OpenAI is under scrutiny in the European Union again — this time over ChatGPT’s hallucinations about people.

A privacy rights nonprofit group called noyb filed a complaint Monday with the Austrian Data Protection Authority (DPA) against the artificial intelligence company on behalf of an individual over its inability to correct information generated by ChatGPT about people.

Even though hallucinations, or the tendency of large language models (LLMs) like ChatGPT to make up fake or nonsensical information, are common, noyb’s complaint focuses on the E.U.’s General Data Protection Regulation (GDPR). The GDPR regulates how the personal data of people in the bloc is collected and stored.

Despite the GDPR’s requirements, “OpenAI openly admits that it is unable to correct incorrect information on ChatGPT,” noyb said in a statement, adding that the company also “cannot say where the data comes from or what data ChatGPT stores about individual people,” and that it is “well aware of this problem, but doesn’t seem to care.”

Under the GDPR, individuals in the E.U. have a right for incorrect information about them to be corrected, therefore rendering OpenAI noncompliant with the rule due to its inability to correct the data, noyb said in its complaint.

While hallucinations “may be tolerable” for homework assignments, noyb said it’s “unacceptable” when it comes to generating information about people. The complainant in noyb’s case against OpenAI is a public individual who asked ChatGPT about his birthday, but was “repeatedly provided incorrect information,” according to noyb. OpenAI then allegedly “refused his request to rectify or erase the data, arguing that it wasn’t possible to correct data.” Instead, OpenAI allegedly told the complainant it could filter or block the data on certain prompts, like the complainants name.

The group is asking the DPA to investigate how OpenAI processes data, and how the company ensures accurate personal data in training its LLMs. noyb is also asking the DPA to order OpenAI to comply with the request by the complainant to access the data — a right under the GDPR that requires companies to show individuals what data they have on them and what the sources for the data are.

OpenAI did not immediately respond to a request for comment.

“The obligation to comply with access requests applies to all companies,” Maartje de Graaf, a data protection lawyer at noyb, said in a statement. “It is clearly possible to keep records of training data that was used at least have an idea about the sources of information. It seems that with each ‘innovation’, another group of companies thinks that its products don’t have to comply with the law.”

Failing to comply with GDPR rules can lead to penalties of up to 20 million euros or 4% of global annual turnover — whichever value is higher — and even more damages if individuals choose to seek them. OpenAI is already facing similar data protection cases in EU member states Italy and Poland.

This article originally appeared on Quartz.

Share.
Exit mobile version