Privacy

OpenAI moves to shrink regulatory risk in EU around data privacy

Comment

Sam Altman OpenAI OpenResearch
Image Credits: David Paul Morris/Bloomberg / Getty Images

While most of Europe was still knuckle deep in the holiday chocolate selection box late last month, ChatGPT maker OpenAI was busy firing out an email with details of an incoming update to its terms that looks intended to shrink its regulatory risk in the European Union.

The AI giant’s technology has come under early scrutiny in the region over ChatGPT’s impact on people’s privacy — with a number of open investigations into data protection concerns linked to how the chatbot processes people’s information and the data it can generate about individuals, including from watchdogs in Italy and Poland. (Italy’s intervention even triggered a temporary suspension of ChatGPT in the country until OpenAI revised the information and controls it provides users.)

“We have changed the OpenAI entity that provides services such as ChatGPT to EEA and Swiss residents to our Irish entity, OpenAI Ireland Limited,” OpenAI wrote in an email to users sent on December 28.

A parallel update to OpenAI’s Privacy Policy for Europe further stipulates:

If you live in the European Economic Area (EEA) or Switzerland, OpenAI Ireland Limited, with its registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.

The new terms of use listing its recently established Dublin-based subsidiary as the data controller for users in the European Economic Area (EEA) and Switzerland, where the bloc’s General Data Protection Regulation (GDPR) is in force, will start to apply on February 15 2024.

Users are told if they disagree with OpenAI’s new terms they may delete their account.

The GDPR’s one-stop-shop (OSS) mechanism allows for companies that process Europeans’ data to streamline privacy oversight under a single lead data supervisory located in an EU Member State — where they are “main established”, as the regulatory jargon puts it.

Gaining this status effectively reduces the ability of privacy watchdogs located elsewhere in the bloc to unilaterally act on concerns. Instead they would typically refer complaints back to the main established company’s lead supervisor for consideration.

Other GDPR regulators still retain powers to intervene locally if they see urgent risks. But such interventions are typically temporary. They are also exceptional by nature, with the bulk of GDPR oversight funnelled via a lead authority. Hence why the status has proved so appealing to Big Tech — enabling the most powerful platforms to streamline privacy oversight of their cross-border personal data processing.

Asked if OpenAI is working with Ireland’s privacy watchdog to obtain main establishment status for its Dublin-based entity, under the GDPR’s OSS, a spokeswomen for the Irish Data Protection Commission (DPC) told TechCrunch: “I can confirm that Open AI has been engaged with the DPC and other EU DPAs [data protection authorities] on this matter.”

OpenAI was also contacted for comment.

The AI giant opened a Dublin office back in September — hiring initially for a handful of policy, legal and privacy staffers in addition to some back office roles.

At the time of writing it has just five open positions based in Dublin out of a total of 100 listed on its careers page, so local hiring still appears to be limited. A Brussels-based EU Member States policy & partnerships lead role it’s also recruiting at the moment asks applicants to specify if they’re available to work from the Dublin office three days per week. But the vast majority of the AI giant’s open positions are listed as San Francisco/U.S. based.

One of the five Dublin-based roles being advertised by OpenAI is for a privacy software engineer. The other four are for: account director, platform; international payroll specialist; media relations, Europe lead; and sales engineer.

Who and how many hires OpenAI is making in Dublin will be relevant to it obtaining main establishment status under the GDPR as it’s not simply a case of filing a bit of legal paperwork and checking a box to gain the status. The company will need to convince the bloc’s privacy regulators that the Member State-based entity it’s named as legally responsible for Europeans’ data is actually able to influence decision-making around it.

That means having the right expertise and legal structures in place to exert influence and put meaningful privacy checks on a U.S. parent.

Put another way, opening up a front office in Dublin that simply signs off on product decisions that are made in San Francisco should not suffice.

That said, OpenAI may be looking with interest at the example of X, the company formerly known as Twitter, which has rocked all sorts of boats after a change of ownership in fall 2022. But has failed to fall out of the OSS since Elon Musk took over — despite the erratic billionaire owner taking a hatchet to X’s regional headcount, driving out relevant expertise and making what appear to be extremely unilateral product decisions. (So, well, go figure.)

If OpenAI gains GDPR main established status in Ireland, obtaining lead oversight by the Irish DPC, it would join the likes of Apple, Google, Meta, TikTok and X, to name a few of the multinationals that have opted to make their EU home in Dublin.

The DPC, meanwhile, continues to attract substantial criticism over the pace and cadence of its GDPR oversight of local tech giants. And while recent years has seen a number of headline-grabbing penalties on Big Tech finally rolling out of Ireland critics point out the regulator often advocates for substantially lower penalties than its peers. Other criticisms include the glacial pace and/or unusual trajectory of the DPC’s investigations. Or instances where it chooses not to investigate a complaint at all, or opts to reframe it in a way that sidesteps the key concern (on the latter, see, for example, this Google adtech complaint).

