Google’s AI chatbot, Bard, has finally been launched in the European Union (EU) after addressing privacy concerns and making changes to enhance transparency and user controls. However, privacy regulators in the EU continue to closely monitor Bard, and important decisions regarding the enforcement of data protection laws on generative AI are yet to be made.
The Irish Data Protection Commission (DPC), Google’s lead data protection regulator in the region, will maintain engagement with the tech giant regarding Bard even after its launch. Google has agreed to conduct a review and submit a report to the DPC after three months of Bard being operational in the EU. This implies that regulatory attention on the AI chatbot will increase in the coming months, although a formal investigation has not been initiated yet.
The European Data Protection Board (EDPB) has also established a task force to examine AI chatbots’ compliance with the pan-EU General Data Protection Regulation (GDPR). Initially focused on OpenAI’s ChatGPT, the task force will now include Bard matters to coordinate actions among different data protection authorities (DPA) for harmonized enforcement.
According to Graham Doyle, the Deputy Commissioner of the DPC, Google made several changes before Bard’s launch to enhance transparency and user controls. The DPC will be part of the EDPB task force, which is exploring various issues related to AI chatbots.
The EU launch of Google’s ChatGPT rival was postponed due to the Irish regulator’s request for information that Google had not provided, including a data protection impact assessment (DPIA). Failure to provide a DPIA raised significant regulatory concerns.
The DPC has now reviewed a DPIA for Bard, which will be included in the three-month review, along with other relevant documentation. DPIAs are living documents subject to change.
Google has engaged proactively with experts, policymakers, and privacy regulators to address the expansion of Bard, according to an official blog post. Specific steps taken to reduce regulatory risks in the EU were not immediately disclosed.
Regarding transparency and user control, Google has introduced changes to Bard’s privacy features. Users aged 18+ with a Google Account can access Bard, and a new Bard Privacy Hub provides explanations of available privacy controls. Legal bases for Bard include performance of a contract and legitimate interests, with an emphasis on the latter for most associated processing.
Users have the option to control how long Bard stores their data, with default storage of up to 18 months in a Google Account. The spokesperson also mentioned web forms for reporting problems, legal issues, requesting content removal, and asking for corrections or objecting to data processing.
Google’s approach to transparency and user control with Bard seems similar to changes made by OpenAI for ChatGPT following regulatory scrutiny in Italy. The Italian Data Protection Authority required OpenAI to suspend the service temporarily and implement privacy disclosures, opt-out options for data processing, deletion requests, and age-gating.
The EDPB task force may help reduce regulatory uncertainty and establish common enforcement positions on AI chatbots among EU DPAs. However, differences in approach are likely to persist, as some authorities have already outlined their strategies for protecting publicly available data and addressing scraping practices.
