Updated Tuesday, April 16, 2024


Data Protection aspects when using the ChatGPT-API

Current developments and possible solutions for handling the ChatGPT-API (Update)

Boris Arendt

Salary Partner (Attorney-at-law)

Steffen Groß

Partner (Attorney-at-law)

Current (April 2024): Data protection authorities examine OpenAI
What does "GPT-API" mean?
Use of ChatGPT via the OpenAI API platform: individuals or companies?
Who is the controller?
Data processing agreement with OpenAI
How is the data processing agreement concluded?
Does OpenAI's DPA meet the requirements of Art. 28 GDPR?
Add the use of the GPT API to the privacy policy
Data protection impact assessment (DPIA) and data security
Use of the GPT API via Azure Cloud (Microsoft)
Conclusion
Support from Simpliant
Downloads


Since November 2022, ChatGPT has not only garnered the interest of private users but also that of numerous companies and, consequently, data protection regulatory authorities. We had already pointed out the data protection challenges in our "Insights." But what about the ChatGPT API?


Current (April 2024): Data protection authorities examine OpenAI

In the wake of current developments in the AI sector, the activities of OpenAI, the developer behind the AI platform ChatGPT, are increasingly coming under the scrutiny of data protection authorities.

The Italian data protection authority (Garante per la protezione dei dati personali) has accused OpenAI of violating the EU General Data Protection Regulation (GDPR).

This notification was made in a press release dated January 29, 2024, available at Garante Privacy. OpenAI was given 30 days to respond to the allegations made. It is not known whether and how OpenAI responded to this letter within the deadline.

The European Data Protection Board ("EDPB") announced the establishment of a task force in a press release back in April 2023. The aim of the data protection task force is to promote cooperation and the exchange of information on possible measures by data protection authorities regarding OpenAI and ChatGPT. These developments show the increased attention and willingness of European data protection authorities to more carefully monitor the compliance of OpenAI and other AI service providers with data protection regulations.

In light of recent developments, it is important to carefully plan the integration of the GPT API not only from a technical perspective, but also from a comprehensive regulatory and data protection perspective. This is particularly important when implementing the GPT API in business-critical processes.

The increased attention and willingness of European data protection authorities to scrutinize - and intervene if necessary - underlines the need for forward-looking planning and consideration of GDPR requirements when implementing the new technology. In this article, we describe how you can implement OpenAI's GPT API in compliance with the GDPR.


What does "GPT-API" mean?

OpenAI's "GPT API" is an interface that gives developers access to the latest versions of OpenAI's Generative Pre-trained Transformer (GPT), currently GPT-4.

These models support a wide range of applications:

• Text creation: Creation of content such as articles, reports, code and e-mails.
• Creative work: Generating and editing ideas for creative content.
• Linguistic interactions: Development of chatbots and virtual assistants for complex dialogs.
• Text analysis: Summarizing, reviewing and translating large amounts of text.

The GPT API thus enables developers to integrate advanced AI functions into their applications without having to train extensive models themselves. Through the API, applications can gain direct access to the latest models from OpenAI, which can be used for a wide range of tasks.

In addition to text processing, OpenAI's offering includes other models such as DALL-E for image generation and Whisper for speech recognition.

However, this will also regularly mean that company data and personal data will be transmitted to OpenAI during use. This raises the question of which data protection requirements apply to companies when integrating the GPT API.


Use of ChatGPT via the OpenAI API platform: individuals or companies?

OpenAI offers various options for using ChatGPT and the OpenAI API platform. Use of GPT-3 or GPT-4 is possible for both individuals and companies.

Individuals can choose between a free basic version and a paid subscription, which offers extended functions.

For individual users:

Free: This free offer is aimed at individuals who are just starting out with ChatGPT. It includes unlimited messages, interactions and history as well as access to the GPT-3.5 model and is available on Web, iOS and Android.

