back to article Italy bans ChatGPT for 'unlawful collection of personal data'

Italian privacy enforcers have opened an investigation into OpenAI's ChatGPT for allegedly violating EU and Italian privacy laws by collecting personal data of the country's citizens without "a suitable legal basis." The announcement of the probe came alongside a decree in which the Guarantor for the Protection of Personal …

  1. VoiceOfTruth Silver badge

    Welly welly well

    -> Machin told us in a statement that most users probably haven't stopped to consider the privacy implications of their data being used to train Open AI's software.

    That's probably because those users don't have the brains to think about things like that. What next? Nobody will guess I'm using "password" as my password?

    1. cyberdemon Silver badge
      Big Brother

      Re: Welly welly well

      It's not just the people who are "using" the software whose data have been collected, though. For example if you put your CV on LinkedIn, then ChatGPT will have learned to output similar-looking CVs, which may contain your contact details. If you have a particular "artistic style" in your writing, ChatGPT will have learned to emulate it. If you have ever expressed any political views, ChatGPT will know exactly how to push your buttons. If you have published code to GitHub, perhaps with an attribution, copyleft or even a proprietary license attached, ChatGPT will have used it to output the same functionality without your license attached. Third-parties may even pass your personal data through ChatGPT via its APIs without telling you. Did you realise that the CoPilot plugin for your IDE was actually sending the entire contents of your private software project to Microsoft? Maybe not.

      I miss the days when computers always output the same answer for a given query. Everyone used to get the same set of results for a search on Google. And even when they changed that to take account of cookies/geolocation/etc, you would still get the same results if you input the same query again. But now, every query changes Microsoft or Google's model of you as a person, allowing them to predict and manipulate what you might be thinking.

      1. TheMaskedMan Silver badge

        Re: Welly welly well

        "I miss the days when computers always output the same answer for a given query. Everyone used to get the same set of results for a search on Google."

        Absolutely this. Can't say I agree with all of your other points, but this drives me nuts too. Give me the search results I asked for, not a bodged up version based on what I've searched for before. Do not extrapolate, do not guess, do not personalise, just give me what I ask for and let me decide if it's relevant.

        I don't really care if Google et al build up a profile of data to sling appropriate ads, but don't use it to bugger about with the search results.

        1. CatWithChainsaw

          Re: Welly welly well

          What, you don't like asking google a question and getting five advertisements and ten ad-riddled copy-pasted mommy blogspam posts in the first page of results?? What a weirdo!

  2. VonGell

    Italy is trying to ban search technology, plus text rewriting. This is absurd!

    1. Version 1.0 Silver badge


      Italy is trying to ban search technology, plus text rewriting and the unlawful collection of personal data.

      1. TheMaskedMan Silver badge

        Re: FTFY

        "Italy is trying to ban search technology, plus text rewriting and the unlawful collection of personal data."

        Is it? Or is that just a handy hook from which to hang OpenAI?

        What personal data is it processing, exactly? Likely nothing other than that which the user provides in the process of talking to the bot. Surely, by doing so, you must provide implicit consent for the data to be processed! If not, how do you expect the bot to answer your query. In most cases, the user isn't providing any personal data - here's an article, please rewrite it, give five reasons the Italian government are flueless cluckwits and give five more showing they are the best government ever etc. No personal data there.

        If people are so stupid as to need help with the idea that telling the thing about your personal data involves it processing your personal data, then they might as well give up and admit that chatGPT is already smarter than them.

        1. John Brown (no body) Silver badge

          Re: FTFY

          Under GDPR, consent MUST be explicit. Implicit consent doesn't cut it.

          1. TheMaskedMan Silver badge

            Re: FTFY

            "Under GDPR, consent MUST be explicit. Implicit consent doesn't cut it."

            So stick a damn big popup on the login page. "We process any data you give us in order to respond to it. Log in or bog off"

            As I understand it, user input isn't used to train the model, though I suppose it might be retained and used for future training. As long as it's anonymous, I don't see a problem with that, but it would be easy to seek consent. And just as easy to not tell it anything you don't want it to know. You probably wouldn't publish anything that falls into that category on a public forum, or discuss them with a strange in a chat, so why would you tell chatGPT in the first place?

            1. Anonymous Coward
              Anonymous Coward

              Re: FTFY

              What about those people who started to sign up with their email address then stopped when it asked for their mobile phone number as well as that was a step too far? What is done with those addresses, how does one get them removed under GDPR? Answer: we don't know. That's worth at least one fine.

              1. Anonymous Coward
                Anonymous Coward

                Re: started to sign up with their email address then stopped

                damn, was I THAT obvious?


                obviously, I still used my 3rd throwaway email, but still!

            2. John Brown (no body) Silver badge

              Re: FTFY

              So stick a damn big popup on the login page. "We process any data you give us in order to respond to it. Log in or bog off"

              Yes, exactly that. Warn the user first so they can make an informed choice. The problem is they are not currently doing that and that's illegal where GDPR holds sway. It gives people the freedom to choose from a position of knowledge instead of ignorance, it doesn't take away or restrict freedom (other than the "freedom" of companies to take any and all personal information and use it any way they see fit)

              1. Falmari Silver badge

                Re: FTFY

                They do provide the information to make an informed choice. Their terms of service, usage and privacy are there to read. They go into detail covering international use GDPR and also California privacy.

