BEERG Newsletter - AI: EU privacy regulators target Chatbot/AI

Derek Mooney writes: At their meeting last week, Europe’s data protection authorities (EDPB) collectively agreed to set up a dedicated task force on ChatGPT, a move which Reuters called “a potentially important first step toward a common policy on setting privacy rules on artificial intelligence.”  In a statement* issued afterwards, the EU’s Data Protection Board (EDPB) said: 

The EDPB members discussed the recent enforcement action undertaken by the Italian data protection authority against Open AI about the Chat GPT service. The EDPB decided to launch a dedicated task force to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities.

As Politico commented in an article entitled: “ChatGPT is entering a world of regulatory pain in Europe”: 

OpenAI, the organization that created ChatGPT, is walking with a target on its back: It has not set up a local headquarters in one of the European Union’s 27 countries, which means any member country's data protection authority can launch new investigations and enforce bans. 

In a separate, but related development, members of European Parliament’s civil liberties committee (LIBE) voted against a draft of the latest EU-U.S. deal on personal data transfers. According to the committee chair, Fernando López Aguilar MEP, while the proposed EU-U.S. Data Privacy Framework is an improvement, MEPs feel it is still not good enough to justify an adequacy decision. The matter will go to a full plenary vote, however the EU Parliament just has a consultative/ scrutiny role with the Commission and Council (member state governments) finally deciding whether to adopt an adequacy decision.

Looking further afield, we are happy to share this most comprehensive, but succinct, analysis of the data protection situation across the African Union. Written by the Kenya based data policy analyst Mercy King’ori, it is entitled: The African Union’s Data Policy Framework: Context, Key Takeaways, And Implications For Data Protection On The Continent and appears on the Future of Privacy forum 

* N.B. The EDPB statement also recorded that they had agreed the Irish data protection commission would make an order deciding the legality of Meta’s US data transfers for Facebook within a month. Though the EDPB statement didn’t specify the decision itself, just the timeframe, Helen Dixon of the Irish DPC said other regulators didn’t dispute her order to ban the data transfer mechanism (for more, see Reuters).