ChatGPT faces claim “hallucinations” break EU’s data protection rules


Noyb, the nonprofit European Center for Digital Rights founded by activist-lawyer Max Schrems, has filed a complaint with the Austrian privacy regulator, alleging that ChatGPT’s “hallucinations” had broken the EU’s General Data Protection Regulation (GDPR) in multiple ways.

The complaint centres around “hallucinations” - wrong answers provided by artificial intelligence (AI) large language models - and asks for an investigation, a fine, corrective measures, and a declaratory decision.

In the complaint Schrems says OpenAI was asked to stop ChatGPT generating an incorrect date of birth for him and was told this was impossible. It also says OpenAI didn’t disclose what data led ChatGPT to emit a false birth date, or where that data came from.

Noyb, which stands for "none of your business", issued a statement through lawyer Maartje de Graaf which said: “Making up false information is quite problematic in itself. But when it comes to false information about individuals, there can be serious consequences.

“It’s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals. If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around.”

Noyb also accused OpenAI of failing to respond appropriately to the complainant's request for information.

EU law has required personal data to be accurate since 1995, and this principle is enshrined in the GDPR, the EU’s data privacy law.

The Italian data-protection authority warned earlier this year that OpenAI was breaching the GDPR. The European Data Protection Board (EDPB), which gathers the national privacy regulators, set up a task force on ChatGPT to coordinate national efforts.

Schrems has previously launched two lawsuits against the Facebook group Meta, twice overturning important data agreements between the United States and Europe before the European Court of Justice.

Violating the EU’s GDPR can lead to a penalty of up to 4 percent of a company’s global revenue.
