On July 26, South Korea’s Personal Information Protection Commission (PIPC) held a plenary meeting to impose an administrative fine of W3.6 million (US$3,000) against OpenAI OpCo for failure to comply with the notification requirement regarding a data breach incident. The PIPC also resolved to issue a set of “improvement recommendations,” a formal administrative disposition provided for in the Personal Information Protection Act (PIPA), to OpenAI to (1) implement safeguard measures to prevent recurrence of personal data breach, (2) ensure compliance with the PIPA and (3) cooperate with the future fact-gathering and monitoring program to be performed by the PIPC, according to a press release from the PIPC.

The PIPC started gathering relevant facts from March 2023 following public reports regarding data leakage involving users of OpenAI’s ChatGPT service. The PIPC also evaluated the company’s compliance with legal requirements under the PIPA.

The following explains the background and context of the investigation and the decisions made at the PIPC plenary meeting.   

Data breach related to the payment system

It was confirmed that the names, email addresses and payment details – including billing addresses, the last four digits of credit card numbers and expiration dates – of some users who were signed into the subscription-based “ChatGPT Plus” service were exposed to other users who were active simultaneously, between 5 pm on March 20 and 2 am on March 21 (between 1 am and 10 am on March 20, Pacific time). A total of 687 South Korean users were impacted by the incident.

The cause of the data leakage was identified as a bug in the open-source cache (temporary data storage) solution used to increase the service speed of ChatGPT. Upon further technical analysis, the PIPC found no sufficient ground to conclude that OpenAI had neglected its statutory responsibility to implement suitable data safeguard measures as required under the PIPA, and therefore, concluded that the company was not subject to sanction for violating safeguards requirement. However, OpenAI had failed to meet the notification requirement to report incidents of data breach which is also required under the PIPA, and this provided the ground for the fine imposed. In addition to the fine, the PIPC decided to issue improvement recommendations to the company to perform a self-inspection of its systems used to process personal data and establish appropriate measures to prevent recurrence of a similar incident.

Compliance with the Personal Information Protection Act

Upon reviewing the Privacy Policy and user sign-up process of the ChatGPT service, the PIPC found that OpenAI did not fully meet the requirements of the PIPA in a number of areas. These included, among others: absence of a Korean version of the Privacy Policy; failure to meet the statutory requirements for obtaining proper user consent; and unclear definitions and/or descriptions about data controller-processor relationship, disposal of personal data, and the representative in Korea designated to act on behalf of the company. In addition, OpenAI required a minimum age of 13 to sign up for its service, which was inconsistent with the Korean law which requires consent from a legal guardian for those aged under 14 to sign up for a service.

In the course of the investigation, OpenAI explained its position as a relatively new player just launching services to a wider global audience, and officially submitted its intention to cooperate with the PIPC and achieve compliance with the recently amended PIPA, by the time when the amended law takes effect, i.e., September 15, 2023. Taking consideration of the circumstances, the PIPC decided to provide improvement recommendations at this time, and to follow up with continued monitoring of the implementation of these recommendations and of the compliance with the PIPA’s requirements.  

Efforts to minimize the risks related to data privacy

To identify some of the privacy and data protection risks associated with new and emerging technologies used to provide services using artificial intelligence technologies, the PIPC has requested information from OpenAI regarding: its data collection and processing practices, including those on personal data; the sources of the Korean language data used to train its model(s); measures taken to address legal and ethical concerns during the model building and deployment processes; and provision of means to entertain requests from data subjects about their personal data, among others. While the company provided answers in several installments, many of these answers were general and comprehensive in nature and the PIPC was unable to undertake a thorough assessment.

Considering that there could be a lack of clarity regarding the applicable regulatory and governance frameworks for newly emerging services and systems, in particular involving large-scale, generative AI models, the PIPC determined that, for now, the focus should be laid on ensuring a high level of data protection and privacy across services employing new technologies, including AI. The PIPC will thus engage in fact-gathering and monitoring missions on some of the major AI services developed and deployed in and out of Korea, including ChatGPT, with the aim of minimizing the risks to data privacy. 

Today’s decision makes it clear that the Korean law will apply to new services if their users include users in Korea or the relevant data was collected from Korea. The PIPC also intends to publish guidance for global businesses operating in Korea. 

The PIPC is committed to supporting the safe and responsible provision of services powered by AI and other innovative technologies, with plans to release more specific measures to protect the rights of the Korean data subjects.