Any existing GDPR probes of ChatGPT, such as by regulators in Italy and Poland, may still be consequential in terms of shaping the regional regulation of OpenAI’s generative AI chatbot as the probes are likely to run their course given they concern data processing predating any future main establishment status the AI giant may gain. But it’s less clear how much impact they may have.

As a refresher, Italy’s privacy regulator has been looking at a long list of concerns about ChatGPT, including the legal basis OpenAI relies upon for processing people’s data to train its AIs. While Poland’s watchdog opened a probe following a detailed complaint about ChatGPT — including how the AI bot hallucinates (i.e. fabricates) personal data.

Notably, OpenAI’s updated European privacy policy also includes more details on the legal bases it claims for processing people’s data — with some new wording that phrases its claim to be relying on a legitimate interests legal basis to process people’s data for AI model training as being “necessary for our legitimate interests and those of third parties and broader society” [emphasis ours].

Whereas the current OpenAI privacy policy contains the much drier line on this element of its claimed legal basis: “Our legitimate interests in protecting our Services from abuse, fraud, or security risks, or in developing, improving, or promoting our Services, including when we train our models.”

This suggests OpenAI may be intending to seek to defend its vast, consentless harvesting of Internet users’ personal data for generative AI profit to concerned European privacy regulators by making some kind of public interest argument for the activity, in addition to its own (commercial) interests. However the GDPR has a strictly limited set of (six) valid legal basis for processing personal data; data controllers can’t just play pick ‘n’ mix of bits from this list to invent their own bespoke justification.

It’s also worth noting GDPR watchdogs have already been trying to find common ground on how to tackle the tricky intersection of data protection law and big data-fuelled AIs via a taskforce set up within the European Data Protection Board last year. Although it remains to be seen whether any consensus will emerge from the process. And given OpenAI’s move to establish a legal entity in Dublin as the controller of European users data now, down the line, Ireland may well get the defining say in the direction of travel when it comes to generative AI and privacy rights.

If the DPC becomes lead supervisor of OpenAI it would have the ability to, for example, slow the pace of any GDPR enforcement on the rapidly advancing tech.

Already, last April in the wake of the Italian intervention on ChatGPT, the DPC’s current commissioner, Helen Dixon, warned against privacy watchdogs rushing to ban the tech over data concerns — saying regulators should take time to figure out how to enforce the bloc’s data protection law on AIs.

Note: U.K. users are excluded from OpenAI’s legal basis switch to Ireland, with the company specifying they fall under the purview of its U.S., Delware-based corporate entity. (Since Brexit, the EU’s GDPR no longer applies in the U.K. — although it retains its own U.K. GDPR in national law, a data protection regulation which is still historically based on the European framework, that’s set to change as the U.K. diverges from the bloc’s gold standard on data protection via the rights-diluting ‘data reform’ bill currently passing through parliament.)

OpenAI to open its first EU office as it readies for regulatory hurdles

ChatGPT-maker OpenAI accused of string of data protection breaches in GDPR complaint filed by privacy researcher

More TechCrunch

WazirX, one of India’s largest cryptocurrency exchanges, has suspended all trading activities on its platform days after losing about $230 million, nearly half of its reserves, in a security breach.…

WazirX halts trading after $230 million ‘force majeure’ loss

Featured Article

From Yandex’s ashes comes Nebius, a ‘startup’ with plans to be a European AI compute leader

Subject to shareholder approval, Yandex N.V. is adopting the name of one of its few remaining assets, an AI cloud platform called Nebius AI which it birthed last year.

From Yandex’s ashes comes Nebius, a ‘startup’ with plans to be a European AI compute leader

Employees at Bethesda Game Studios — the Microsoft-owned game developer that produces the Elder Scrolls and Fallout franchises — are joining the Communication Workers of America. Quality assurance testers at…

Bethesda Game Studios employees form a ‘wall-to-wall’ union

This week saw one of the most widespread IT disruptions in recent years linked to a faulty software update from popular cybersecurity firm CrowdStrike. Businesses across the world reported IT…

CrowdStrike’s update fail causes global outages and travel chaos

Alphabet, the parent company of Google, is in advanced talks to acquire cybersecurity startup Wiz for $23 billion, the Wall Street Journal reported on Sunday. TechCrunch’s sources heard similar and…

Unpacking how Alphabet’s rumored Wiz acquisition could affect VC

Around 8.5 million devices — less than 1 percent Windows machines globally — were affected by the recent CrowdStrike outage, according to a Microsoft blog post by David Weston, the…

Microsoft says 8.5M Windows devices were affected by CrowdStrike outage

Featured Article

Some Black startup founders feel betrayed by Ben Horowitz’s support for Trump

Trump is an advocate for a number of policies that could be harmful to people of color.

Some Black startup founders feel betrayed by Ben Horowitz’s support for Trump

Featured Article

Strava’s next chapter: New CEO talks AI, inclusivity, and why ‘dark mode’ took so long

TechCrunch sat down with Strava’s new CEO in London for a wide-ranging interview, delving into what the company is prioritizing, and what we can expect in the future as the company embarks on its “next chapter.”

