Hallucinations

ChatGPT’s hallucinations draw EU privacy complaint

Activist demands regulators launch probe over ChatGPT’s wild guess on his date of birth.

BY MATHIEU POLLET

ChatGPT's "hallucinating" and making up of information breaches European Union privacy rules, according to a complaint filed by privacy group noyb to the Austrian data protection authority.

Noyb, a Vienna-based non-profit founded by activist Max Schrems, said its complaint was triggered by ChatGPT's failure to supply Schrems' correct birthday, making a wild guess instead. The chatbot doesn't tell users that it doesn't have the correct data to answer a request.

A person's date of birth is personal data under the GDPR which sets various requirements for how personal data should be handled.

Noyb claims that the chatbot's behavior violates the General Data Protection Regulation (GDPR) on privacy, the accuracy of information as well as the right to correct inaccurate information. It also argues that the AI firm refused to correct or delete wrong answers, and won't disclose any information about the data processed, its sources or recipients.

"It’s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals," said Maartje de Graaf, noyb's data protection lawyer.

"If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around," she said.

The New York Times previously reported that "chatbots invent information at least 3 percent of the time — and as high as 27 percent."

POLITICO also asked ChatGPT about Schrems' birthday and came up with three different answers: June 24, September 17 and October 17.

Schrems’ birthday is actually on October 1, noyb told POLITICO.

Noyb is now asking the Austrian authority to investigate OpenAI to check on the accuracy of the personal data it handles to fuel its large language models. They also ask the authority to ensure that the company complies with the complainant's request to access their own personal data.

The privacy group also calls for an "effective, proportionate, dissuasive, administrative fine."

"For now, OpenAI seems to not even pretend that it can comply with the EU’s GDPR," it said.

Violating the EU’s GDPR can lead to a penalty of up to 4 percent of a company’s global revenue.

Noyb said any regulatory investigation would likely be handled "via EU cooperation." OpenAI's EU base is in Ireland and Irish privacy regulators may be its primary supervisor.

The Austrian authority confirmed it received the complaint and said it will assess whether it needs to be forwarded to another national authority.

OpenAI wasn't immediately available to comment.

The AI pioneer is facing heat from other European regulators. Italy's data protection authority temporarily banned ChatGPT last year from operating in the country over the alleged breach of EU rules for handling personal data.

The European Data Protection Board (EDPB), which gathers the national privacy regulators, later set up a task force on ChatGPT to coordinate national efforts.