Spain's data protection authority, AEPD, followed Italy's lead and announced a preliminary investigation of ChatGPT maker OpenAI for alleged breaches of the European Union's General Data Protection Regulation (GDPR).
Late last month, Italy's DPA ordered OpenAI to stop processing venue data, over a series of alleged GDPR violations, quickly leading to OpenAI geoblocking the service in Italy.
ChatGPT is still accessible via a Spanish IP address, the regulator does not appear to have issued an order to suspend processing.
In a press release about his performance, he writes: "The Spanish Agency for Data Protection (AEPD) has initiated ex officio preliminary investigation procedure against the American company OpenAI, owner of the ChatGPT service, for possible non-compliance with the regulations”.
The statement does not provide any details of the specific concerns that the AEPD has.
Italy's DPA has raised a number of GDPR-related concerns about ChatGPT, including the legality of OpenAI processing, transparency issues, as well as child protection and data access requirements.
Earlier this week, he posted a list of measures that OpenAI must implement if it wants the local suspension order lifted, giving it an end-of-month deadline to make most changes.
OpenAI has not publicly commented on the changes requested by the Italian agency.
An OpenAI spokeswoman declined to comment on the Spanish investigation.
The AEPD press release confirms that it asked the European Data Protection Board (EDPB), the governing body for the application of the GDPR, to include ChatGPT in a plenary debate this week.
He says he asked that question considering that OpenAI's "global processing operations can have a significant impact on people's rights," which he also said may require "harmonized and coordinated actions at the European level."
"The Commission has decided in today's plenary session to launch a working group to promote cooperation and exchange information on the actions of the data protection authorities," adds the AEPD.
The EDPB working group on ChatGPT will act in parallel with individual authority investigations. But ultimately, it can help coordinate GDPR enforcement on generative AI technology across the block. Although, in the short term, pioneer DPAs such as Italy and Spain may conclude their investigations and take enforcement action before the Board is in a position to offer harmonization recommendations.
A difference in approach is already in evidence: with Italy's DPA issuing a suspension order, while Spain's AEPD has only announced that it is taking a preliminary look at ChatGPT at this stage. Although that could suggest that Spain's investigation is less advanced than Italy's.
In additional public statements, the AEPD said that it "advocates for the development and implementation of innovative technologies, such as artificial intelligence." But he stressed that such development must fully comply with the EU data protection framework and the rights and freedoms that the GDPR grants to individuals.