Canadian Regulators Find OpenAI Violated Privacy Laws
Canadian federal and provincial privacy watchdogs concluded OpenAI violated privacy laws by over-collecting sensitive personal data to train early ChatGPT models.
Federal and provincial privacy regulators in Canada concluded a joint investigation finding that OpenAI violated privacy laws during the training and launch of ChatGPT. The probe, initiated in 2023, determined that the company scraped vast amounts of personal information from websites and licensed datasets for its GPT-3.5 and GPT-4 models without valid consent. This overbroad collection included sensitive data such as health conditions, political views, and information about children, exposing Canadians to risks of data breaches and discrimination.
OpenAI disagreed with several findings and challenged the investigators' jurisdiction but has since retired non-compliant models. The company committed to new safeguards, including narrowed data collection for new models, improved user notifications, and quarterly compliance reports. While Federal Privacy Commissioner Philippe Dufresne ruled the matter conditionally resolved, provincial commissioners in Alberta and British Columbia maintained that certain provincial consent requirements remain unresolved.
In British Columbia, Commissioner Michael Harvey noted that OpenAI contravened the Personal Information Protection Act in 12 of 13 investigated areas. This has led to calls from officials, including Artificial Intelligence Minister Evan Solomon, to introduce updated federal privacy legislation. Additionally, the regulatory scrutiny coincided with a controversy regarding a mass shooting in Tumbler Ridge, British Columbia. OpenAI CEO Sam Altman apologized after it was revealed the company failed to alert authorities that the perpetrator had used ChatGPT to plan violent scenarios prior to the attack.