The Privacy Corner

Italy's watchdog clashes with ChatGPT, Google's Bard raises eyebrows & UK's ICO wields AI to hunt rogue cookies

Divesh Sood Season 2 Episode 4


In this week's Privacy Corner, Robert Bateman discusses three major privacy developments: the Italian regulator Garante contesting ChatGPT's GDPR compliance; Google's plan to incorporate its large language model 'Bard' into its messaging app, potentially raising e-privacy issues; and the ICO's update on its cookie sweep and the development of an AI tool to identify cookie violations. The video also delves into the history of OpenAI's allegations, the repercussions of Google's plan, and the ICO's interaction with non-compliant websites.

Hello, I'm Robert Bateman. And this is the Privacy Corner, where I talk you through my top three picks for privacy developments each week. And thank you, as always, to Privado AI for sponsoring these videos. So this week, OpenAI is having more trouble with the Italian regulator, the Garante, over ChatGPT and the GDPR. Google is planning to integrate Bard into its messaging app, which has caused some concerns around the ePrivacy Directive, and the ICO has provided an update on its cookie sweep and plans to use its own AI tool to find further cookie violations.
So first up, uh, the Garante, the Italian DPA, has alleged that ChatGPT falls short on GDPR compliance in a number of areas. We don't know which ones, but let's go back in time to March 2023, when this whole saga began. So at that time, uh, the Italian DPA said that OpenAI was violating the GDPR in, well, lots and lots of ways, as we'll see, and they instituted a temporary ban on the processing of personal data within Italy. Now, lots of people said this was a ban on ChatGPT. Technically not, but I mean, there's no real way they could comply with that order without pulling out of Italy. So that's what they did. Sam Altman said that he deferred to the Italian government. The Garante is not technically the government, but we can forgive him. And they've ceased offering ChatGPT in Italy, although they thought they were following all privacy laws. And the GDPR technically isn't a privacy law either, but we can forgive him that too, I suppose. So the, uh, the, the group had a meeting with OpenAI and gave a small extension to the deadline as they rushed to put some data protection improvements in place. And actually, uh, the, the, the company managed to satisfy the Italian DPA. I was quite surprised by that at the time, because there are some irreconcilable issues, I think, with large language models and the GDPR. Um, so let's have a look at what OpenAI did to make the Italians happy.
There was a new information notice, they call it. I guess that's a kind of just-in-time notice under Article 13 describing the types of personal data OpenAI process and what they're doing with them. I mean, pretty basic stuff there. They also expanded their general privacy policy and put it in front of users at signup. So the Italian DPA liked that. They gave European users and non-users of ChatGPT the right to opt out from the processing of the data for the training of algorithms. So the inputs into ChatGPT could be, uh, well, you could opt out from having those recycled as training data to further improve the model. And they also provided a way for individuals to correct inaccuracies in the outputs. Now, this is a bit tricky because the training data has already impacted OpenAI's algorithm. There's really no going back from that without retraining the model entirely, which costs millions of dollars and a lot of CO2. Uh, but nonetheless, that was enough to satisfy the Italian DPA for a bit. They also reassessed their legal bases and put some under contract, some under legitimate interests, uh, which seemed to be okay. And OpenAI was ordered to kick under-13s off the platform and find a way to ensure that under-18s had obtained parental consent for using it. Now, I thought at the time this would be an issue. Age gating is hard, especially if we're expected to comply with the GDPR's rules around data minimization. There's no obvious solution to that problem. And regulators have not been terribly clear in how people are expected to meet these potentially conflicting requirements. So there were a couple of loose ends back in April when OpenAI was allowed to start back up in Italy, including this age verification stuff and also an information campaign they promised to conduct among Italian media outlets, telling people about how they train their AI and so on.
So we don't know what the new issues are, whether they are an extension of these old issues, which I suspect they might be. But, uh, ChatGPT, well, OpenAI has 30 days to respond, so this battle is not over yet.
Next up, Google. Its, uh, rather unimpressive large language model, Bard, will be deeply integrated into Android users' devices soon. This is the plan. They're going to put Bard into their messages app, which, well, I'm an Android user, and they're constantly trying to force me to make that the default. So this could potentially be a problem for Google from a privacy law perspective. So this came from a Forbes article, which I recommend you read. There'll be a link in the newsletter down below. Basically, Google intends to scan messages and derive information about, uh, what does it say here? Conversations, tone, and interest to help tailor responses to your mood and vibe and personalize responses based on who you're talking to based on relationship dynamics. These responses apparently came directly from Bard itself from the Ford, uh, the Forbes journalist's, uh, inputs. So, you know, maybe we can't entirely trust them. But I guess this is the idea. Scanning messages to derive information to personalize the AI's outputs.
Now, Alexander Hanff has published an open letter to the Irish Data Protection Commission pointing out that this could be a problem under Article 5.1 of the ePrivacy Directive, or rather the national laws implementing that, that directive. And that part of the ePrivacy Directive says that member states should prohibit listening, tapping, storage, or interception or surveillance of communications and the related traffic data by persons other than users without the consent of the users concerned. Slightly unclear provision here, but what I think it's getting at is that you don't just need the consent of the user of the device, you also need the consent of the people with whom they have been having conversations. So if I message my friend, and I say to Google, it's okay for you to process that conversation to train your AI model, what about my friend? Are they going to ask him too? Presumably not. So this could be a problem for Google. And it's not doing terribly well in the AI race with other tech giants, given Microsoft's influence in OpenAI and so on.
So next up, the ICO has announced a new method to find non-compliant cookie banners based off a, uh, well, I hesitate to call it an enforcement sweep, but a letter that it sent out to website publishers last November. So let's go a couple of months back in time again to see what they said at the time. They wrote to the, well, among the top 100 websites accessible in the UK, they found 53 that were allegedly not compliant with the UK's implementation of the ePrivacy Directive and the GDPR. And they said you need to make it as easy to reject as possible. Accept consent. So essentially, put a reject all button on the first layer of your cookie banner. And we had an update last week. Of the 53 organisations they contacted, 38 have changed their cookie banners. Four have committed to do it within the next month and several others are working to develop alternative solutions. So the ICO calls this an overwhelmingly positive response. I guess so, I mean, 70 percent-ish of organizations did what they were told, and the rest didn't. Now the ICO did say it would publish the names of the non-compliant, uh, websites in January. Uh, it's February now, and they haven't done that, so not following through on, on that particular threat, but they have said that they're now looking at the next top 100 websites, uh, so I guess that's the top 200 so far, and then they'll be looking at the 100 after that, and they're using or developing an AI solution to help them do this. And they'll be running a hackathon event, uh, early this year to explore how it might work. So we don't have details of that, but presumably, uh, it will help them to find the offending websites and bring them in line with actually what is quite a strict interpretation of the law. If you want to understand what the ICO says about the cookie, uh, banners and the rules around those, then they published a position paper last year jointly with the CMA, the Competition and Markets Authority, uh, that sets it out quite clearly. So I've linked to that in the newsletter as well.
So that's it from me this week. Thanks so much for your time, and thank you again to Privado for their support, and I'll see you next week.
