ChatGPT and privacy. The theater within the theater

by Margherita Barletta e Nicolò Ghibellini

Like the spectator who watches Shakespeare's Hamlet and is confronted with the narrative technique of theater within theater, already present in the works of classical antiquity by Plautus, those reading this article will be confronted with a similar scenario. In fact, although everyone is talking about it, writing about it, and making it the subject of videos and stories on social media, what does ChatGPT (hereafter also "Chat") answer if we ask how it treats our data? How does it stand with respect to the GDPR?

For those who are now among the few who are not familiar with it, it is an advanced language model developed by Open AI, a real written conversation between the user and the model. You can ask ChatGPT to write code, an article, or a poem, you can ask for advice on how to create an attractive profile, recipes, historical research, and legal, in short, you can ask any question...

Going into our analysis now, by accessing the platform the first step we must go through to ask it our most disparate questions is to authenticate/register. This means that some of our data are stored- and thus stored- by OpenAI.

Right from the start, the interface provides some warnings/indications:

  • The goal is to get external feedback to improve and secure our systems.
  • Despite the security measures taken, the system may occasionally generate incorrect or misleading information and produce offensive or biased content. The system is not intended to provide advice.
  • Conversations may be reviewed by our artificial intelligence trainers to improve our systems.
  • You are warned not to share sensitive information in conversations.
  • The system is optimized for dialogue. You are asked for feedback about the usefulness/goodness of a particular response.
  • You are asked to share your feedback on our Discord server.

It then provides examples on how to best use the platform:

"Explain quantum computing in simple terms."

"Do you have any creative ideas for a 10-year-old's birthday?"

"How do you make an HTTP request in Javascript?"

The Model Capabilities are well-defined:

  • Remembers what the user said earlier in the conversation.
  • Allows the user to provide subsequent corrections
  • Trained to reject inappropriate requests
  • Limitations
  • May occasionally generate incorrect information
  • Can occasionally produce malicious instructions or biased content
  • Limited knowledge of the world and events after 2021

Therefore, another piece of data that Chat GPT certainly collects is the history of our conversations.

Professionals and data protection experts have early on noted what privacy risks may be associated with big data processing and language models such as ChatGPT:

1. Excessive collection of personal information.

2. Misuse of collected information.

3. Interception or theft of information by third parties.

4. Invasive profiling; discrimination based on data analysis (1)

Recently, the Privacy Guarantor Guido Scorza (2) has spoken out about ChatGPT. While reassuring users, he pointed out that such technologies must be used with the understanding that it is a commercial product, and therefore cannot be ignored that IP addresses, e-mail addresses, and chat content are information that is being collected.

To join ChatGPT you can use your Google account. This means that Google will share your name, e-mail address, language preference, and profile picture with the app. On questioning ChatGPT about this, it responds that:

  • It does not have access to your login credentials or personal information associated with your Google account. ChatGPT is designed to provide answers to your questions and provide you with virtual assistance in a secure manner that respects your privacy.
  • Registration allows you to save your previous conversations with ChatGPT to easily find information or answers to your previous questions.
  • In addition, registration may allow ChatGPT to store your preferences and offer you better assistance tailored to your needs. However, registration is not mandatory to use ChatGPT.

When the interface opens asking you what its privacy policy is, it responds:

  • As an artificial intelligence language model, ChatGPT does not collect or store any personal information or data about users.
  • However, it is important to note that ChatGPT conversations may be recorded and used by OpenAI for research and development purposes. These recordings are anonymized and used to improve the accuracy and functionality of the model.
  • ChatGPT uses cookies to improve the user experience and to track basic information such as session duration and frequency. These cookies are used to improve the performance of the model and are not used for any other purpose.
  • OpenAI is committed to protecting the privacy of its users and has taken strict security measures to prevent unauthorized access or disclosure of any personal information. If you have any concerns or questions about ChatGPT's privacy policy, please contact us at

Asking the Chat how it stands with respect to the GDPR it replies:

  • As an AI language model, I am designed to be compliant with the General Data Protection Regulation (GDPR). The GDPR is a European Union regulation that gives people more control over their personal data and how companies collect, process and store it.
  • As a language model, I do not collect personal data from users and do not have the ability to identify or track individual users. However, I do receive and process input data provided by users, and all personal data contained in that data is subject to GDPR regulations.
  • To ensure GDPR compliance, OpenAI, the organization that created and manages me, has implemented a number of privacy and security measures to protect user data, including strict access controls, encryption, and data minimization. OpenAI also allows users to delete the data they have provided me at any time.
  • Overall, the GDPR plays an important role in protecting the privacy and security of individuals’ personal data, and my goal is to operate in accordance with these regulations to ensure that user data is handled responsibly and ethically.

In short, the model gives us reassurance about our privacy, but an open question remains: how much should we trust its answers?

Certainly, with more thorough and informed use, it will provide more answers but, in the meantime, we must keep in mind that, as the Guarantor has suggested, ChatGPT is not our friend so let’s experiment with its use but with caution.

(1) P. Mancino - Between Big Data and ChatGPT: new privacy risks and new responsibilities for Data Protection Officers,

(2) Health, love, work: how much are we telling Chat GPT-3 about us? - Talk by Guido Scorza

Contact Information

Margherita Barletta

Nicolò Ghibellini

To stay updated on BMV news, publications and initiatives, subscribe to our newsletter