AI’s “Hallucinations” Prompt Privacy Complaint

Noyb, the Austrian independent data protection organization, and lawyer Max Schrems founded, has filed a complaint with the EU privacy authority regarding OpenAI – a violation of GDPR and failure to provide a remedy for incorrect information.

Privacy complaint filed

Schrems, a noted privacy lawyer and capable activist, has initiated some of the most important privacy complaints in the EU. OpenAI is facing the DSB (Austrian Dominance and Discrimination Society), whose challenge focuses on “hallucinations,” the wrong answers that AI (artificial intelligence) large language models tend to provide. The relief that the adjudication order requests includes an investigation of the infringement, declaratory decision, penalty, and study of corrective measures.

The company, OpenAI, is allegedly aware of the privacy breach, but it doesn’t matter. According to the press release, Noyb’s statement is in a statement announcing the filing. OpenAI did not provide Euractiv with a comment.

Large models, including ChatGPT, do calculations to predict those words that make the most sense for certain selections. There are cases when the model will select the wrong words because of its inability to notice that is the context, giving the wrong answer or “hallucination,” which is industry jargon.

This, however, is not with the individual rights in the “privacy” traditions, so for Noyb. European regulation has not gone far in stating the need for the accuracy of personal data since 1995, and GDPR, the EU’s newest privacy law, takes the duty of precise personal data protection.

Targeting AI “hallucinations”

Along this line, Noyb pointed out that the personal information of any public pundit without birth date details is available online. The ChatGPT mistakenly replied with their main date because of the mistake in the question.

OpenAI, too, was not content with their unsolicited response regarding the access and erasure of the data entailed in the request investigation carried out in December 2023. Under GDPR, data controllers must communicate to the personal information subject about their data processing and erase the subject’s data upon request, while restrictions on deletion are allowed.

Noyb, who acted as a complainant in the case, found out that the service supplied statistical data to the user; nonetheless, no information on data usage by the system was provided.

Data requests mishandled

As OpenAI said, aside from delivering an educational message, they promised to do their best to block the model from telling the birth year in response to the query; however, according to the complaint, they can’t correct the wrong displayed answer.

It, in turn, led to a more information part of the data subject being blocked from ChatGPT. This, in its meaning, would hinder the public’s right to information about this person- a known figure- whom OpenAI had reported via an objection.

The claim said, “No action from a chatbot can correct the information, no filter can selectively screen, or simply that any data subject cannot comply with this situation according to the controller.”

It is the Irish branch alone, and the headquarters still reside in the US, Noyb told EU’s antitrust chief Margrethe Vestager. This defendant was named in the suit because it is an entity of the US corporation, OpenAI OpCo LLC, which is in the company’s terms and conditions.