Based on a report by the European Data Protection Board (EDPB), a taskforce was established on April 13, 2023, to coordinate investigations regarding the ChatGPT service provided by OpenAI OpCo, LLC. The taskforce was formed due to the absence of a one-stop-shop (OSS) mechanism applicable to OpenAI, as the company did not have an establishment in the EU until February 15, 2024. This taskforce aimed to foster cooperation and exchange information on possible enforcement actions concerning the processing of personal data by ChatGPT​​ .

The report outlines several key areas of investigation:

1. Lawfulness:

   • The collection, pre-processing, and training of data used by ChatGPT are under scrutiny, especially the legality of web scraping, which collects personal data from publicly available sources​​ .
   • OpenAI cites Article 6(1)(f) GDPR as the legal basis for web scraping, emphasizing the necessity of processing, relevance, and balancing of interests .
   • The processing of special categories of personal data under Article 9(2) GDPR and the safeguards implemented by OpenAI are also examined .

2. Fairness:

   • The principle of fairness under Article 5(1)(a) GDPR mandates that personal data should not be processed in a way that is unjustifiably detrimental or misleading to the data subject​​ .
   • The taskforce stresses that OpenAI must not transfer the responsibility of GDPR compliance to data subjects .

3. Transparency and Information Obligations:

   • The report highlights the need for compliance with Articles 13 and 14 GDPR concerning the provision of information to data subjects .
   • Large-scale data collection via web scraping invokes Article 14(5)(b) GDPR, while direct interactions with ChatGPT invoke Article 13 GDPR .

4. Data Accuracy:

   • Ensuring the accuracy of both input and output data is critical, especially since the purpose of data processing is to train ChatGPT and not necessarily to provide factually accurate information .
   • The report stresses the importance of transparency about the probabilistic nature of ChatGPT’s outputs and their potential biases .

5. Rights of the Data Subject:

   • OpenAI's obligations to facilitate the exercise of data subjects' rights, such as access, rectification, erasure, and objection under GDPR, are discussed .
   • OpenAI provides contact options for exercising these rights and must continue improving these modalities to comply with GDPR .

The taskforce developed a questionnaire to coordinate investigations and gather consistent information across different Supervisory Authorities (SAs). This questionnaire addresses various aspects of data processing, compliance measures, and transparency practices related to ChatGPT .