Latest Posts

Shedding Light on ChatGPT – The Legal Considerations

Love or hate the idea (and many people fall into the latter category), AI language and text to image models have arrived. Now anyone can create prose, programmes, and pictures in mere seconds simply by entering a few instructions on a website. You may be thinking “wonderful, no more dull report and contract writing”. However, there are serious concerns around the accuracy of the information ChatGPT is producing. In addition, the lawsuits by artists, engineers, and other creatives against AI language and art model developers are mounting. There are also potential legal issues for users of ChatGPT, such as copyright infringement and defamation.

Before exploring these legal challenges, it is useful to explain what AI language and art models are. For ease of reference, I will refer to the most well-known, ChatGPT, but the basic principles apply to most other chatbots such as Meta’s Llama, and Google’s Bard.

What Is ChatGPT?

ChatGPT, which stands for “Chat Generative Pre-trained Transformer”, was created by OpenAI and launched in November 2022. It is considered the most significant technological development since the launch of the Apple iPhone in 2007. It can produce human-like responses to a vast range of questions and is often (but not always) accurate.

ChatGPT works by predicting the next word in a series of words. It is underpinned by an enormous language model, which OpenAI created by feeding it some 300 billion words systematically scraped from the internet in the form of books, articles, websites, and blog posts. ChatGPT used the data provided to learn how to predict the next word. Eventually, it became sufficiently trained to produce human-like responses to tasks given to it via the front-end ‘Chat’.

Preston Gralla provided a brilliant analogy for how AI language and text to image models operate in a recent article:

“To do its work, AI needs to constantly ingest data, lots of it. Think of it as the monster plant Audrey II in Little Shop of Horrors, constantly crying out ‘Feed me!’”

OpenAI and other developers of AI text and image-generating models did not seek permission to use third-party words and art to feed their creations. This fact forms the basis of several class legal actions currently underway around the world.

The legal claims against ChatGPT and other language and image-generating models fall into several categories:

  • Intellectual property infringement – lawsuits have been launched in several countries, including the UK and US, concerning AI developers scraping content from the internet to train their models without asking permission from the original creators. For example, Stability AI, the London-based company behind the text to image model Stable Diffusion, is being taken to court by Getty Images, which is arguing that Stability AI “unlawfully copied and processed millions of images protected by copyright and the associated metadata” to train Stable Diffusion. There is also a class action lawsuit being brought against several text to image generators, including Stable Diffusion, DeviantArt, and Midjourney, by several US-based artists who claim their original work was scraped from the Internet without permission and used to train a text to image tool.
  • Defamation – the mayor of Hepburn Shire, 120km northwest of Melbourne, Australia, at the time of writing was threatening to sue Microsoft for defamation after ChatGPT (which is incorporated into Microsoft’s search engine, Bing) falsely named him as a guilty party in a foreign bribery scandal involving a subsidiary of the Reserve Bank of Australia in the early 2000s.
  • Breach of open-source code licences – a class action lawsuit has been brought against GitHub, Microsoft, and OpenAI (and others). The Claimants allege that the Defendants violated open-source licensing terms and conditions and breached copyright when they used code created by others to build and train Copilot, an AI coding assistant.
  • Privacy and data protection breaches – the scraped data used to train ChatGPT scooped up enormous amounts of personal information without the consent of data subjects. Potentially, this breaches privacy and data protection regulations around the world, including the UK and EU GDPR and the California Privacy Rights Act (CPRA). On 31 March 2023, Italy’s data regulator, Garante per la Protezione dei Dati Personali, said it would block ChatGPT and investigate whether the AI model complied with the EU GDPR. The watchdog stated no legal foundation to justify “the mass collection and storage of personal data for the purpose of ‘training’ the algorithms underlying the operation of the platform” had been provided. It also voiced concern over the fact that ChatGPT does not verify users’ ages, and therefore “exposes minors to absolutely unsuitable answers compared to their degree of development and awareness”. At the beginning of May, Italy reactivated ChatGPT and said it would carry on its “fact-finding activities regarding OpenAI under the umbrella of the ad-hoc task force that was set up by the European Data Protection Board.”

