GNP Guia Naghi and Partners’ Post

The Italian Privacy Authority Issues Guidelines to Prevent AI Web Scraping The Italian Privacy Authority, the Garante, released an information note with detailed guidelines on how to defend personal data published online by public and private entities from web scraping as part of the training of artificial intelligence (AI) systems. Read the article from my DLA Piper colleague, Tommaso Ricci on the topic. #webscraping #ai #ailaw #garente #dataprivacy #gdpr https://lnkd.in/dMnS_WvH

🚨 Targeting AI Hallucinations: NoyB's GDPR Complaint Puts Accuracy Principle to the Test 🚨 NoyB filed today a complaint with the Austrian DPA claiming that “ChatGPT keeps hallucinating - and not even OpenAI can stop it”. https://lnkd.in/e_Wv9dYw The ONG said it is acting on behalf of a “public figure”. "When asking ChatGPT to provide the data subject’s date of birth, the algorithm gives various inaccurate information … ChatGPT tries to infer his date of birth, but it does not provide accurate results”. This is claimed to breach the GDPR’s accuracy requirement & the right to request correction of inaccurate information Mikołaj Barczentewicz has published a great first comment on the complaint. He first questions NOYB’s treatment on the “one-stop-shop” mechanism: “NOYB already treats the one-stop-shop as dead for American companies and invites the Austrian authority to ignore that OpenAI is established in Ireland”. He then turns to the subject matter & concludes: “It is hard to see how LLMs like ChatGPT could be legally used under NOYB's reading of the GDPR. […] I'm afraid this is another example where NOYB is pushing in a direction of absurd and disproportionate interpretations of the GDPR”. In reality the question of whether the principle of accuracy applies to LLM outputs is already under examination by several DPAs. The President of the 🇫🇷 CNIL, for instance, stated in September 2023 that "GPAI systems, such as ChatGPT, may ‘present a patently false answer as a certain fact’’ & “it is technically impossible to implement a right of rectification on the data included in the trained model, as this would require a complete re-training of the model”. The EDPS - European Data Protection Supervisor defines a “Hallucination in AI” as the “generation of outputs that may sound plausible but are either factually incorrect or unrelated to the given context”. Given that generative models like LLMs predict the next words based on user inputs rather than retrieving specific information, there's no assurance that the outputs will contain factual data or remain consistent if asked again. LLMs, by their nature, as they stand now, do not understand the words they generate, the concepts those words represent, or their accuracy. As Mikołaj Barczentewicz points out, all LLMs, including ChatGPT, openly warn users that they produce outputs that may be inaccurate, untruthful, and potentially misleading. Given these characteristics and other elements, I personally believe that the GDPR principle of accuracy may NOT be applicable to LLM outputs and hallucinations. I plan to explore this position further in a series of upcoming articles focused on the interplay between #GPAI and #GDPR. Stay tuned for more insights. 📚🤖

I am looking very much forward to your panel CPDP Conferences discussing these issues, Theodore Christakis! An interesting aspect that noyb.eu mentioned in their complaint is point 28: "The respondent states that the only way to prevent the inaccurate information from appearing would be to block any information concerning the data subject. This would in turn violate the controller’s freedom to inform and the general public’s right to be informed, as the data subject is a public figure. Thus, the controller refused to take action." Today, the Dutch DPA issued guidance on scraping and makes an interesting comparison to search engines. While the guidance is not concerned with accuracy of outputs but with the scraping of websites, the comparison to search engines in relation to freedom of expression maybe nevertheless be of some relevance here. See https://lnkd.in/eEZgAAuY: "For instance, search engines ensure that information on the internet is easily discoverable and do not apply additional processing to the information once it has been indexed. On the other hand, scrapers often do much more with the collected data, such as analyzing patterns, evaluating financing applications, or conducting sentiment analyses. It remains uncertain whether scraping, in the same manner as search engines, can be considered to serve the freedom of information" There is still a lot to figure out as new AI services converge with other services (search) and yet some questions feel like 'déjà vu' (C‑131/12), while other and new laws to chew on (i.e., DSA) ...