Plus: For $20 per month, this subscription offers everything in the Free package plus access to GPT-4, OpenAI's most powerful model. In addition, it includes advanced tools such as DALL-E, browsing, advanced data analysis and more.

There are two specific offers for companies:

Team: For teams that want to intensify their collaboration, this offer starts at $25 per user per month when billed annually (or $30 when billed monthly). It extends the Plus offer with higher message limits, the ability to create and share GPTs within the workspace, and an administration console for managing the workspace. Team data is not used for training by default.

Enterprise: This model is designed for larger organizations looking for a secure, scalable deployment and requires direct contact with sales. It includes all the benefits of the Team subscription and adds unlimited, fast access to GPT-4 and advanced tools, extends the context window for longer inputs, offers SAML SSO, exclusive data retention windows and admin controls, as well as priority support and ongoing account management.

Contractual relationships between companies and OpenAI

The contractual terms between users and OpenAI therefore differ depending on whether it is a company account or an individual account.

OpenAI's "Business Terms" set out more detailed provisions for corporate customers (including a data processing agreement that forms part of the contract).

The contractual relationships with companies therefore differ significantly from the more general terms of use and data protection provisions that apply to individual users.

While individual terms can often be negotiated for corporate contracts, the terms for individual users are based on standard contracts that apply to all users of the platform.

Further details:

https://openai.com/pricing
https://openai.com/policies


Who is the controller?

If a company integrates ChatGPT into its products and services via the API, it is itself a controller within the meaning of data protection law, as it determines the "purposes and means" of data processing (Art. 3 GDPR).

When integrating the API, OpenAI generally becomes a processor as a service provider (Art. 28 GDPR), which acts on the instructions of the company using the API and processes personal data in this context.


Data processing agreement with OpenAI

Because OpenAI acts as a processor for the company integrating the API, a data processing agreement within the meaning of Art. 28 GDPR must be concluded before personal data is transferred to OpenAI.


How is the data processing agreement concluded?

The process for concluding a Data Processing Addendum (DPA) with OpenAI begins with the registration for a company account, such as the "Team Business Account".

https://openai.com/de/policies/eu-terms-of-use (Valid from: December 14, 2023)

Since February 15, 2024, new terms of use and data protection regulations for OpenAI services have been in force, which are specifically tailored to users in the European Economic Area (EEA), Switzerland and the UK. The latest changes have resulted in the following adjustments:

Responsible company: OpenAI Ireland Limited is now the designated service provider for users in the EEA and Switzerland.

For companies based in the EU that use the OpenAI APIs or ChatGPT Business, the contract is therefore concluded with the following company:

OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Center, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland

No DPA is available for consumer services such as ChatGPT or DALL-E Labs, so companies should use business accounts instead of personal accounts, as the data processing agreement is required for the transfer of personal data to OpenAI Ireland Ltd.

OpenAI's DPA is available at the following link: https://openai.com/policies/data-processing-addendum

Companies can request the DPA by clicking on the "Execute Data Processing Agreement" button at the bottom of the page.

The process to complete the Data Processing Addendum (DPA) includes the following steps:

  1. Fill out online form: Companies complete an online form in which they must provide their full legal company name and organization ID, among other information. For companies in the European Economic Area (EEA) or Switzerland, the location must also be specified.

  2. Select OpenAI entity: Companies in the EU should select OpenAI Ireland Ltd. as their contracting party.

  3. Provide contact details for signing: The email address and position of the person signing the DPA on behalf of the company must be provided.

  4. Review and accept DPA: After submitting the form, the parties involved will receive an email request to review and electronically accept the agreement. This email will contain a link to the digital platform where the contract can be viewed and signed. After the electronic signature, both parties receive a confirmation and access to a saved, digitally signed PDF copy of the DPA. The DPA becomes legally binding as soon as it is accepted by the company. The DPA received by email should then be stored in a suitable place in order to be able to prove compliance with data protection requirements (Art. 5, 28 GDPR).


