OpenAI has adjusted its handling of user data in the European Economic Area (EEA) and Switzerland, transferring responsibility to OpenAI Ireland Limited.
This shift complies with GDPR regulations and designates the Irish entity as the data controller for users in these regions starting February 15, 2024.
The move aligns with GDPR’s One-Stop-Shop mechanism, enabling streamlined privacy oversight under the lead data supervisor within the EU.
OpenAI’s engagement with the Irish Data Protection Commission (DPC) aims to secure main establishment status for its Dublin office.
Despite establishing an office in Dublin and ongoing hiring efforts, demonstrating influence on decision-making and ensuring robust privacy checks within the US parent company are still essential for OpenAI to attain main establishment status.
Ongoing GDPR investigations in Italy and Poland related to ChatGPT’s data processing may shape OpenAI’s regulation, despite potential future main establishment status.
Updates in OpenAI’s privacy policy outline the use of “legitimate interests” for data processing alongside commercial interests, emphasizing the need for transparency in AI model training.
The Irish DPC’s potential role as OpenAI’s lead supervisor might impact the pace and direction of GDPR enforcement on the company’s AI activities.
UK users, due to Brexit, fall under the jurisdiction of OpenAI’s US-based entity, operating under the UK GDPR, distinct from the EU’s GDPR framework.
