Chatbots and Personal Data: Benefits and Risks

Chatbots and Personal Data: Benefits and Risks

By EmilyGDPR | GDPR in Practice | 28 Nov 2023


Chatbots – the ultimate disruptor?

 

The topic of chatbots and artificial intelligence (AI) has been widely discussed on social media, the Internet, broadcasting platforms, and in traditional print media, particularly in relation to the GDPR principles. Let's begin by defining what a "chatbot" is. The most well-known bot currently is ChatGPT, which is described as a language model developed by OpenAI, a software startup supported by Microsoft. It has the ability to answer questions and generate text based on the information it has been trained on. Essentially, it is an AI program that provides responses to a wide range of questions, simulating a conversation with a highly knowledgeable individual.

You might not be familiar with ChatGPT specifically, but it is highly probable that you have come across content created using it (not including this blog, I assure you—I'm a real person, honest!), with considerations for complying with the GDPR principles.

 

However, categorizing chatbots (Google also has its own version called Bard) as simply the next iteration of conversational search engines would be underestimating their potential to revolutionize various sectors in which humans work. Sectors that are already keeping a watchful eye include law and other professional advisory services, education, journalism, and creative industries that rely on generating text, such as advertising. It may even extend to consultancy work, dare we say!

 

The game-changing unique selling point (USP) of chatbots is their ability to provide prompt, grammatically structured answers on your screen within seconds of submitting your question (although they may use US spelling). These responses are supposedly authoritative summaries drawn from vast datasets and other internet materials that the chatbot has been "trained" on. Consequently, the response can be as long as the user specifies, ranging from a job application letter to a 5,000-word essay. Furthermore, they claim to be accurate to a level that most humans cannot guarantee, particularly if the question is precise, which chatbots tend to appreciate.

 

These features naturally lend themselves to incorporating ChatGPT answers into reports, papers, analyses, and even school assignments and university homework—essentially, a potential haven for copy-and-paste plagiarism. However, OpenAI's terms of use for ChatGPT state that users may not falsely represent output from the service as human-generated, though enforcing this may prove challenging. Nonetheless, rather than delving into the potential copyright implications or the inherent bias found in all machine learning algorithms, this blog will focus on the privacy implications of utilizing this new AI "super tool."

 

By the way, in the name ChatGPT, the GPT acronym stands for "Generative Pretrained Transformer," which might sound like something out of a Philip K. Dick novel.

 

 

 

Data protection benefits

 

Chatbots have the potential to greatly assist both individuals and organizations in understanding the extensive impact of data protection (DP) laws, particularly since the implementation of the GDPR. One area where chatbots can be particularly helpful is in helping users grasp how to apply and adhere to DP laws. A significant portion, perhaps 80 or even 90%, of the value provided by solicitors to their clients lies in their ability to use their knowledge and experience to help formulate precise legal questions that align with the specific circumstances of each case. Once the appropriate question is identified, finding the answer often becomes the easier part. Therefore, when incorporating chatbots like ChatGPT into data protection compliance inquiries, they could prove immensely valuable in summarizing the questions that organizations can pose to their human advisors, such as consultants, in a logical and concise manner. This process would save client organizations time and money that would otherwise be spent clarifying their requirements, allowing the consultancy to provide tailored guidance and advice in response. Clients often find it challenging to know where to begin on their DP compliance journey—the right questions to ask in order to understand their needs for advice, documentation, or other resources. Anything that simplifies the process of clients effectively communicating their DP requirements to privacy professionals, thus enhancing their organizations' compliance efforts, is highly beneficial. And if this can be achieved without additional cost to the client (at least for now), it is even more advantageous.

 

Data protection risks

 

Chatbots, such as ChatGPT, are still in their early stages, with ChatGPT being launched in November 2022. However, there are already emerging concerns regarding potential privacy law issues associated with its use. These issues can be broadly categorized into three types of legal risks, all related to the terms of use agreement between the developer, OpenAI, and the user.

 

The first risk pertains to the training of the ChatGPT algorithm using large datasets, including text sourced from the internet. These datasets may contain personal data, including sensitive or "special category" information. The GDPR (including the UK GDPR) requires organizations that process personal data to have a lawful basis for doing so. While ChatGPT lacks the ability to verify the legality of processing personal data within its training data, OpenAI's terms of use place the responsibility on the user to ensure they have the right and lawful basis to process any included personal data. However, this overlooks the likelihood that OpenAI, in training ChatGPT, acts as a data controller for personal data in the training datasets. This means that OpenAI needs its own lawful basis for such processing, independent of the user's basis. Failing to address this could be costly for OpenAI, as demonstrated by the heavy fines imposed on another AI company, Clearview, by the UK's Information Commissioner's Office (ICO) and other regulators for harvesting personal data without a proper legal basis. The ICO has also indicated that personal data processing by AI organizations will remain a key enforcement focus in the future.

