This decision on ChatGPT may "turn the table". The President of the UODO announces when the decision will be made

• - If politicians were to reflect, the regulations in their current form would enable them to achieve the goals they have set for themselves without violating the principles of personal data protection - says Mirosław Wróblewski, president of the Personal Data Protection Office, in an interview with WNP about the disclosure of Jerzy Ż.'s data during the election campaign.
• Wróblewski criticizes Facebook's business model. "There is an element of protection of our dignity in privacy, it is a fundamental right. I don't think it is right to charge a fee for protection of our fundamental rights," he says.
• The President of the Office of Personal Data Protection (UODO) announces that a decision will be made by December in a groundbreaking case concerning OpenAI. Dr. Łukasz Olejnik, a cybersecurity researcher, complained to the office that the creator of ChatGPT was illegally processing his data.
• Wróblewski also explains how GDPR may change soon. The European Commission has recently presented its proposals on this matter.

Is the position of the President of the UODO political?

- What do you mean by that?

You differ greatly in your assessment of certain situations from your predecessor. For example, in the matter of envelope elections.

- We do differ, but my assessments are based primarily on the case law of the Court of Justice and administrative courts. It seems to me that this has nothing to do with politics.

Politicians to be punished for using data in campaigns

And is GDPR itself a tool for political struggle?

- I know what you're getting at. The issue of personal data processing also appears in public activity. Recent events show that, unfortunately, emotions, haste or elements of the election fight often cause politicians to forget about the need to respect the regulations on personal data protection.

And it doesn't have to be that way - if politicians were to reflect, the regulations in their current form would enable them to achieve the goals they set for themselves without violating the principles of personal data protection. It is possible to reconcile the need for transparency, disclosure of certain information and protection of the privacy of individuals. Unfortunately, the election campaign and political emotions do not favor this reflection.

We are talking about the fact that Przemysław Czarnek and Rafał Trzaskowski revealed details about the person from whom presidential candidate Karol Nawrocki was supposed to buy a studio apartment. What consequences can these politicians face from the President of the UODO?

- We are in the process of investigating, so theoretically all consequences are possible. Until the proceedings are completed, we cannot prejudge this.

So what penalties do they face?

- The maximum fine for violating GDPR regulations for administrators who are not companies is EUR 20 million . Of course, I do not expect that we will be talking about such amounts. For now, I am wondering how I should react after the proceedings. Fines are to serve as an effective sanction on the one hand, and a deterrent on the other, but I would like to add an educational element to this.

The UODO has already prepared a guide on the processing of personal data in the election campaign, and I have also reminded you of these recommendations this time. As you can see, you can never have too much education. When the temperature around the elections cools down, I will propose after the holidays, as I have already announced, to the Speakers of the Sejm and Senate, in cooperation with the electoral authorities, training, among others, for employees of parliamentarians' offices. I assume that they are often responsible for personal data issues, and I want this awareness to increase so that similar violations do not repeat themselves.

I asked about politics because both sides of the dispute called you as an arbitrator when the opponent showed too much data. Even if those same people had previously criticized the data protection regulations.

- On the one hand, it is my responsibility to investigate violations as the president of the office, but on the other hand, it also hurts me very much on a human level when the most sensitive information of an elderly person, who would probably not want to be discussed so widely, is publicly processed. Here, however, a nod to many media outlets, which have often shown much greater sensitivity than politicians and have been able to anonymise the most sensitive data.

Big changes in GDPR? A good direction, but there is a catch

Data protection regulations are set to change in the near future. Is GDPR revision a necessary step?

- The European Commission has come up with the idea of ​​limiting the obligations related to maintaining a register of processing activities for companies. The limit for this simplification is to be raised from 250 to 750 employees. I rate this move as good in principle, but I have one reservation.

What?

- This limit cannot be treated completely automatically. In the digital sphere, we can also deal with small companies that employ few employees and process very sensitive personal data. The rules for them should be constructed differently due to the high risks of processing for the rights and freedoms of individuals. We have also drawn attention to this in the joint opinion of the European supervisory authorities - the European Data Protection Board and the European Data Protection Supervisor.

For example, online shopping platforms?

- For example, online pharmacies. They don't need many employees, but they process health data in an immanent way.

In my opinion, simplification should apply to another category of entities – non-governmental organizations. The requirements for them are the same as for companies, and yet they have incomparably fewer opportunities. In mid-June, we are organizing a conference of European personal data protection authorities, and I want to raise this topic there.

Do you see the need for any further changes to the GDPR?

- I believe that legal changes in this matter are not the most important. Entrepreneurs generally need support in the area of ​​applying GDPR , but they have already become accustomed to the existence of this regulation, and further legal changes could cause unnecessary chaos in data protection. Especially since we are facing more urgent challenges, such as implementing further EU regulations that have already entered into force, but in Poland, for example, there is no designated institutional apparatus for them yet.

You are talking about the Digital Services Act (DSA). We have been taken to the ECJ for failure to implement it.

