EU Targets Microsoft and OpenAI in Probes

Concurrent with the AI Act's approval, the European Data Protection Board (EDPB) released a report on ongoing investigations of OpenAI’s ChatGPT across the EU. The EDPB report highlights concerns about the use of personal data in training large language models (LLMs) and emphasizes the need for compliance with both the General Data Protection Regulation (GDPR) and the AI Act. The report identifies web scraping as a risk to individuals' rights, as the data obtained often includes sensitive information, and recommends measures to protect personal data.

The EDPB also raises concerns about ChatGPT prompts and the principle of fairness, stating that users should be informed that their content may be used for training purposes. Despite the probabilistic nature of LLMs leading to biased or false outputs, the obligation of data accuracy must be upheld.

In March 2023, CAIDP filed a detailed complaint with the Federal Trade Commission (FTC), alleging that OpenAI had violated US consumer protection law and also the GDPR. In July 2023, The New York Times and The Wall Street Journal reported that the FTC had initiated the investigation CAIDP requested, but as of May 2024 there is still no outcome in the FTC matter.

In a related development, the European Commission has intensified its enforcement actions against Microsoft, issuing a legally binding request for information regarding potential GDPR breaches related to Bing's generative AI features. The request stems from suspicions of risks associated with "hallucinations," deepfakes, and automated manipulation that could mislead voters. Microsoft has until May 27 to provide the requested information or face substantial fines.