As ChatGPT faces privacy investigations in Europe, OpenAI strategically relocates its legal entity providing services to European residents to OpenAI Ireland Limited. The move aims to comply with the EU’s General Data Protection Regulation (GDPR) and streamline privacy oversight, potentially reducing regulatory risks.
The Dublin-based subsidiary will become the data controller for users in the European Economic Area (EEA) and Switzerland starting February 15, 2024. OpenAI’s updated Privacy Policy outlines this change, emphasizing compliance with GDPR regulations.
The GDPR’s one-stop-shop mechanism allows companies to centralize privacy oversight, limiting the ability of privacy watchdogs in different EU countries to act unilaterally. OpenAI’s move follows a trend among tech giants, including Apple, Google, Meta, TikTok, and X, establishing their EU base in Dublin.
OpenAI’s engagement with the Irish Data Protection Commission (DPC) indicates efforts to secure main establishment status under the GDPR, allowing the DPC to oversee privacy enforcement. The hiring of local staff in Dublin, particularly a privacy software engineer, suggests OpenAI aims to demonstrate influence and privacy safeguards.
Despite ongoing GDPR probes in Italy and Poland concerning ChatGPT’s data processing, OpenAI’s legal maneuver seeks to align with GDPR requirements and potentially shape the direction of generative AI and privacy rights in Europe. The move prompts questions about OpenAI’s intention to defend data harvesting practices, using a claimed “legitimate interests” basis.
The UK, excluded from the legal entity shift, remains under OpenAI’s US-based jurisdiction. As OpenAI navigates privacy challenges, the move to Dublin raises the stakes for Ireland’s DPC, which may play a pivotal role in defining the future of AI and privacy in the region.