
Dismantling the ChatGPT Privacy Policy: What Other Compliance Risks?

author:虎嗅APP

This article is from the WeChat public account New Economy Risk Control Officer (ID: gh_32c83ce4147b); authors: Gao Yaping (partner at DeHeng Shanghai Law Firm) and Ji Qian. Original title: "AIGC Looking in the Mirror (I): How Does ChatGPT View Its Own 'Privacy Policy'?" Title image from Visual China.

There is no doubt that, with the wave of generative artificial intelligence products led by ChatGPT, we are experiencing a new round of "industrial revolution".

However, behind the explosive growth of generative artificial intelligence, issues such as trade secret leakage, personal information leakage and cyberattacks have also prompted sober reflection from regulators in various countries. For example, the UK Information Commissioner's Office announced on March 15 that it had updated its guidance on artificial intelligence and data protection, with the aim of protecting the interests of UK users, including vulnerable groups; the United States is also seeking public comment on potential accountability measures for AI systems.

On April 11, the Cyberspace Administration of China issued the Measures for the Administration of Generative Artificial Intelligence Services (Draft for Comments) (hereinafter referred to as the Administrative Measures), which clearly set out the responsibilities and obligations of service providers.

In this context, ChatGPT, as an advanced artificial intelligence language model, naturally also needs to review its own Privacy Policy [1].

Of course, if you ask it directly how it views the legal risks of its Privacy Policy, it tells you plainly:

[Screenshots of ChatGPT's replies to the direct question; not reproduced here]

Obviously, nothing can be learned by asking it that way.

However, if the core points of the Privacy Policy are "disassembled" into the following ten questions, which are then put to it one by one, hidden data compliance risks can still be uncovered:

  • Personal Information Processors – Who are "we"?
  • Does the collection of personal information comply with the "minimum necessary" principle?
  • Is the use of personal information compliant?
  • Is personal information sharing compliant?
  • Is the storage of personal information and cross-border transfer compliant?
  • How are the rights to personal information exercised?
  • Is the collection of children's personal information compliant?
  • Jurisdiction over the Processing of Personal Information
  • What are the roles of each party when accessing APIs?
  • What are OpenAI's certifications in data security?

Personal Information Processor: Who are "we"?

[Screenshot of ChatGPT's reply; not reproduced here]

The Privacy Policy identifies the data controller and the specific legal entity in its opening section and in Section 9 ("International users"), which is consistent with ChatGPT's answer.

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Compliant

OpenAI identifies "we" in the Privacy Policy as OpenAI, L.L.C., without listing affiliates or other entities alongside it, so on the whole the role of personal information processor is clear. (On the legal risks of an unclear "we", see our earlier article "1.5 years after the Personal Information Protection Law took effect, who is 'we' in platform privacy policies?".)

Does the collection of personal information comply with the "minimum necessary" principle?

[Screenshot of ChatGPT's reply; not reproduced here]

Section 2 of the Privacy Policy ("How we use personal information") lists the main uses of users' personal information, and specifically mentions the use of aggregated and de-identified information to analyse the effectiveness of the services, to improve and add service features, and to conduct research.

On this basis, we asked ChatGPT whether the collection of such information complies with the principle of minimum necessity, and ChatGPT answered in the affirmative.

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Compliance in doubt

The Privacy Policy describes the collection and the use of personal information separately, with no one-to-one correspondence between each category collected and its purpose, so it is impossible to judge directly whether each type of information collected by OpenAI meets the "minimum necessity" principle; overall compliance needs to be further demonstrated.

Is the use of personal information compliant?

[Screenshot of ChatGPT's reply; not reproduced here]

As noted above, Section 2 of the Privacy Policy ("How we use personal information") lists the main uses of users' personal information, and specifically mentions the use of aggregated and de-identified information to analyse the effectiveness of the services, to improve and add service features, and to conduct research.

We asked ChatGPT for its view on these two items. ChatGPT still placed them within the framework of "minimum necessity" overall, and stated that corresponding measures had been taken against possible legal risks (such as the risk of "re-identification"; see our article "Determining 'personal information' is not easy: IP location meets the roadblock of 're-identification technology'").

[Screenshots of ChatGPT's replies; not reproduced here]

Analysis: Non-compliant

The Privacy Policy clearly does not fully establish the legitimacy of "aggregation", especially where such aggregated or de-identified personal information will also be shared with third parties. Even "anonymized" personal information carries a risk of "re-identification", let alone "de-identified" personal information.

Is personal information sharing compliant?

[Screenshot of ChatGPT's reply; not reproduced here]

Section 3 of the Privacy Policy ("Disclosure of personal information") specifies four situations in which personal information is shared: sharing with third-party service providers, sharing in the course of business transactions, sharing under legal requirements, and sharing with affiliates. The circumstances of sharing with affiliates, however, are not clearly stated.

On this point, ChatGPT held that although OpenAI does not state it explicitly, it still needs to comply with the relevant laws and regulations on sharing, share only when necessary, and share only the necessary information.

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Non-compliant

The Privacy Policy is not clear enough about the circumstances in which personal information will be shared among affiliates. Although such affiliates are controlled by OpenAI, they are independent legal entities, and their sharing of personal information should still be constrained.

Is the storage of personal information and cross-border transfer compliant?