Does OpenAI's DPA meet the requirements of Art. 28 GDPR?

According to Art. 28 GDPR, clients are obliged to check their service providers. The risk of the processing activity in question must be taken into account. Factors such as the type of customer data processed play a role in the risk assessment. The higher the risk to the rights and freedoms of natural persons, the stricter the requirements for the contractual provisions in the DPA should be ("risk-based audit approach").

We have audited the DPA of OpenAI with regard to the requirements of Art. 28 GDPR as an example. This audit serves as a reference for similar assessments and can generally be used as a template for own audits within the scope of Art. 28 GDPR. The assessment should be adapted individually, taking into account the specific risks of the respective project. The template with the table can be downloaded at the end of this article.


Add the use of the GPT API to the privacy policy

The controller must make data processing transparent to its users when using OpenAI services. This is usually done via privacy notices, which fulfil the information obligations under Art. 13 and Art. 14 GDPR.

However, it is not sufficient for the controller to simply refer to OpenAI's privacy policy. Rather, the controller must independently provide information on how and for what purposes the user's data is processed by the controller and its processors, how long it will be stored and when it will be deleted.

It is also necessary to make it transparent to users how they can exercise their data subject rights. In addition, the controller and OpenAI must agree on how compliance with data subject rights can be ensured by service providers such as OpenAI.

A sample formulation for the corresponding processing activity in the privacy policy of a company using the GPT API could be as follows:

Example data protection notice for the integration of the GPT API in the customer chatbot

Type and purpose of processing:

Our website uses a customer chatbot powered by OpenAI's GPT API to process requests efficiently and interactively. When you use the chatbot, the following types of personal data may be processed: text entries in the chat, which contain information about your request, and technical data such as IP address and usage times. This data is required to understand your requests, respond accordingly and improve our service.

Legal basis:

The transfer of data to OpenAI for the use of the GPT API in the context of our customer chatbot is based on Art. 28 GDPR, which regulates the use of processors. Your interactions with the chatbot and associated data processing serve to effectively respond to your inquiries, which is carried out as part of pre-contractual measures in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR and our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR to improve our customer service.

Retention period:

The data collected as part of the use of the customer chatbot will only be stored for as long as is necessary to process your inquiries and then deleted in accordance with statutory retention obligations.

Transfer to third parties and place of processing:

Your data may be shared with OpenAI, the provider of the GPT API, and OpenAI affiliates. The exact location of data processing depends on the geographical allocation by OpenAI.


Data protection impact assessment (DPIA) and data security

If data processing when using the ChatGPT API is associated with high risks for the data subjects, a data protection impact assessment (DPIA) must be carried out (Art. 35 GDPR).

The body of German data protection supervisory authorities (Data Protection Conference - DSK) has published a so-called positive list of processing activities for which a DPIA is mandatory. Item 11 of the list (customer support using artificial intelligence) and item 13 (telephone call analysis using algorithms) are particularly relevant here.

In this context, the purposes for which the service is to be used are of decisive importance. For example, if the chatbot is to be integrated into the customer support of a health insurance company, health data can easily end up being processed, and the DPIA would have to analyze how the risk of disclosure of sensitive information and health data can be effectively handled or excluded.

The DPIA aims to identify and assess the risks for the data subjects in a structured manner and to determine how these risks can be handled with technical and organizational measures and reduced to an acceptable level. At this point at the latest, an in-depth examination of a security concept for OpenAI is likely to be necessary.


Use of the GPT API via Azure Cloud (Microsoft)

For companies, the integration of OpenAI models into the Azure cloud infrastructure through Azure OpenAI from Microsoft offers interesting opportunities. Users gain access to extensive AI models such as GPT-4 and DALL-E via REST API, integrating the functionalities of OpenAI into the Azure cloud platform.

