On April 4th, 2023, the Office of the Privacy Commissioner of Canada (“OPC“) announced it had launched an investigation into OpenAI, the company behind artificial the intelligence (AI)-powered chatbot ChatGPT. The OPC said the investigation was launched “in response to a complaint alleging the collection, use and disclosure of personal information without consent”.
I thought I would have ChatGPT[1] take a shot at drafting a Report of Findings, the report that is issued by the OPC at the conclusion of its investigation. The prompt I provided to ChatGPT was:
Prepare a Report of Findings regarding an investigation into the business, OpenAI’s ChatGPT, in the style of the Office of the Privacy Commissioner of Canada based on a complaint alleging the collection, use and disclosure of personal information without consent. The Report of Findings should examine: (1) whether adequate consent was obtained for the collection, use and disclosure of personal information for the purpose of training the ChatGPT algorithm; and (b) whether the Office of the Privacy Commissioner of Canada has jurisdiction to investigate this complaint.
For the nature of the privacy complaint, I used the general allegation about lack of consent set out in the OPC’s announcement, and added in a question about the OPC’s jurisdiction to commence an investigation. The latter question was spurred by my own observation that ChatGPT does not necessarily collect, use or disclose personal information, and if it does, it may not be doing so “in the course of commercial activities’. Both of these issues are threshold issues for the OPC’s jurisdiction.
ChatGPT did an admirable job, given the limited information about the nature of the investigation. It did not play favourites, indicting its creators for lack of adequate and meaningful consent, and even making Recommendations to remedy the issues it identified.
ChatGPT generated its “Report” in under a minute, meeting the one year statutory deadline set out in PIPEDA.
ChatGPT’s “Report of Findings”:
Introduction:
This report concerns a complaint made to the Office of the Privacy Commissioner of Canada (“OPC”) regarding the collection, use, and disclosure of personal information by OpenAI’s ChatGPT without adequate consent. The complainant alleges that OpenAI collected, used, and disclosed personal information without obtaining proper consent for the purpose of training the ChatGPT algorithm. This report will examine whether adequate consent was obtained and whether the OPC has jurisdiction to investigate this complaint.
Jurisdiction:
The OPC has jurisdiction to investigate complaints concerning the collection, use, or disclosure of personal information by an organization in the course of commercial activities, except for those conducted solely for journalistic, artistic, or literary purposes. OpenAI is a for-profit organization engaged in commercial activities and is therefore subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), which the OPC oversees.
Adequacy of Consent:
The collection, use, and disclosure of personal information by OpenAI’s ChatGPT are subject to PIPEDA’s requirements for consent. PIPEDA requires that an organization obtain the individual’s consent before collecting, using, or disclosing their personal information, and that the consent be meaningful, informed, and given voluntarily.
In this case, OpenAI collected personal information through the use of the ChatGPT algorithm, which relies on large amounts of text data to generate responses to user inputs. This data is collected from various sources, including online forums, social media platforms, and other publicly available sources. However, the complainant alleges that OpenAI did not obtain adequate consent for the collection, use, and disclosure of their personal information.
Upon review of OpenAI’s privacy policy, it was found that OpenAI does provide information on how personal information is collected, used, and disclosed by the ChatGPT algorithm. However, the privacy policy does not adequately explain the purposes for which the personal information is collected or the potential risks associated with the collection, use, and disclosure of personal information.
Furthermore, OpenAI does not obtain explicit consent from individuals for the collection, use, and disclosure of their personal information. While OpenAI does provide users with the option to opt-out of data collection, this opt-out process is not easily accessible, and the privacy policy does not adequately explain how to opt-out of data collection.
Conclusion:
Based on the findings of this investigation, it is concluded that OpenAI did not obtain adequate consent for the collection, use, and disclosure of personal information for the purpose of training the ChatGPT algorithm. OpenAI’s privacy policy does not adequately explain the purposes for which the personal information is collected or the potential risks associated with the collection, use, and disclosure of personal information. OpenAI also does not obtain explicit consent from individuals for the collection, use, and disclosure of their personal information.
Recommendations:
The OPC recommends that OpenAI take the following steps to address the issues identified in this report:
- Update its privacy policy to clearly explain the purposes for which personal information is collected, used, and disclosed by the ChatGPT algorithm, as well as the potential risks associated with the collection, use, and disclosure of personal information.
- Obtain explicit consent from individuals for the collection, use, and disclosure of their personal information.
- Provide users with an easily accessible opt-out process for data collection and explain how to opt-out of data collection in the privacy policy.
OpenAI is requested to report back to the OPC within 90 days of receiving this report, outlining the steps taken to implement these recommendations.
[1] ChatGPT Mar 23 Version. Free Research Preview.
For more information about this and other AI topics and how we can help, please contact the author, Kirsten Thompson.
