The Italian job: chatbots and children’s personal data

Launched just over four months ago on 30 November 2022, the chatbot ChatGPT developed by Open AI – and described by Elon Musk as “scary good” – has been the fastest-growing app of all time.

Since its launch, ChatGPT has caused a buzz due to its advanced artificial intelligence (AI), enabling it to mimic human speech and writing style and present materials drawn from the internet in response to questions or instructions from users.

The chatbot has led to debates about the speed at which AI is developing, concerns over the lack of control of its development and fears that it will quickly develop in such a way as to threaten human survival and the environment we live in. There have even been calls to shut down the high-end development of AI for fear of losing control of it.

On 31 March 2023, ChatGPT was banned in Italy by the Italian data protection authority. This was due to their concerns over the mass collection of data, including personal data, by US-based Open AI. There were also alleged breaches of data protection law, as personal data of children under 13 years old has been collected and processed, with Open AI taking inadequate steps to prevent children under 13 years from using the app.

At the time of writing, it remains to be seen whether other European countries will follow suit and ban the chatbot; the Irish supervisory authority has indicated it is following up with the Italian authority to consider their position. In the UK there appears to be a reticence to ban the chatbot or to legislate against AI. Nonetheless, AI is recognised by the UK government to be a “whole revolution” and the technology requires monitoring.

Open AI have said they are compliant with data protection laws, although it is clear that for children under 13 there would need to be parental consent to processing. This appears not to have been sought by Open AI, and for the mass collection of personal data by a US-based entity, compliance remains very difficult to achieve since the undoing of Privacy Shield, the principles which previously governed the transfer of personal data to the US. In any event, Open AI and their chatbot are being investigated by the Italian supervisory authority and we will no doubt hear more.

Adapting privacy notices for children

These data protection headlines should make all providers of online apps, games or services which are likely to be accessed by children pay particular attention. Providers should note the wording isn’t “services targeted at children”, and therefore may catch services that are intended for use by adults. The emphasis is on providers to monitor their users and ensure that children are not able to unlawfully access services that process their personal data without correct safeguards in place.

Both TikTok UK and Open AI have been pulled-up for the amount of children’s personal data that has been collected and processed by them in contravention of data protection laws, with the ICO stating that TikTok did not “do enough” to monitor the data subjects using the platform and did not do enough to prevent children from accessing the platform unlawfully.

In the UK there is additional protection for children under the age of 13 – although in some other European countries, this is extended to children under the age of 16 – under data protection legislation. This means that parental or primary carer consent is required for children younger than 13 to access platforms or services online that process their personal data.

Additionally, the data protection principles require that information should be made available to all data subjects in a fair and transparent way, which in these circumstances means that privacy notices should be adapted specially to be clear and easy to understand for younger teenagers or children.

It is clear from the latest fines and findings of the ICO that this responsibility lies with the platform or service providers – not with the data subjects or their parents. A Children’s Code has been published listing 15 standards for safety online to protect young people and children, which is applicable to all online apps, games, services and platforms likely to be accessed by children.