Azure OpenAI offers two billing models: Firstly, usage-based billing (pay-as-you-go, "PAYG"), where costs are incurred according to actual usage, and secondly, billing based on pre-provisioned throughput capacity (Provisioned Throughput Units, "PTUs"), which reserve a fixed amount of resources.

The availability of certain OpenAI services varies depending on the location. In Europe, for example, GPT-3.5 and GPT-4 (Preview) are currently available. Access to Azure OpenAI is currently limited; Microsoft is focusing on working with existing customers for low-risk applications that commit to risk mitigation measures. New customers must submit an application for use.

Since the integration of OpenAI is part of Microsoft's preview functions, the extended terms of use ("Terms of Use") for preview functions apply to the use of Azure OpenAI.

Microsoft also offers a guide to data, data protection and security. According to these documents, the possible uses of the data are regulated restrictively: Customer data is not accessible to other customers or to OpenAI and may not be used to improve OpenAI models or Microsoft products. However, there is the option to use your own data for training or individual fine-tuning of your own models.

Data transmitted to Microsoft during the use of Azure OpenAI is processed for content generation, creation of individual models and abuse monitoring. Microsoft emphasizes that customer data and generated content are stored to monitor and prevent misuse, with content including prompts being stored on special servers for 30 days.

If misuse is detected by the monitoring system, data is flagged and EU support staff decide on the next steps. Customers can object to data storage using a Microsoft form, but must submit a request that must be approved by Microsoft.

It is important to note that data processed via Azure OpenAI is not stored with OpenAI, but on Microsoft's Azure cloud servers. For users in the EU, this means that their data is processed on EU servers, and the data residency principle is intended to ensure that this data is not transferred to third countries.


Conclusion

Despite the growing regulatory attention and the discussions about bans and risks, it is clear that the integration of AI-based services is possible in accordance with the data protection regulations of the GDPR. This finding underlines the importance of proactively monitoring technological and legal developments in order to be able to react to new regulatory requirements in a timely manner.

Data protection measures and compliance

OpenAI's Data Processing Addendum (DPA) provides a solid foundation that meets the key requirements of the GDPR. Nevertheless, it is important to closely monitor the future attitude of the data protection authorities towards OpenAI. For companies planning to use OpenAI services, it is advisable to strategically consider data protection aspects from the outset (privacy by design). The implementation of basic data protection practices enables the legally compliant use of OpenAI services in accordance with Art. 28 GDPR, especially when using the GPT-API in products and services.

The essential steps include:

  • Checking the service provider and concluding a data processing agreement.
  • Updating the record of processing activities.
  • Drafting or revising the privacy policy.
  • (Carrying out a data protection impact assessment, if necessary).

Integration in Azure Cloud and future availability

The use of OpenAI models via Azure OpenAI is another option for companies that already use Azure Cloud services from Microsoft. This integration can help to minimize certain data protection risks, especially in connection with the transfer of data to third countries. However, given the currently limited availability of Azure OpenAI, it is unclear when this option will be available to a wider user base.

Recommendations

In view of the careful scrutiny by data protection supervisory authorities, it is advisable to involve data protection officers in the use of OpenAI services at an early stage. In addition, it can be advantageous to consult the expertise of lawyers specializing in data protection for specific issues.

This strategy not only ensures compliance with applicable data protection regulations, but also strengthens the company's position with regard to future changes in the area of data protection law. It also helps to prepare the company for possible audits by data protection authorities and to proactively manage potential risks in the use of AI technologies.


Support from Simpliant

The integration of AI technologies such as the OpenAI API holds great potential, but also presents companies with significant data protection challenges. Simpliant focuses on helping you to integrate AI language models such as GPT into your business processes in a data protection-compliant manner. If you need support in overcoming the complex data protection challenges in the AI sector, please contact us via our contact form.


Downloads

Simpliant Template: DPA Check OpenAI (download)

Legal advice

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB


© 2019 - 2024 Simpliant