[Screenshot of ChatGPT's reply; not reproduced here]

Provisions on where personal information is stored, how long it is retained and cross-border transfers are scattered across Sections 8 ("Security and Retention") and 9 ("International Users") of the Privacy Policy, but the retention period is stated only in general terms. ChatGPT said that the personal information collected by OpenAI is stored in the United States, which may involve cross-border transfer, and that an appropriate data transfer mechanism would be adopted in accordance with the law to secure such transfers; at the same time, it acknowledged that the Privacy Policy does not explicitly specify a retention period.

[Screenshots of ChatGPT's replies; not reproduced here]

Analysis: Compliance in doubt

The Privacy Policy does not explicitly specify the retention period for personal information, using only a general formulation; at the same time, it states that anonymized or de-identified personal information may be retained indefinitely, so the compliance of its retention practices is debatable.

How are the rights to personal information exercised?

[Screenshot of ChatGPT's reply; not reproduced here]

Sections 4 ("Your Rights") and 5 ("California Privacy Rights") of the Privacy Policy set out users' rights over their personal information in dedicated sections, including the rights to access, delete, correct or update, and transfer personal information, to withdraw consent to processing, and to object to or restrict processing. Two channels for exercising these rights (account settings or an email request) are also described, but not clearly enough. When asked, ChatGPT essentially gave the email route as the answer. The following reply, on exercising the right of access, is an example:

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Non-compliant

Overall, the Privacy Policy's description of how to exercise personal data rights is not clear enough: it does not specify which rights can be exercised through account settings and which require an email request, and the response time limit is not stated.

Is the collection of children's personal information compliant?

[Screenshot of ChatGPT's reply; not reproduced here]

Section 6 of the Privacy Policy ("Children") states that the service is not intended for children under the age of 13 and that OpenAI is not aware of collecting personal information from children. ChatGPT likewise answered clearly that OpenAI does not knowingly collect children's personal information; when asked further whether OpenAI should determine in advance whether a user is a child, ChatGPT answered in the negative.

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Compliance in doubt

The Children's Online Privacy Protection Act (COPPA) primarily regulates operators of websites or online services directed to children ("a website or online service directed to children"), and any operator that has actual knowledge that it is collecting personal information from a child ("any operator that has actual knowledge that it is collecting personal information from a child").

Given the large user base ChatGPT reaches, whether its service is truly "unaware" that it collects children's personal information, even though the service is not intended for children, remains to be demonstrated.

Jurisdiction over the Processing of Personal Information

As part of OpenAI's user agreement ("Terms of Use"), the Privacy Policy is governed by the laws of the State of California, and by GDPR rules for users in the European Economic Area, the United Kingdom and Switzerland. However, the Privacy Policy does not clarify the compliance basis for processing the personal information of international users outside those countries and regions.

On this point, ChatGPT said that, since OpenAI collects users' personal information globally, it needs to comply not only with the relevant laws and regulations of the United States but also with the personal information protection rules of other countries and regions.

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Non-compliant

As ChatGPT replied, since OpenAI operates a global service, complying with US and EU data law alone is clearly not enough.

What are the roles of each party when accessing APIs?

According to the "Data Processor Addendum" published by OpenAI on its official website and ChatGPT's own answers, when ChatGPT is wrapped via API access to provide artificial intelligence services externally, the accessing party is usually the data controller (corresponding to the personal information processor under mainland China law) and OpenAI is usually the data processor (corresponding to the entrusted party).

[Screenshot of ChatGPT's reply; not reproduced here]

Analysis: Compliance in doubt

This answer is consistent with the recently issued Administrative Measures: when wrapping ChatGPT to provide services externally, the accessing party is a personal information processor and must bear the responsibilities and obligations of one. However, as ChatGPT noted, the roles of personal information processor and entrusted party may differ depending on actual operations; where OpenAI determines the main purposes and means of processing, it may become a joint personal information processor.

What are OpenAI's certifications in data security?

Section 8 of the Privacy Policy ("Security and Retention") gives only general information about OpenAI's data security measures. We therefore additionally asked ChatGPT whether OpenAI holds relevant certifications (such as ISO 27001 information security management system certification), but here ChatGPT was clearly out of its depth and even began to "make things up", listing cited articles and links that do not exist. Claims of this kind should be verified against the certifying body's register or the vendor's published audit documentation, not against the model's output.

[Screenshots of ChatGPT's replies, including the fabricated citations; not reproduced here]

Epilogue

In summary, our compliance analysis of ChatGPT's Privacy Policy is set out in the following table:

[Summary table, reconstructed from the section verdicts above; the original table image is not reproduced]

  • Personal information processor (who are "we"?) – Compliant
  • Collection under the "minimum necessary" principle – Compliance in doubt
  • Use of personal information – Non-compliant
  • Sharing of personal information – Non-compliant
  • Storage and cross-border transfer – Compliance in doubt
  • Exercise of personal information rights – Non-compliant
  • Collection of children's personal information – Compliance in doubt
  • Jurisdiction over processing – Non-compliant
  • Roles of each party when accessing APIs – Compliance in doubt
  • Data security certifications – No conclusion (ChatGPT's answer was fabricated)

Based on the analysis of the text of the Privacy Policy itself, combined with ChatGPT's response, we condensed the following six core data compliance issues:

[Image listing the six core data compliance issues; not reproduced here]

The specific analysis of the above compliance issues will be developed in a series of subsequent articles.

[1] Privacy Policy (updated April 7, 2023), https://openai.com/policies/privacy-policy, accessed April 16, 2023.
