Aiming to mitigate regulatory risks in the European Union (EU), OpenAI, the creator of ChatGPT, has announced a significant update to its terms. The company has designated its newly established Irish entity, OpenAI Ireland Limited, as the data controller for users in the European Economic Area (EEA) and Switzerland. The change, effective from February 15, 2024, is part of OpenAI's strategy to streamline privacy oversight and navigate the complexities of the General Data Protection Regulation (GDPR).
The decision follows ongoing investigations into ChatGPT's impact on user privacy by regulatory bodies in Italy and Poland. Italy's concerns led to a temporary suspension of ChatGPT in the country until OpenAI addressed information and control issues. To address these challenges, OpenAI aims to leverage the GDPR's one-stop-shop (OSS) mechanism, allowing companies to centralize privacy oversight under a single lead data supervisory authority in an EU Member State.
OpenAI's email to users on December 28 outlined the changes, stating, "We have changed the OpenAI entity that provides services such as ChatGPT to EEA and Swiss residents to our Irish entity, OpenAI Ireland Limited."
Regarding OpenAI's engagement with Ireland's Data Protection Commission (DPC) to obtain main establishment status, a spokesperson for the Irish DPC confirmed, "I can confirm that Open AI has been engaged with the DPC and other EU DPAs [data protection authorities] on this matter."
The shift to Dublin as the main establishment reflects OpenAI's strategic move, mirroring decisions by other tech giants like Apple, Google, Meta, TikTok, and X, to make Dublin their EU home. However, the effectiveness of this move depends on OpenAI's ability to demonstrate that its Dublin-based entity can influence decision-making regarding user data.
While OpenAI positions itself for GDPR compliance, ongoing investigations in Italy and Poland may still shape regional regulations for ChatGPT. Italy's regulator has scrutinized ChatGPT's legal basis for data processing, while Poland's probe delves into complaints, including the AI bot's fabrication of personal data.
OpenAI's updated European privacy policy provides additional details on its legal bases for processing data, hinting at a potential defense of its data practices as "necessary for our legitimate interests and those of third parties and broader society."
As OpenAI navigates the intersection of data protection law and AI, its choice to establish a legal entity in Dublin may give Ireland a pivotal role in defining the future direction of generative AI and privacy rights within the EU.
Note: UK users remain excluded from OpenAI's legal basis switch to Ireland, with OpenAI specifying that they fall under the jurisdiction of its US-based corporate entity in Delaware.
