The RIPD is a coalition of 12 countries (Portugal, Uruguay, Brazil, Peru, Panama, Costa Rica, Colombia, Chile, Argentina, Spain, Andorra, and Mexico), and of 16 local data protection authorities. The RIPD seeks to promote the development and implementation of legislation that safeguards personal data and data privacy rights in the region.
On April 8, 2023, the RIPD issued a statement expressing its concerns with OpenAI’s ChatGPT, the chatbot that has sparked vast intertest around the world. ChatGPT is alleged to ingest vast amounts of data from the internet, including personal data, particularly for training the AI model on which it runs, and in the RIPD’s view this collection and processing of personal data may create risks to users' data protection rights and freedoms. The statement goes on to mention instances that the RIPD has identified as potentially problematic from a personal data perspective, including the legal basis for such processing, the information provided to users about the processing of their data, their rights as data subjects, possible transfers of personal data to third parties without consent, the lack of age control measures, and uncertainty about ChatGPT’s security measures.
The statement further indicates that the local DPA’s that are part of the RIPD have set out to monitor and oversee ChatGPT within the scope of their respective powers, and to coordinate their actions within the framework of the RIPD, and in the meantime warrants users of ChatGPT to be cautious and to be sure to review the applicable privacy policy and related documents.
This is the first time that the RIPD has announced a coordinated effort of this nature, so it remains to be seen how it will be implemented. The RIPD's 2021-2025 Strategic Plan nonetheless proposes, as a goal, to have greater presence in the judicial field to ensure the protection of personal data.
The RIPD’s statement and proposed course of action presumably follows the lead of the Italian DPA, which on March 31, 2023, issued an order for OpenAI to stop processing data of Italian citizens through ChatGPT, citing concerns over possible breaches of the EU's General Data Protection Regulation (GDPR).
Considering that the Colombian DPA has historically been very active in enforcing compliance with Colombian data privacy laws, and that in the past it has launched inquires against global tech companies after media coverage and wide attention from the public, we will be closely monitoring the situation and provide updates.