Strava’s next chapter: New CEO talks AI, inclusivity, and why ‘dark mode’ took so long

Featured Article

Lavish parties and moral dilemmas: 4 days with Silicon Valley’s MAGA elite at the RNC

All week at the RNC, I saw an event defined by Silicon Valley. But I also saw the tech elite experience flashes of discordance.

Lavish parties and moral dilemmas: 4 days with Silicon Valley’s MAGA elite at the RNC

Featured Article

Tracking the EV battery factory construction boom across North America

A wave of automakers and battery makers — foreign and domestic — have pledged to produce North American–made batteries before 2030.

Tracking the EV battery factory construction boom across North America

Featured Article

Faulty CrowdStrike update causes major global IT outage, taking out banks, airlines and businesses globally

Security giant CrowdStrike said the outage was not caused by a cyberattack, as businesses anticipate widespread disruption.

Faulty CrowdStrike update causes major global IT outage, taking out banks, airlines and businesses globally

CISA confirmed the CrowdStrike outage was not caused by a cyberattack, but urged caution as malicious hackers exploit the situation.

US cyber agency CISA says malicious hackers are ‘taking advantage’ of CrowdStrike outage

The global outage is a perfect reminder how much of the world relies on technological infrastructure.

These startups are trying to prevent another CrowdStrike-like outage, according to VCs

The CrowdStrike outage that hit early Friday morning and knocked out computers running Microsoft Windows has grounded flights globally. Major U.S. airlines including United Airlines, American Airlines and Delta Air…

CrowdStrike outage: How your plane, train and automobile travel may be affected

Prior to the ban, Trump’s team used his channel to broadcast some of his campaigns. With the ban now lifted, his channel can resume doing so.

Twitch reinstates Trump’s account ahead of the 2024 presidential election

This week, Google is in discussions to pay $23 billion for cloud security startup Wiz, SoftBank acquires Graphcore, and more.

M&A activity heats up with Wiz, Graphcore, etc.

CrowdStrike competes with a number of vendors, including SentinelOne and Palo Alto Networks but also Microsoft, Trellix, Trend Micro and Sophos, in the endpoint security market.

CrowdStrike’s rivals stand to benefit from its update fail debacle

The IT outage may have an unexpected effect on the climate: clearer skies and maybe lower temperatures this evening

CrowdStrike chaos leads to grounded aircraft — and maybe an unusual weather effect

There’s a man in Florida right now who wants to propose to his girlfriend while they’re on a beach vacation. He couldn’t get the engagement ring before he flew down…

The CrowdStrike outage is a plot point in a rom-com 

Here’s everything you need to know so far about the global outages caused by CrowdStrike’s buggy software update.

What we know about CrowdStrike’s update fail that’s causing global outages and travel chaos

This serves as an example for how easy it is to spread inaccurate information online during a time of immense global confusion and panic.

From the Sphere to false cyberattack claims, misinformation runs rampant amid CrowdStrike outage

Today is the final chance to save up to $800 on TechCrunch Disrupt 2024 tickets. Disrupt Deal Days event will end tonight at 11:59 p.m. PT. Don’t miss out on…

Last chance today: Secure major savings for TechCrunch Disrupt 2024!

Indian fintech Paytm’s struggles won’t seem to end. The company on Friday reported that its revenue declined by 36% and its loss more than doubled in the first quarter as…

Paytm loss widens and revenue shrinks as it grapples with regulatory clampdown

J. Michael Cline, the co-founder of Fandango and multiple other startups over his multi-decade career, died after falling from a Manhattan hotel, New York’s Deputy Commissioner of Public Information tells…

Fandango founder dies in fall from Manhattan skyscraper

Venture capital giant a16z fixed a security vulnerability in one of the firm’s websites after being warned by a security researcher.

Researcher finds flaw in a16z website that exposed some company data

Apple on Thursday announced its upcoming lineup of immersive video content for the Vision Pro. The list includes behind-the-scenes footage of the 2024 NBA All-Star Weekend, an immersive performance by…

Apple Vision Pro debuts immersive content featuring NBA players, The Weeknd and more

Biden centering Musk in his campaign is a notable escalation, considering he spent most of his presidency seemingly pretending the billionaire didn’t exist.

Elon Musk is now a villain in Joe Biden’s presidential campaign

Waymo would need a ground transportation permit to operate at SFO, which has yet to be approved.

Waymo wants to bring robotaxis to SFO, emails show

When Tade Oyerinde first set out to fundraise for his startup, Campus, a fully accredited online community college, it was incredibly difficult. VCs have backed for-profit education companies in the…

Why it made sense for an online community college to raise venture capital

Canadian private equity firm PartnerOne paid $28.2 million for HeadSpin, a mobile app testing startup whose founder was sentenced for fraud earlier this year, according to documents viewed by TechCrunch.…

PE firm PartnerOne paid $28M for HeadSpin, a fraction of its $1.1B valuation set by ICONIQ and Dell Technologies Capital