Hello all, and happy Thursday! 

By now I’m sure everybody is familiar with the AI chat bot ChatGPT. People have been using ChatGPT for everything from writing essays to building a business—but not in Italy. The Italian data protection authority, Garante, recently banned the use of ChatGPT temporarily due to its unlawful collection of Italian citizens’ data. OpenAI has disabled access to its chatbot in Italy as a result. 

As the public’s first experience with large language models (LLMs), ChatGPT has been processing a large amount of Italian citizens’ personal data, all without the appropriate legal basis under the GDPR to do so.  

If OpenAI wishes to allow Italians to access the tool again, they’ll need to obtain one of the GDPR’s six legal bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Most businesses rely on consent for a legal basis, but it’s hard to see how that would work with an LLM like ChatGPT. LLMs are trained on a body of text sourced from books, articles, websites, digital content, and more; it’s not like OpenAI can request consent from everybody who has ever written anything online. 

If ChatGPT implemented a privacy-by-design approach to their technology and carefully curated the training data to exclude personal information, then there is a possibility that they could remain compliant with the GDPR. But that seems like a tall order. AI models cannot function without access to enough data and enough of the right kind of data—it’ll be interesting to see if a corpus of fully anonymized information can be used to train an LLM like ChatGPT. 



P.S. G2’s Spring Awards have come out recently, and we’re pleased to announce that Osano has been rated best-in-class for consent management and a rising star in both DSAR and data privacy platforms! If you’ve enjoyed your experience using Osano, why not hop over to G2 and leave us a review? 


Top privacy stories of the week

White House launches strategy to advance data privacy tech and processes 

In lieu of a federal data privacy law, the White House’s Office of Science and Technology Policy has released a set of comprehensive recommendations for public and private organizations to promote user privacy. 


TikTok fined £12.7m for misusing children's data 

TikTok is being fined £12.7m by the Information Commissioner's Office (ICO) for allowing up to 1.4 million UK children aged under 13 to use the platform in 2020. What’s more, TikTok then used these children’s data without their parents’ consent.  


TikTok attorney: China can’t get U.S. data under plan 

During an interview with the Associated Press (AP) at a cybersecurity conference, the top attorney for TikTok and its Chinese parent company ByteDance stated, “The basic approach that we’re following is to make it physically impossible for any government, including the Chinese government, to get access to U.S. user data.” The AP reports further on the current scrutiny facing TikTok over user privacy. 


Italian regulators order ChatGPT ban over alleged violation of data privacy laws 

Italy’s data protection authorities have declared that ChatGPT has unlawfully collected Italians’ personal data and has no means of blocking underage users. As a result, the AI chat app’s developer, OpenAI, has disabled the app for users in Italy. 


New York law firm gets fined $200k for failing to protect health data 

Law firm Heidell, Pittoni, Murphy and Bach (HPMB)—which represents hospitals in New York—was hacked in November 2021. As a result, 114,000 patients’ sensitive data was exposed to hackers. The law firm paid a $100,000 ransom in exchange for the promise of deletion of the data, but received no confirmation the data was in fact deleted. As a result, New York’s Attorney General has fined HPMB $200,000 and ordered the law firm to adopt stricter data protection protocols. 


UK government resumes proposed reform of UK data protection laws 

Recently, the UK government resumed its proposed reform of UK data protection laws with the introduction to Parliament of the Data Protection and Digital Information (No. 2) Bill, a replacement for its earlier reform bill. The bill would replace the GDPR in a targeted fashion rather than serve as a wholesale replacement. 


Meta will allow EU users to opt out of some ad targeting 

Following a $410 million fine levied in January by the Irish Data Protection Commission, Meta will allow EU users to opt out of some targeted advertisements. Under the GDPR, businesses may only collect and process personal data under certain legal bases. Meta is changing its basis from “Contractual Necessity” to “Legitimate Interests.” Data privacy advocacy groups already plan to challenge the proposed change.  


California OAL Approves CPRA Regulations 

The California Office of Administrative Law (OAL) has formally approved the California Privacy Protection Agency’s (CPPA’s) first substantial rulemaking package on the CPRA. This marks the conclusion of an eighteen-month rulemaking process. 


Listen to Osano Co-Founder Arlo Gilbert on the "She Said Privacy/He Said Security" podcast! 

On the most recent episode of “She Said Privacy/He Said Security,” Osano Co-Founder and CEO Arlo Gilbert spoke with hosts Jodi Daniels of Red Clover Advisors and Justin Daniels of Baker Donelson on how AI is advancing privacy SaaS platforms, the types of organizations developing privacy programs, and how Osano helps companies manage privacy. Listen to the episode below! 


If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you. 
