Update: ChatGPT‘s improvements to data protection and the latest progress on the AI Act in EU Parliament

The Italian data protection authority Garante has lifted the block on OpenAI's ChatGPT in Italy. The block had been imposed at the end of March after concerns arose about the lack of transparency in the handling of user data and the insufficient protection of minors (we reported). After intensive negotiations with the developer OpenAI, ChatGPT was re-enabled in Italy at the end of last week "with improved transparency and rights for European users".

One of the conditions of the Italian authority that was met is the more self-determined handling of the data entered into the chatbot. As of late, all users have the option to object to the storage of chats in the chat history and thus to the use of their data for training purposes in the settings. For users in the EU, a form has been made available that enables the objection even without deleting the chats. In addition, an age check for new users in Italy has been provided. The Italian data protection authority welcomed OpenAI's willingness to cooperate, but announced that it would not close the proceedings yet. 

The company is responding to growing data protection concerns with more education and more and more new functions. For example, "ChatGPT Business" is to be introduced in the next few months, which allows an initial opt-out for the use of data for training purposes. This setting, which so far only exists for the OpenAI API, is intended to create additional security for the use of AI in companies. Other providers are also taking the opportunity to launch more privacy-friendly designs of the GPT language model. For example, the developer Private AI enables users to automatically filter out personal data from user prompts with its PrivateGPT tool. Microsoft is also working on a business version of ChatGPT that will run on its own servers, especially for privacy-sensitive industries such as banking or healthcare.

The rapid development of ChatGPT has meanwhile attracted the attention of legislators and regulators across Europe. In particular, recent developments have had a major impact on the European Commission's AI Act.

According to media reports, the responsible negotiators of the EU Parliament agreed on the final points of the draft for the further procedure at the end of last week.

The recently heavily discussed question of whether generative AI (in particular AI systems such as ChatGPT, Midjourney, etc.) should be classified per se as so-called high-risk AI systems (we reported) was answered at the expense of such a blanket classification, according to the reports. Basically, the mechanics of classification as a high-risk AI system seem to have been somewhat defused with an additional "step", so that now possibly AI systems that should automatically be classified as high-risk AI systems as part of the defined categories in Annex 3 of the regulation will only receive this classification if the system also poses a significant risk to health, safety or fundamental rights.

Nevertheless, the discussion around generative AI systems probably led to a "last-minute" addition to the draft. It is reported that another article with increased obligations for the developers of such AI systems will apply. Such AI systems are to be reviewed according to the risks they pose and, if necessary, appropriate countermeasures are to be taken. Certain data quality and cyber security requirements are to be met. In addition, the data used to train the systems must be documented. At this point in time, reporting still differs in part on the very concrete requirements.

If this were actually decided, this would of course not mean that such generative AI would in principle not be classified as a high-risk AI system in the sense of the regulation - it would rather depend on the concrete area of application of the respective system and the above-mentioned classification under Annex 3 in the individual case.

On 11 May, the responsible committee is to take its final vote and it is expected that the final text will be voted on in plenary in mid-June.