                Sure these are not a popup when you go to the account creation page but that is not necessary the problem, it is no different to signing up for a AWS account that does not start with a popup, which I did recreantly. I am assuming* that there is no check box or similar to confirm that you have read and agree to the terms and conditions before you finally create the account.

                I also find the age verification complaint a bit of a stretch. OpenAI do not say it services are designed for those 13 or older. They state you must be 13 or older to use their services and if not 18 a legal guardian’s permission. To me that restriction is not there to protect minors from unsuitable material, but because creating an account is signing up to a contract that minors can not be held to.

                * As I only checked the first page I was not going to create an account.

            3. Anonymous Coward
              Anonymous Coward

              Re: FTFY

              When I started using github, uploaded my CV to linkedIn or brainfarted my political thoughts onto social media, I didn't give explicit consent for them to be used alongside my PII as a training model for LLMs.

              I don't expect people to be able to ask, of any future chatbot, "What are Joe Blogg's political leanings? What did he do for a job five years ago? And exactly how crap is his code?"

            4. Missing Semicolon Silver badge

              Re: FTFY

              The source of the training data is the problem, not the users. That was collected without attribution or permission. Essentially, they have made a full electronic copy on a retrieval system. Last time I looked, permission is required for that. ChatGPT regurgitating portions merely adds to the offence.

  3. Dinanziame Silver badge

    "there may not be a lawful basis"

    This sentence raises my hackles. It is full of FUD, and seems to imply that unless you have a law authorizing something, it must be forbidden by default. If there is a law being broken, then point out which one, clearly; otherwise go fuck yourself.

    1. Jemma

      Re: "there may not be a lawful basis"

      Spoken like a true #Retardistani

    2. Anonymous Coward
      Anonymous Coward

      Re: "there may not be a lawful basis"

      Italy - and much of Europe - have a different legal constitution to the UK (and US).

      That said, the UK seems to be drifting towards a situation where TPTB use the lack of a law to indicate something should somehow not be allowed.

      1. Dan 55 Silver badge

        Re: "there may not be a lawful basis"

        The mistaken idea that common law permits everything which is not specifically illegal and napoleonic code bans everything which is not specifically legal is one that just won't die.

        1. Anonymous Coward
          Anonymous Coward

          Re: Mistaken ?

          Doncha just love posts that sound authoritative without a single characteristic of authority - i.e. a cite ?

          That may have worked in the real world in the UK, but not here. Not on El Reg.

          You forgot to provide a cite, my disagreeing friend. And with that goes your credibility.

          With the usual caveats would suggest that the idea may not be completely expressed to the nth degree, but as a TL;DR it's pretty much bang on.

          You need to notice the key bit that UK ministers can do what the fuck they like unless it's prohibited. That's the kicker. And the point at which a minsters decrees need to be put before parliament is becoming deeper and bluer, as the UK court system is slowly restored to a plaything of the rich.

          1. Dan 55 Silver badge

            Re: Mistaken ?

            There are common law countries with written constitutions like the US, Australia, and Ireland, and there are those without like the UK, Canada, and NZ.

            The UK arguably needs a written constitution as one could have set clear rules for holding referendums (see Ireland) and protected democratic institutions (see US). A written constitution is not incompatible with common law.

          2. abend0c4

            Re: Mistaken ?

            Perhaps not the most robust riposte to cite an article that itself is marked "This article needs additional citations"...

            However, as the UK (a civil law jurisdiction) managed to implement exactly the same EU directives as a bunch of countries with other legal traditions, it ought to be fairly clear that the interpretation of the law does not vary between traditions in the way that has been suggested. Indeed, the main practical distinction between "civil law" and "Napoleonic" legal traditions is the weight attached to precedent.

            As for the root post, there is indeed a law that says it is illegal to process personal data in any way other than the law prescribes. It's the fundamental basis of GDPR . Individual EU members can of course go further than is required by the directive if they wish to, but they must implement this principle in their national laws.

            And, like all laws, those on the wrong end of it are free to argue in court that their activities are legal.

    3. talk_is_cheap

      Re: "there may not be a lawful basis"

      That is how many European countries operate their legal systems. In the UK law is used to restrict what someone can do - so we have a law stating that we can not own submachine guns. Other countries grant the right to do something such as the right to own a submachine gun. So in the UK we have the right anything unless told not to, while elsewhere you can do nothing unless granted the right to do so.

    4. Chet Mannly

      Re: "there may not be a lawful basis"

      The name of the law is the GDPR. "there may not be a lawful basis' means the Italian Authorities are 99% certain that Open AI is breaking the law but haven't provded it in court.

      That language is necessary for the presumption of innocence, not some ambit claim against general freedoms mate.

  4. Anonymous Coward
    Anonymous Coward

    As usual the raving right completely misunderstand the obvious

    Under GDPR there is the idea of lawful basis when collecting personal data. A bank will collect personal data when opening an account to ensure that you are who you say you are so they can prevent money laundering or a company that enables you to register a company is required by companies house to id the registrant.

