Omer Tene’s Post

View profile for Omer Tene

Partner, Goodwin

I asked ChatGPT to draft a Privacy Policy for "my grocery shopping app". It wrote a really nice one. In two seconds (non-billable). Any idea what lawyers will do next?

  • No alternative text description for this image
Aleksandr Tiulkanov

AI, Data & Digital Policy Counsel, LL.M., CIPP/E | I help organisations navigate Digital Policy and operationalise AI and Data governance

1y

Lawyers will know to ask the app developer first about how the data are actually used. And only on that factual basis will they draft the policy. Doing it the other way around is a recipe for non-compliance and legal sanctions, not to mention the disregard of actual privacy. Creating this policy is neither the first nor the most valuable thing lawyers will spend their time on. Smart lawyers may use ChatGPT for first drafts, but will review all outputs and will be aware of the tool's limitations. This sample is not compliant with GDPR for example, as it doesn't disclose the data controller's identity first, breaching WP29 Transparency guidelines, and uses the American term "sell", which is not a thing we can do to data in Europe. A non-lawyer has no way of knowing about these limitations. Further, you may not be aware of that, but ChatGPT is known for embedding hidden falsehoods into its outputs, so no one should ever (!) take them at face value. My colleagues and I tinkered with ChatGPT, discussed our experience and looked at what other people are saying, and we all share this view. Here's more on this topic: https://www.linkedin.com/pulse/high-time-take-chatgpt-offline-aleksandr-tiulkanov/

Aside from all of the apprehensiveness already shown by people in this comment section. This Privacy Policy, which by the way is actually a Notice, or supposed to be, is going to land the grocery store in trouble. It’s not detailed. Everyone know a grocery store running an online App probably collects more data than that anyway. ChatGPT will create the context for some lawyer’s work, it will never be a susbstitute, it can support the work though.

Rebecca Shore

Privacy Executive | Speaker | VP, CPO Albertsons Companies | Ex-Under Armour

1y

In addition to knowing the business well enough to ensure fuller transparency, build a policy that speaks to the customer directly and represents the brand. I recognize the later two are rare (having read hundreds of them, I can only think of a handful that actually do this well). But a great privacy attorney will take the bones required and create something that enhances customer trust. Lawyers are missing the mark if this is the type of policies that law firms are pushing out. Simple and streamlined as this is (which is a great goal!), it more than likely misses most of what the business actually does with personal data to fulfill the services. And, that’s just not the level of transparency lawyers should strive for delivering to individuals.

Panu Pökkylä

AI and Privacy lawyer with strong experience in building teams. Founder of PrivacyPod podcast

1y

I takes me 1 second to copy and paste one from "the internet". Its as good as this one.

Lilian Edwards

Professor at Newcastle University

1y

Theyll review it to see it actually does what client wants, just like right now lawyers fill in & review decades old templates. You could argue that lawyering is already so routinised it's already practically non intelligent ie AI...

Doesnt look like a GDPR compliant privacy notice to me Omer so lawyers should be fine for the foreseeable future.

Martin Focazio

Making technology more humane.

1y

Wow. Do you know how to drive a snowplow? I hear there are lots of openings in the Snow Removal industry. 🙄

Rowenna Fielding (she/her)

Data protection, data ethics and digital privacy nerd | #ActuallyAutistic

1y

I'm not a lawyer. No-one needs a lawyer to write a privacy notice. In fact, the (few) good privacy notices are those which have not been lawyered into incomprehensibility. This privacy notice fails to meet GDPR requirements in a number of ways. For a start, it's not actually explaining the specific details of a specific organisation's processing of personal data. So it's fiction, and bad fiction at that. It equates 'use of the services' with 'agreement to the policy' which places all of the processing either on the basis of (invalid) consent or on the (invalid for some of the processing) basis of contract. It does not specify which processing of which data is carried out for which purposes and under which lawful bases - essential information for data subjects to be able to exercise their rights. It says "your privacy is important to us", and everyone knows that's always a lie Sigh. This is as vErY cLeVEr as getting an algorithm to write your business plans for you based on scrapings of Wikipedia articles about tech CEOs would be.

Maria Khan

Enabling Safe Use of Data | Data Command Center | Data Privacy Legal Manager at Securiti

1y

Firstly, this is not GDPR compliant. Secondly, ChatGPT does not remain updated on changing legal developments especially in the privacy world - right now, it has knowledge of only till 2021. So much has happened after 2021 in the privacy legal space and still happening. Thirdly, ChatGPT cannot interpret laws - it cannot read court decisions, guidances from regulatory authorities and legal texts all together to reach conclusions. So, lawyers would still remain valuable.

Stephan Engberg

Specialist in trustworthy identity, security and data sharing

1y

A classical "We don't care about your rights" kind of policy. Quite disturbing actually - if that is how OpenAI view the area

See more comments

To view or add a comment, sign in

Explore topics