 

The second risk arises when users input personal data into ChatGPT, such as within their questions. According to ChatGPT's terms of use, the user is considered the controller of that data and is responsible for fulfilling all obligations of a data controller, including providing privacy notices to data subjects, adhering to the GDPR's data processing principles, and demonstrating accountability and implementing data protection measures. Additionally, unless explicitly opting out, users "agree and instruct" OpenAI to utilize the input data and output provided by ChatGPT to improve their services. This places the burden on the user (as the controller of the data) to ensure that the transfer and use of personal data in the inputs and outputs by OpenAI comply with data protection laws, unless they opt out of such usage. One way to mitigate this risk is for users to avoid including any personal data in their questions to the chatbot, for example, by anonymizing the input data. Interestingly, it has been reported that Microsoft has advised its employees not to submit questions containing sensitive personal data to ChatGPT.

 

The third risk relates to data protection laws requiring organizations to enter into a data processing agreement (DPA) or data processing addendum when using a third-party supplier to process personal data on their behalf. Such an agreement must contain specific mandatory provisions. ChatGPT's terms do require users acting as data controllers to enter into its standard data processing addendum when using the chatbot as a data processor. However, this agreement does not take effect automatically, and users must opt in to the DPA. Many users acting as data controllers may be unaware of this requirement and, by using ChatGPT, may inadvertently enter into unlawful controller-processor relationships.

 

Heavily qualified liability

 

The terms of use for ChatGPT aim to limit OpenAI's liability to the maximum extent reasonably possible. Users are required to indemnify OpenAI for any damages claims arising from their use of the tool, even if such use is not negligent. Additionally, ChatGPT is provided on an "as is" basis, meaning there is no warranty that the output will be accurate or suitable for the user's specific purpose. These disclaimers are broader and more extensive than what is typically found in commercial contracts, and most businesses would not willingly accept such terms in their regular course of trading. It is important to note that OpenAI currently offers ChatGPT at no monetary cost to users who subscribe to MS's ChatGPT-enabled browser, Bing. Therefore, significant exclusions of liability should not come as a surprise.

 

Even with the limited liability that OpenAI does accept, it is capped at the greater of $100 or the amount paid for the service in the previous twelve months, which is a very low limit.

Therefore, if a commercial organization intends to incorporate ChatGPT into its business model, it must be aware of the significant limitations on its ability to seek recourse against OpenAI in the event that any of the mentioned data protection risks materialize. Breach of privacy claims typically result in damages well exceeding $100.

 

Proceed with care?

 

In late March 2023, it was reported that the Italian privacy regulator, the Garante, had issued an enforcement notice to Open AI, the creator of ChatGPT, instructing the company to stop using personal data of Italian individuals in training the tool and generating output answers. The reason behind this action is the lack of sufficient legal bases for Open AI to collect and process such data, as well as the absence of effective age verification in the model. The feasibility of Open AI complying with this ban in the long term remains uncertain. It poses a challenge for Open AI to identify and remove data specifically related to Italian individuals from its vast training materials, which encompass a significant portion of the internet. Open AI responded by temporarily disabling ChatGPT for users in Italy as per the request of the data protection authority, while the Garante's investigation is ongoing.

 

In contrast to Italy, the UK Government and the Information Commissioner's Office (ICO) currently have no immediate plans to take a similar approach. This has drawn criticism from privacy experts who perceive the UK as being negligent in regulating the potential risks associated with large language models like ChatGPT. They unfavorably compare the UK's position to the more proactive approaches taken by lawmakers and regulators in the US and EU, with the latter having a draft AI Act in progress, which is the first of its kind globally. Data protection challenges, along with intellectual property issues and ethical risks, such as machine learning bias, dissemination of deliberate misinformation for fraudulent and propaganda purposes, and the ability to generate highly convincing fake photos indistinguishable from real ones, are among the prominent threats posed by this groundbreaking technology.

 

It should be noted that this article has only provided a high-level overview of the potential legal consequences related to data protection risks associated with ChatGPT. Additionally, the risks of intellectual property infringement resulting from the use of ChatGPT are equally significant, if not more so. Therefore, a cautious approach for many organizations may be to adopt a "wait and see" stance until the legal landscape concerning copyright and data protection exposure becomes clearer. Given that the use of these tools is still in its early stages, many organizations are advising their employees to refrain from using chatbots for work purposes, particularly avoiding incorporating their outputs into commissioned work paid for by clients. In fact, reports suggest that two major US organizations, JP Morgan bank and Verizon mobile phone network, have recently implemented outright bans on their staff using ChatGPT in the workplace.

 

Ultimately, people, whether they are teachers, university tutors, law firm clients, consumers of news, or consultancy customers, desire to witness the creativity of individual human beings. They value bespoke original content expressed through the irreplaceable lens of human experience, written with emotion and a sense of empathy towards fellow human beings (and perhaps with some appropriate humor as well – have you ever come across a joke written by ChatGPT?), all while considering the guidance of GDPR consultants. What they do not wish to encounter is the generic output of a machine, regardless of its factual accuracy and comprehensiveness. They are perfectly capable of generating such content themselves.

How do you rate this article?

2


EmilyGDPR
EmilyGDPR

I'm a longstanding GDPR/data protection/privacy specialist with huge experience of both in-house and private practice, gained working across a range of sectors including hi-tech science, media, publishing, higher education and IT.


GDPR in Practice
GDPR in Practice

I'm a longstanding GDPR/data protection/privacy specialist with huge experience of both in-house and private practice, gained working across a range of sectors including hi-tech science, media, publishing, higher education and IT. Here I'm sharing my thoughts on GDPR.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.