What Are The Risks For Businesses Using ChatGPT?

Although ChatGPT and its offshoots may seem like a productivity dream come true, caution must be taken when using it to produce written text and images for business purposes. There may be issues concerning copyright and breach of the GDPR and Data Protection Act 2018. In addition, as demonstrated by the defamation lawsuit brought by the mayor of Hepburn Shire, there may be serious legal consequences for organisations if ChatGPT makes mistakes or demonstrates bias, both of which it can do. To avoid potential claims, businesses and individuals must undertake a risk assessment before utilising ChatGPT for particular projects and establish robust due diligence checks on the accuracy and impartiality of the content it produces.

ChatGPT represents an exciting and unknown future for businesses and people alike. To discuss any of the points raised in this article, including undertaking risk assessments, please contact Ann-Maree Blake.

Protect Your Organisation from GDPR Fines

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that was implemented by the European Union (EU) in 2018. Its purpose is to protect the personal data of EU citizens by establishing strict rules for the collection, processing, and storage of personal information by organisations.

The GDPR applies not only to organisations based in the EU but also to any organisation that processes the personal data of EU citizens, regardless of where the organisation is located. Non-compliance with GDPR can result in significant fines and penalties.

What is the latest on GDPR fines?

According to recent research, supervising authorities across Europe have markedly increased the level of fines issued to companies found in breach of the GDPR. Latest figures show:

  • In the year ending March 2022, data protection supervisory authorities across Europe issued fines of around EUR 1.581 billion (GBP 1.403 billion) (+1.319 billion in comparison to the 2021 figures).
  • A total number of 1,031 fines (+505 in comparison to 2021) were issued in the year ending March 2022.
  • In relation to the number of fines and average sum of fines issued, the most common compliance breach was due to “insufficient legal basis for data processing”. The second and third most reported and fined breaches were caused by “insufficient technical and organisational measures to ensure information security” and “insufficient fulfilment of data subject’s rights”.

These figures show that GDPR enforcement is here to stay and regulators are increasing the number of investigated cases and penalty levels year on year. No business can afford to be complacent when it comes to implementing GDPR policies and procedures.

Find out more in our post Five Ways To Protect Your Company from a GDPR fine

What sectors received the most GDPR fines?

The following sectors received the highest number of GDPR fines:

  • Industry and Commerce
  • Media
  • Telecoms
  • Broadcasting
  • Transportation
  • Energy

It is important to note that this does not mean these sectors are necessarily shirking their data protection and privacy compliance obligations; rather, it is an indication that these industries are the most exposed in terms of GDPR-related risk. Although the average fines levied in the Transportation and Energy sectors were high, the number of fines issued was relatively low. This signifies that although breaches in these sectors are relatively rare, when they occur they are serious and thus attract large penalties.

What are the most common types of GDPR breaches leading to fines?

The top areas of GDPR non-compliance leading to fines were:

  • Insufficient legal basis for data processing
  • Inadequate technical and organisational measures to ensure information security
  • Non-compliance with general data processing principles
  • Insufficient fulfilment of data subjects’ rights
  • Unsatisfactory fulfilment of information obligations
  • Insufficient cooperation with supervisory authority
  • Inadequate fulfilment of data breach notification obligations
  • Non-appointment of data protection officer
  • Insufficient data processing agreement

This shows that many companies are still unsure of what constitutes a lawful basis for processing personal data. The lawful foundations for processing data are set out in Article 6 of the GDPR and at least one of the following must be present whenever personal data is processed:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

If none of the above apply to your reason for processing personal data, the processing is unlawful and therefore a breach of Article 6.

Wrapping up

The data is clear – all companies, especially those in high-risk sectors such as advertising, technology, telecommunications, and general communications (for example direct marketing) need to implement consistent, proactive training programmes to ensure all employees understand what is required for GDPR compliance. As supervising authorities become more confident with enforcing data protection and privacy regulations, the scope for fines and reputational damage leading to a loss of consumer trust will continue to increase.

To find out how we can assist you on all matters relating to GDPR and data protection law, please contact Ann-Maree Blake to make an appointment.
