI to hunt rogue cookies

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

• OpenAI faces further trouble with the Italian regulator over ChatGPT’s GDPR compliance.
• Google’s plans to scan Android messages via its Bard AI model raise privacy concerns.
• The UK’s ICO plans to use AI to scan for non-compliant cookie banners.
• What we’re reading: Recommended privacy content for the week.

Italian Regulators Says ChatGPT ‘Breaches GDPR’ (Again)

The Italian Data Protection Authority (DPA) (known as the “Garante) has accused OpenAI of violating the GDPR via the generative AI platform ChatGPT.

• The Garante ordered OpenAI to stop processing personal data about people in Italy last March after a reported data breach provoked a wider investigation into ChaGPT.
• Following the investigation, OpenAI temporarily stopped offering its services in Italy as it worked to comply with the Garante’s emergency order.?
• The company resumed its Italian operations one month later, promising to address certain issues around age verification and transparency later.
• The Garante does not state which elements of OpenAI’s GDPR compliance have led the regulator to reopen its investigation. OpenAI has 30 days to respond to the Garante’s allegations.

-> What’s the backstory of this enforcement action?

Here’s a timeline of the issues between OpenAI and the Garante:

• March 30, 2023: The Garante issues an emergency order to stop OpenAI from processing personal data about people in Italy via ChatGPT. The regulator gives OpenAI 20 days to meet a set of GDPR compliance requirements.
• March 31, 2023: OpenAI CEO Sam Altman says he “defers to the Italian government” (note: the Garante is not the government) and has therefore “ceased offering ChatGPT in Italy.
• April 12, 2023: With a week to go until the deadline, the Garante gives OpenAI a further 18 days to comply with the emergency order.
• April 28, 2023: OpenAI presents a list of GDPR compliance changes, and the Garante lifts the temporary ban on ChatGPT’s processing activities.
• January 29, 2024: The Garante states that OpenAI appears to be violating the GDPR and gives OpenAI 30 days to respond.

-> What were the initial alleged GDPR violations?

Last March, the Garante ordered OpenAI to do the following things (among others):

• Publish a new privacy notice explaining the “logic involved” in ChatGPT and the data protection rights of both users and non-users.
• Find a new “legal basis” for processing personal data—either consent or legitimate interests.
• Allow people to submit rectification, erase, and objection requests.
• Stop children under 13 from using ChatGPT and eventually filter out child users who are either under 13, or who are aged between 13 and 18 but have not obtained parental consent.
• Conduct a media awareness-raising campaign to educate people about AI training and personal data.

-> So did OpenAI do all those things?

The Garante lifted its ban after OpenAI satisfied most of those conditions.?

But some unanswered questions remained regarding age verification, the erasure of data in training sets, and the awareness-raising campaign that OpenAI promised to conduct.

The Garante has not stated which GDPR violations OpenAI is alleged to have committed this time around, but it is likely to be in one of these unresolved areas.

Google’s Bard Will ‘Read and Analyze’ Android Users’ Messages

Google has announced plans to introduce a “conversational AI” based on its Bard model into Android phones, raising concerns about the privacy of users’ communications.

• Google will integrate Bard directly into its Messages app on Android devices to provide prompts when composing messages.
• According to Forbes, Bard will “read and analyze your private message history”, possibly with the consent of the user.
• Privacy campaigner Alexender Hanff alleges that the plans would violate the ePrivacy Directive, which protects people across the European Economic Area (EEA) and the UK from “interception or surveillance of communications”.

-> Why is Google planning to do this?

Google wants more people to use its Messages app. Android users might be familiar with the company’s insistence on making Messages the default messaging app on Android phones.

The company is also in an AI race against other tech firms, and its Bard chatbot has not yet reached ChatGPT levels of popularity.

Integrating Bard into Messages might be intended to tempt Android users away from Meta-owned WhatsApp—or perhaps even convert a few iPhone users currently loyal to Apple’s iMessage.

-> What’s the privacy issue here?

We don’t yet have the full details of how Bard’s integration into Android will work, but there are arguably some privacy red flags—even if the feature is optional.

Forbes reports (after apparently having “asked” Bard directly) that the bot “may ask to analyze your messages” in order to “understand the context of your conversations, your tone, and your interests.”?

Bard may also “analyze your message history with different contacts to understand your relationship dynamics… to personalize responses based on who you're talking to.” On the basis of this analysis, Bard will “tailor its responses to your mood and vibe.”?

-> But if Google gets consent, what’s the problem?

Even if Google gets consent from the Android user, it presumably won’t be obtaining consent from other people with whom the user has been communicating.

In a complaint to the Irish Data Protection Commission (DPC) published on LinkedIn, published by campaigner Alexander Hanff alleges that the plans would violate Article 5(1) of the ePrivacy Directive, which states that EU countries must:

“prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned…”

This provision, or rather the associated rules implemented in national laws, arguably requires Google to obtain consent from everyone involved in a conversation before Bard “reads and analyzes” the contents of the messages.

Google’s European rollout of the Bard chatbot was delayed last June as the company sought to reassure the Irish DPC about its GDPR compliance. These allegations around Bard’s deeper integration into Android could represent another AI roadblock for Google.

UK Regulator Developing ‘AI Solution’ to Detect Cookies Violations

The UK DPA, the Information Commissioner’s Office (ICO), has announced that it is “developing an AI solution to help identify websites using non-compliant cookie banners.”

• The ICO wrote to the owners of 53 of the UK’s 100 most-visited websites in November to request that they bring their cookie banners in line with UK law.
• On Wednesday, the regulator reported that 38 of those 53 website owners had changed their cookie banners. The ICO said it was “already preparing to write to the next 100 (most popular UK websites)—and the 100 after that.”
• The ICO said it was “developing an AI solution to help identify websites using non-compliant cookie banners” and planned to run “a ‘hackathon’ event early in 2024 to explore what this AI solution might look like in practice.”

-> So 38 of the 53 targeted websites complied with the ICO’s cookie letter?

Yes, according to the ICO, just over 70% of the website operators that received its November letter made changes to the cookie banners.

The regulator reports that four further websites have promised to become compliant within a month and that “several others” are “working towards” new advertising models, such as contextual advertising.

The ICO’s letter was not an enforcement action per se but included a warning that non-compliant websites would be “named and shamed” in January.

-> It’s February. Did the ICO publish the names of the non-compliant websites?

No, the ICO has not published the names of the 15 website owners who failed to make the requested changes to their cookie banners.

Nonetheless, the ICO says it will now proceed with contacting the next set of popular UK websites whose cookie banners do not meet the regulator’s interpretation of the law.

-> What about this “AI tool”?

The ICO hasn’t provided any details of the AI tool it is reportedly developing to help sniff off non-compliant cookie banners, nor the “hackathon” it plans to host in the coming months.

We might also see some pushback among website publishers who disagree with the ICO’s relatively strict stance on cookie compliance.

If your website is accessible in the UK, you can read the paper published by the ICO and the Competition and Markets Authority (CMA) last year, which sets out the regulators’ joint position on cookies.

What We’re Reading

• The Shifting Privacy Left Podcast: This week, Debra Farber discussed how to “shift left” from being a practicing attorney to privacy engineer with Jay Averitt from Microsoft.
• The DPO Handbook: Check out this guidance on succeeding as a DPO by Douwe Korff and Marie Georges
• Attorney General Bonta, Assemblymember Wicks, Senator Skinner Introduce Legislation to Protect Youth Online: This press release from the California Attorney General explains some important new bills on kids’ privacy.