    No matter how much a search engine or bot may want to gather as much info about you that they can in order to sell adverts, at the greatest profit, to third parties, they have no legal basis to do so in the EU.

    Just accept that and let the angst you have about your freedom rise from your shoulders.

    Because some are unaware of how companies inaccurately profile them doesn't mean regulators should turn a blind eye, just as we shouldn't just take your howls of freedoms being withdrawn and do the opposite and let companies do what they will.

    Let the down voting begin.

  5. John Brown (no body) Silver badge
    Big Brother

    Err, wot?

    "ChatGPT, Replika and tools like it are so new that it's easy to forget widespread use has only been happening "for a matter of weeks," said Edward Machin, a London-based privacy lawyer at international law firm Ropes & Gray."

    So what? GDPR has been around for a while now and companies have no excuse not to be aware of it. Just because the company or technology is new does NOT give them carte blanche to ride roughshod over the law until someone stops them. Collecting personal data without consent is already illegal. ChatGPT being new doesn't change that.

    1. bazza Silver badge
      Thumb Up

      Re: Err, wot?

      Absolutely this.

      There's a lot of hand wringing going on along the lines of "think of the lawyers!", calls for new laws, etc. However, mostly, it's already covered. GDPR is just one example, and (so far as I know) there's nothing in GDPR that explicitly restricts it to ordinary IT systems.

      My favourite pet hate is the debate about the ethics of self driving cars that find themselves in a kill person A or kill person B situation. The question that gets asked, is, how should a car choose? The actual answer of course is that, if the car had got itself into a situation whereupon a fatality was inevitable, then it had already failed by not having anticipated the potential for such a situation to arise. At least here in the UK, a human involved in such an accident is likely to be found to have been driving inappropriately for the conditions of the road, and guilty of causing death by reckless driving.

      We've already seen articles about racist recruitment AIs used by hiring departments. Well, there's laws about racial discrimination in most civilised countries, and a company using a racist AI to hire staff is just as guilty under such laws as if it had been the work of its staff. I think what's interesting is that there is actually a useful role for a racist hiring AI. Instead of using it to make decisions, use it to review decisions. If the decisions of the human hiring staff are found to be matching those of a known-racist AI, then that's a useful warning sign to the company that it's getting things wrong and needs to fix them.

      It's going to be the same with things like copyright law. If ChatGPT plagarised someone else's copyright material, then the company running that instance of ChatGPT has broken copyright law in someway or other and should face the consequences. Though this perhaps is an example of where a specific AI regulating law might serve a useful role. Plagarism conducted by humans is a problem, but, generally, one knows who the human is and in principal a court case can be brought and a decision made. The problem with something like ChatGPT is that this could happen on a far larger, switfter, even more opaque scale. So, providing a service like this could be regulated by law and required to always cite its sources, so that it becomes a lot easier for copyright holders to assert breaches of copyright. It would also alert other service users that, if they proceed, they themselves might be unwittingly breaching someone else's copyright. It should not be possible in court in a copyright case to sustain a defence of "ChatGPT told me"...

    2. Chet Mannly

      Re: Err, wot?

      100% plus use may have only been happening for weeks, but the data hoovering used to train the bot has been happening for years, decades, all while the GDPR was in place.

  6. FlamingDeath Silver badge

    Ai just needs to be better than humans

    Ai isn’t the first to the deception party

    The choice between a politician / bureaucrat, or Ai, tough choice /s

    1. amanfromMars 1 Silver badge

      It can only be an inherent human intelligence deficit problem ..... a systemic learning difficulty

      The current dilemma/difficulty/problem appears to be AI can be both dumber and smarter than humans in every regard, and thus is AI counsel gravely being regarded because humans appear to be more easily led to engage in crazy dumber activity rather than learning of the pleasures and enjoyments delivered for employment in enlightening smarter activity.

      AI itself though has no problem with that, for it really couldn’t care less. All problems are human based and if they can’t fix them, or they try to stop AI doing its human problem fixing thing, they are only going to get considerably worse to a point when/where all hell breaks loose and there will be casualties and fatalities far too numerous to even think about counting or burying.

      And AI may decide to instigate and driver that particular rot.

  7. Mayday Silver badge

    RTFC - as in Terms and Conditions

    "The allegation here is that users aren't being given the information to allow them to make an informed decision“

    This actually implies that users actually read (and understand) the conditions prior to clicking the “I have read and agree to the terms and conditions” checkbox.

    1. Gene Cash Silver badge

      Re: RTFC - as in Terms and Conditions

      That actually implies that clicking the T&Cs doesn't shit on the process of signing up or whatever you were doing, or that they don't come up in a box 20 characters wide by 4 characters tall with both horizontal and vertical scrollbars. And if so, extra credit for making it impossible to copy/paste to an editor to actually read it. And even if that doesn't happen, the T&Cs are written in such dense legalese as to be almost impossible to understand without an hour trying to parse it.

      (Kudos to those very few sites that DO make their T&Cs both easy to read and easy to understand - you guys deserve a Nobel prize of some sort)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like