While much has been said about the potential of artificial intelligence to revolutionize fields such as art and law, the conversation surrounding its impact on our privacy has been relatively muted. However, recent events involving ChatGPT and its clash with lawmakers in Italy have sparked a shift in this narrative. In fact, the service faced temporary suspension in the country from March 31 to April 28, compelling us to confront the significant implications it poses for our personal data protection.

The essence of the issue lies in the fact that ChatGPT's training relies heavily on data gathered from the vast expanse of the internet. Considering the immense volume of content we generate online, chances are high that ChatGPT has encountered and assimilated our words. Consequently, this includes a portion of our personal information that is buried within that vast digital reservoir.

How does ChatGPT collect your personal data?

ChatGPT acquires personal information through two primary methods, both of which raise concerns regarding consent and data usage. Firstly, personal data is gathered in bulk to train the ChatGPT model, without obtaining explicit consent from individuals. For instance, if you shared a personal story during a Reddit Ask Me Anything (AMA), OpenAI (the creator of ChatGPT) could utilize that comment to train ChatGPT, and this lack of consent is troubling in itself.

The second method involves the use of ChatGPT itself. The chatbot collects various details about your interaction with the tool, including conversations and any text you input. According to OpenAI's privacy policy, the data collected encompasses the following:

• Log data: This includes your IP address, browser type, and settings, timestamp of usage, and your interactions with CHATGPT. Moreover, the chats you have are also stored.
• Usage data: In addition to your engagement with the service, usage data involves gathering information such as your location (based on time zone and country), software version, device type, connection details, and more.
• Device information: The operating system, device, and browser information used to access CHATGPT are collected.
• Cookies: OpenAI employs cookies to store data about your browsing activities, tracking your online behavior for analytics purposes.
• User content: OpenAI retains information you upload or input into CHATGPT. This means that everything you type or upload using the tool is stored.
• Communication information: If you reach out to OpenAI support or opt-in to receive newsletters, your personal information and the messages you send are stored.
• Social media information: When interacting with OpenAI on social media, they gather the information available on your profile, which may include your phone number and email address if you have provided them.
• Account information: The details you provide when creating an account, such as your name, contact information, and payment information, are stored.

You may argue that this collection of data is not significantly different from what other websites collect, and you wouldn't be entirely wrong. However, it is crucial to draw attention to the "user content" and how ChatGPT operates. Unlike a typical search engine, ChatGPT is designed for conversation rather than delivering search results in the same way as Google. While you can use ChatGPT to search for a chocolate cake recipe, it engages in a dialogue about the recipe with you.

This distinctive approach can create a false sense of security and entice users to share information they might not usually divulge during a Google search. Unfortunately, ChatGPT's efficacy as a work tool has also led to instances where confidential information was inadvertently leaked. Samsung experienced this firsthand when employees allowed the chatbot to record meetings and access proprietary code. As OpenAI collects all user content, regardless of its sensitivity, this information is never deleted.

In a significant development, ChatGPT faced a blockade in Italy due to concerns over its handling of personal information. The country's data regulator, Garante per la Protezione dei Dati Personali, argued that OpenAI, the creator of ChatGPT, did not possess the legal authority to utilize personal data for training the chatbot. Consequently, on March 31, Italy imposed a temporary ban on ChatGPT. However, following privacy-related adjustments made by ChatGPT specifically for European users, the ban was eventually lifted towards the end of April.

ChatGPT gets blocked in Italy

Italy's actions have spurred the attention of other nations, with several countries now closely scrutinizing ChatGPT's privacy safeguards, or rather, the lack thereof. So, what were the specific objections raised by Italy?

Being a member of the European Union, Italy adheres to the regulations outlined in the General Data Protection Regulation (GDPR). The GDPR mandates explicit consent from individuals before their data can be collected. Typically, this is obtained through a pop-up that allows users to accept or reject data collection. However, OpenAI failed to implement this crucial consent mechanism, leading Italy to identify four key problems with CHATGPT's compliance under the GDPR rules:

• Lack of age controls: ChatGPT did not incorporate safeguards to prevent individuals under the age of 13 from accessing the service.
• Potential dissemination of false information: Italy expressed concerns that ChatGPT could unknowingly provide inaccurate details about individuals.
• Insufficient information disclosure: Users were not adequately informed that their personal data was being collected during their interactions with ChatGPT.