My current thinking: The Accuracy principle under GDPR should not apply to AI. The trouble is, this runs headlong into the question of whether companies should be held liable for what their AI chatbots say. I think the distinction between answering information about individuals (the #AI question brought by NoyB) and a company chatbot answering questions about the company, is very important. If the Accuracy principle applies to #AI chatbots, companies will need to instruct those chatbots not to answer questions about PII. Indeed, they really already should be doing that. Putting an AI chatbot on your website is much more than just writing some code. You need to ensure that the instructions to the bot (the context of every question posed) are not going to leave your company at risk. #privacy #gdpr

Looking at the overlap of data protection and AI? The new guidlines from EDPS are for EU institutions but they can be helpful for companies too! https://lnkd.in/eK2RTWft #AI #Privacy

The use of artificial intelligence (AI) technologies has exploded in recent years, with businesses eager to harness the power of machine learning and data analytics. However, the rapid adoption of AI has raised significant privacy concerns, leading to increased scrutiny from regulators. In this Insight article, Iain Borner, Chief Executive Officer at The Data Privacy Group, explores the intersection of privacy and AI, unraveling the complexities surrounding responsible implementation in the ever-evolving regulatory landscape…

📢 I'm thrilled to share my latest guest article on the intersection of Privacy and AI Governance for OneTrust DataGuidance! 🚀 In this piece, I explore the complexities surrounding the responsible implementation of AI in the ever-evolving regulatory landscape. I delve into key privacy regulations like GDPR, CCPA, and the upcoming AI Act, providing insights on building a strong foundation for AI governance. 🧠💼 Let's continue the conversation on the important topics of #Privacy, #AI, #Governance, #DataProtection, and #Compliance. Join me in exploring the fascinating world where privacy and AI meet! https://lnkd.in/dEqvzGCm

What do companies need to consider from a data protection regulator perspective when using AI? In our latest Hogan Lovells Engage article, Martin Pflüger, Anna Theresa Vogel and I provide a summary of the German DPAs' new guidance on AI deployment. https://lnkd.in/eBtM7cRR #GDPR #DataProtection #Privacy #ArtificialIntelligence #AI

Looking for a summary of the new guidance from German data protection authorities on privacy requirements for deployers of AI technology? See our latest publication, written together with my colleagues Anna Theresa Vogel and Dr. Henrik Hanssen #AI #AIAct #GDPR #DataProtection #DSK #GermanDPAs #AIGovernance

noyb.eu, European Center for Digital Rights, a not-for-profit organisation active in the field of the protection of data subjects’ rights and freedoms with its registered office in Goldschlagstraße, has filed a #GDPR complaint against #OpenAI on behalf of a single user, raising concerns about personal data processed by ChatGPT, the AI-powered chatbot. 🔏 🔗 The source post is here: https://lnkd.in/eHpgGkin The heart of the matter lies in ChatGPT's apparent incapacity to rectify erroneous information it produces concerning particular persons, an action that purportedly contravenes a fundamental tenet of the GDPR. "Since 1995, EU law requires that personal data must be accurate. Currently, this is enshrined in Article 5 GDPR. Individuals also have a right to rectification under Article 16 GDPR if data is inaccurate, and can request that false information is deleted. In addition, under the “right to access” in Article 15, companies must be able to show which data they hold on individuals and what the sources are." The complaint underscores the widespread problem of AI systems handling huge volumes of personal data, sometimes scraped from the Web without clear consent. This lack of #transparency calls into question the #accountability of AI companies regarding data #privacy. Noyb's complaint against OpenAI tackles these concerns, aiming to guarantee that systems like ChatGPT uphold GDPR principles, especially those safeguarding the accuracy and control of personal data. 🗣️Maartje de Graaf, data protection lawyer at noyb: “The obligation to comply with access requests applies to all companies. It is clearly possible to keep records of training data that was used at least have an idea about the sources of information. It seems that with each ‘innovation’, another group of companies thinks that its products don’t have to comply with the law.” ✅ "Complaint filed: noyb is now asking the Austrian data protection authority (DSB) to investigate OpenAI’s data processing and the measures taken to ensure the accuracy of personal data processed in the context of the company’s large language models. Furthermore, we ask the DSB to order OpenAI to comply with the complainant’s access request and to bring its processing in line with the GDPR. Last but not least, noyb requests the authority to impose a fine to ensure future compliance. It is likely that this case will be dealt with via EU cooperation." 💡Just yesterday I quoted a 𝐓𝐄𝐃 𝐓𝐚𝐥𝐤𝐬 of Mustafa Suleyman, "𝑾𝒉𝒂𝒕 𝒊𝒔 𝒂𝒏 𝑨𝑰 𝒂𝒏𝒚𝒘𝒂𝒚?": "we can't control what we don't understand". The funny stuff is, despite that... we keep going 🤷 ENTE NAZIONALE per l'INTELLIGENZA ARTIFICIALE - E.N.I.A.® #DataProtection #Europe #UserRights #AI #ArtificialIntelligence #IntelligenzaArtificiale #bots