Mar 30
Danish DPA Data Protection Digital Markets Act EU-US cooperation EDPB hits Meta, the EU General Court explains the nature

ChatGPT conceded a bug exposing emails and search history, EU member states have agreed on common position as regards Data Act

ChatGPT conceded a bug exposing emails and search history, EU member states have agreed on common position as regards Data Act

Konstantin Tiazhelnikov Konstantin Tiazhelnikov
  • March 30, 2023 -

DP News – Week 13. ChatGPT conceded a bug exposing emails and search history, EU member states have agreed on common position as regards Data Act.

Open AI, the developer of ChatGPT, moved it offline for some time last week due to a bug in an open-source library. The bug allowed some users to see titles from another active user’s chat history, as well as, in some cases, the first message of a new conversation.

Further to this, Open AI admits that “the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window”. In particular, what was also exposed is, as Open AI claims, “another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time”.

Although Open AI believes that the number of affected users is very low, all of them were notified that their payment information might have been exposed. As it also claims, ‘the bug is now patched. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history’.

***

As the EU Council’s press release mentions, EU “‘member states’ representatives (Coreper) reached a common position (“negotiating mandate”) allowing the Council to enter negotiations with the European Parliament on the proposed legislation regarding harmonised rules on fair access to and use of data (data act)”.

The Council made several amendments to the initial proposal coming from the EU Commision, in particular, as regards the the scope of the act, especially with regard to Internet of Things (IoT) data, clarifications on the interplay between the Data Act and other existing legislation, such as the data governance act (DGA) and the general data protection regulation (GDPR), dispute settlement mechanisms, etc.

As for the next steps, this will “allow the Swedish presidency to enter negotiations with the European Parliament (“trilogues”) on the final version of the proposed legislation”.

See more related posts »

Related blog posts

DP News – Week 16. EDPB opinion: Pay-or-Consent models clash with GDPR consent requirements, EU Commission requested a risk assessment from TikTok, ICO launched a privacy notice generator, Catalan Data Protection Authority fines occupational health center for email confidentiality breach, Dutch chipmaker investigates data breach amidst security concerns.
  • April 18, 2024 -

DP News – Week 15. Norwegian DPA imposed a 20 million NOK fine, Denmark’s DPA updated data transfer guidance for third countries, France’s DPA fined retail chain for unsolicited marketing.
  • April 11, 2024 -

DP News – Week 14. Subway operator was fined for covert employee monitoring in Iceland, Finnish DPA imposed fine for data retention violations and published its 2024 inspection plan, France’s DPA (CNIL) published a 5-year GDPR compliance review regarding data breaches.
  • April 4, 2024 -