Absence of a "legal basis" for data collection: Italy raised objections regarding the lack of a lawful justification for gathering personal information used in training ChatGPT.
Italy's temporary ban on ChatGPT marked a significant milestone, as it represented the first instance of a Western nation taking action against this generative AI tool. Given the increasing focus on privacy issues, it is likely that similar actions may follow in the future.

ChatGPT flimsy privacy policy

Let's delve into some key privacy concerns surrounding ChatGPT:

Extensive data collection by ChatGPT:

As mentioned earlier, ChatGPT has the capability to collect a vast amount of user data. It is important to highlight this once again. Anything that you input into ChatGPT has the potential to be stored in its database, including sensitive information such as confidential meeting transcripts or client data that lawyers may want to incorporate into legal documents.

Transparency and GDPR compliance:

One of the primary grievances raised by Italy was the lack of transparency regarding the collection of personal data by ChatGPT. Italy also questioned the legal basis for gathering and storing personal information utilized in training the platform's algorithms. While ChatGPT has provided a description of the personal data used for AI training algorithms and introduced the option to opt out, experts have pointed out the need for a stronger legal foundation for processing individuals' information. Additionally, OpenAI has made the privacy policy more visible on their homepage.

• Opting out of personal data collection: In response to Italy's ban, ChatGPT has made efforts to facilitate the exclusion of user content from being used to improve AI model performance. They have also introduced a new form for EU users to object to the use of their personal data for training models. However, concerns have been raised about ChatGPT's ability to comply with the "right to be forgotten" rule under GDPR, as separating inadvertently shared information from the training algorithms may be extremely challenging.
• Phone number registration: When signing up for ChatGPT, users are required to provide a phone number and enter a verification code. While this measure serves to verify human users and prevent spam bots from misusing the platform, it raises concerns about the lack of anonymity for users.
• Age controls: Various countries have regulations in place to protect the use and collection of children's data. Under GDPR rules, processing the data of children under 16 without parental consent is deemed unlawful, although member states can lower the age limit to 13. In OpenAI's terms of use, they state that ChatGPT users "must be at least 13 years old." As part of the changes made in April, an age confirmation button was added for Italian users to verify their compliance with the age requirements. However, enforcing age restrictions on platforms is challenging, and young children's data can still be inadvertently collected.

These privacy concerns highlight the need for continuous scrutiny and improvement in ensuring the protection of user data and compliance with privacy regulations.

Here are some practical tips on safeguarding your privacy when using ChatGPT:

• Keep sensitive information to yourself: Sensitive information should be kept confidential for a reason. It's advisable to refrain from sharing any personal or work-related sensitive details when interacting with ChatGPT, as everything you input into the system is stored on OpenAI's servers. It's best to assume that this data could potentially be accessed by someone else. In the event of a security breach, your private information may end up in the wrong hands.
• Use a VPN: Using a Virtual Private Network (VPN) when connecting to ChatGPT can provide an extra layer of protection. A VPN encrypts your internet traffic to and from ChatGPT's servers, making it harder for malicious individuals to intercept or tamper with your data. Additionally, a VPN helps enhance your anonymity by masking your IP address and location, minimizing the amount of personal data exposed to ChatGPT.
• Exercise control over personal data processing by ChatGPT: In response to increased scrutiny, OpenAI has introduced new data controls for ChatGPT. You can disable the storage of your chat histories by adjusting your account settings. This ensures that your conversations with ChatGPT will be deleted after 30 days. However, it's important to note that this action does not necessarily prevent your data from being used to train ChatGPT. To specifically opt out of having your personal and private information utilized for training the AI model, you can complete the OpenAI Data Opt Out Google form. If you fall under the coverage of GDPR rules in Europe, there is another form available through which you can request OpenAI to remove your personal data.

By following these steps, you can take proactive measures to protect your privacy while using ChatGPT and minimize the potential risks associated with data storage and processing.