- In the queue there is also the AI ​​Act, the Data Management Act, the NIS2 directive related to cybersecurity, and we could go on and on. There is a lot of uncertainty here, because entities will often have to apply two or three such large regulations and focus their efforts on them. The EU legislator has set us many challenges. Therefore, another simultaneous change, this time in the area of ​​GDPR, is not the most expected.

By the end of the year, there will be a decision by the Office of Personal Data Protection regarding OpenAI

Mr. President, will land and mortgage registers be personal data or not?

- Land and mortgage register numbers are personal data - we know this from the final judgment of the Supreme Administrative Court. Today, it is a challenge to simultaneously ensure the transparency of land and mortgage registers in accordance with the provisions of the Act on Land and Mortgage Registers and the protection of privacy.

Is this reconcilable?

- We expect that a mechanism will be implemented that will allow access to the books, but with authentication of the person who has access to them. The idea is to prevent the operation of systems that search the books using automated tools that later sell this knowledge on the Internet. The Ministry of Justice has declared that it will develop a project that is to solve this problem. A month ago, I asked about the status of this work, but I have not yet received an answer regarding progress.

Personally, I would very much like this problem to be solved. However, this is one of the aspects of the problems with the effective application of EU regulations to entities registered outside of it.

It was impossible to hold the big tech companies accountable. Your Irish counterpart, who spent years prosecuting, is responsible for the disputes with them.

- It's a matter of the way GDPR was constructed. Indeed, proceedings in cases that we have to transfer to Ireland take years, which is why there is no impression that there is any effective supervisory system here. This has already been resolved differently in the Digital Services Act, where the European Commission is responsible for enforcing regulations against large companies, and not the country in which the company is headquartered. I do not consider these solutions to be ideal, but they can certainly facilitate and simplify the procedures for dealing with such cases.

It’s not just the cases transferred to Ireland that are dragging on. As of August 2023, there has been no decision in the case of independent cybersecurity researcher Dr. Łukasz Olejnik, who filed a complaint against OpenAI, alleging that the company was illegally processing his data.

- I wanted this matter to be closed. But then the administrator woke up and started presenting such extensive documentation that its analysis takes a very long time.

In layman's terms: Has OpenAI flooded you with documents?

- I wouldn't use such words.

I used it.

- I won't deny it. I asked my colleagues to deal with it as quickly as possible, but we must also maintain standards and procedural fairness, because if we don't do that, every slightest oversight or haste is the easiest way to challenge the decision in the administrative court. A small mistake is enough for a great substantive work to go to waste.

When will we find out who is right?

- I would like to finish work no later than during the holidays. The final deadline for me is the end of the year.

Your decision could impact OpenAI's entire business in Europe.

- The company will certainly challenge it, I am ready for that. Poczta Polska, which received the highest penalty imposed by the office so far in connection with the envelope elections case , also appealed to the administrative court. It has the right to do so, but that is precisely why we must ensure the procedures.

Critics will say that you are limiting the development of artificial intelligence in Poland.

- Of course, someone may treat it that way. However, I will say this: our goal is not to block anything. It is not about preventing someone from organizing press conferences in the campaign or building useful AI-based applications. It is about being able to achieve the goal while maintaining the protection of personal data. And of course, this is often very difficult - it requires some effort, introducing new technological and legal solutions. But there is really no other way than to achieve both goals.

I would like to draw attention to one more thing. The decisions of the President of the UODO are never written in the form of "no, because of GDPR". We try to make them indicate the direction of achieving compliance with the regulations. This of course requires that our partners find solutions, of a legal or technical nature.

Privacy protection is a fundamental right. Facebook cannot charge for it

Facebook found a solution to excessive interference in users' privacy by introducing the option: "pay or ok", that is - agree to surveillance, or pay. And the CEO still did not like it.

- Sometimes finding a solution requires more effort, sometimes it is very difficult. But without it there is no progress.

What is wrong with this model that we either pay Facebook with data or with money for use?

- Some challenges are ethical in nature.

There is an element of protection of our dignity in privacy, it is a fundamental right. I do not think it is right to charge a fee for the protection of our fundamental rights.

Meta also allows you to exclude your data from AI training.

- After my experiences with this company, I see that it is capable of change and cooperation. This was the case with the scam that affected, among others, Mr. Rafał Brzoska. A tool was created that allowed for automatic detection of such fraudulent advertisements .

Which does not work, as proven by CERT Polska at NASK.

- Yes, but attempts are being made to solve the problem, and the company is responsive, although it was not at all at first. I believe that business will respond to the issues we point out, because it is pragmatic and does not want to have problems.

Is this a lesson that Polish entrepreneurs also need to learn? Every year, the number and value of penalties that the office imposes on Polish entrepreneurs increases.

- This is due to the fact that the expectations regarding compliance with the GDPR after seven years of the regulation are higher than they were at the beginning. After this time, it is difficult to justify that someone does not know what the basic obligations look like.

Is there no mercy?

- Definitely. The UODO has an educational mission, of course – we travel around Poland, meet with entrepreneurs, cooperate with local governments. At the same time, however, there is no hiding the fact that control activities, enforcement and proceedings in cases of violations are ongoing. I think that it is already visible from this year's decisions that the public sector also has a lot to do when it comes to personal data protection.