OpenAI’s Irish data processing move could ward off regulatory scrutiny

OpenAI’s plans to shift European data processing to Ireland represent a significant step toward ensuring GDPR compliance, but questions remain over the influence of its US operations, experts have warned.

In an email to users, OpenAI said it plans to make its Irish subsidiary the official data controller for customers who live in the European Economic Area (EEA) and Switzerland.

The announcement follows the opening of a Dublin office in September, with the data processing change due to be made on February 15.

"We have changed the OpenAI entity that provides services such as ChatGPT to EEA and Swiss residents to our Irish entity, OpenAI Ireland Limited," users were told in an email by the firm.

There's also been a similar update to the company's privacy policy.

The move from OpenAI appears to be a concerted effort to reduce regulatory friction across the European Union. The California-based tech giant has been embroiled in a series of data protection-related battles over the last year, with Italian regulators suspending the use of ChatGPT in April 2023 amid GDPR concerns.

Similarly, Polish regulators opened an investigation into the company in September following a complaint from privacy researcher and author of Philosophy of Cybersecurity, Lukasz Olejnik.

A key point of contention is the way OpenAI processes personal data, with critics complaining that it lacks a legal basis to justify the mass collection and storage of data, along with claims that it fails to adequately protect children.

Its activities, it's alleged, breach GDPR in terms of lawful basis, transparency, fairness, data access rights, and privacy by design. Regulators in both Germany and Spain have expressed similar concerns.

In the wake of Italy's decision, the European Data Protection Board (EDPB) announced plans to launch a dedicated task force to foster cooperation and to exchange information on possible enforcement actions by data protection authorities against the company.

The GDPR’s “one-stop-shop” mechanism allows companies operating in the EU to have their privacy overseen by a single lead data supervisory authority, rather than having a free-for-all with each national privacy watchdog able to take action unilaterally.

By moving its European data processing to Ireland, OpenAI aims to ensure that its compliance with GDPR is monitored by the country's Data Protection Commission (DPC).

In this sense, it is following the likes of Google, Apple, Meta and TikTok.

While the DPC has investigated and issued a number of fines against big tech firms, it's widely seen as being both slow and over-lenient in its decisions.

Last year, Ireland’s data protection commissioner Helen Dixon said that while generative AI needed to be regulated, it would be unwise to rush into bans that “really aren't going to stand up”.

Speaking to ITPro, Olejnik said that the move by OpenAI will help attempts to calm regulators across the union, but questioned whether the influence of US operations could create friction further down the line.

"Having a local desk would aid in contact with the local EU regulators in various terms. It will not necessarily function as a go-to place for the needs of the EU GDPR, though," he said.

"It is the US HQ that is making the actual substantial decisions about the designs, so considering the existing way that some EU DPAs decide, it is not necessarily relevant to data processing, at least not always."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.