Italy’s data protection authority has fined OpenAI €15 million (approximately $15.7 million) for violating privacy laws, including failing to notify authorities about a data breach and processing users’ personal data without adequate legal justification. The Italian Data Protection Authority (IDPA), known locally as the Garante, also mandated that OpenAI conduct a six-month public awareness campaign to inform the public about how ChatGPT collects and uses data.
Data Breach and Lack of Transparency
In its December 20 statement, the IDPA revealed that OpenAI had not informed the agency about a data breach that occurred in March 2023. The investigation also found that OpenAI used personal data to train its AI models without establishing a sufficient legal basis, in violation of the European Union’s General Data Protection Regulation (GDPR). According to the IDPA, this breached the principle of transparency, as OpenAI failed to provide users with the necessary information about how their data was being used.
The watchdog also highlighted that OpenAI lacked effective age verification mechanisms, potentially allowing minors to access the service. This raised concerns about exposing children under the age of 13 to inappropriate or harmful content, considering the AI’s ability to generate responses not tailored for younger audiences.
Six-Month Public Awareness Campaign
As part of its corrective measures, the IDPA has ordered OpenAI to launch a six-month campaign to raise awareness about how ChatGPT functions, with a focus on its data collection practices. The campaign will run across various media channels, including radio, television, newspapers, and the internet, and will aim to educate both users and non-users about the rights they have under GDPR, such as the right to object to the processing of their data and to have that data corrected or deleted.
The IDPA emphasized that by the end of the campaign, users should be well-informed about how to exercise their rights and how to opt out of having their data used for training OpenAI’s AI models.
Collaborative Attitude Reduces Fine
Despite the violations, the IDPA acknowledged OpenAI’s “collaborative attitude” throughout the investigation, which helped reduce the final fine. The company has also moved its European headquarters to Ireland, which places it under the jurisdiction of the Irish Data Protection Authority (DPC). The DPC will now take over as the lead authority in any further investigations involving OpenAI in the European Union.
A History of Scrutiny in Italy
The IDPA’s investigation dates back to March 2023 when Italy became the first Western country to temporarily block ChatGPT over privacy concerns. At that time, regulators raised alarms about potential violations of EU data protection laws, prompting a thorough investigation into OpenAI’s practices.
After the temporary ban, which lasted for several weeks, the IDPA and OpenAI reached an agreement on several transparency measures, allowing the chatbot to return to Italy on April 29, 2023.
Potential GDPR Violations and Penalties
Under the GDPR, companies that violate data protection laws can face penalties of up to €20 million ($21.5 million) or 4% of their global turnover, whichever is greater. Although OpenAI’s fine is substantial, it is lower than the maximum penalty, thanks in part to the company’s cooperation during the investigation.
The IDPA’s decision reflects the growing scrutiny over AI models and the personal data they process. As the use of generative AI technologies like ChatGPT continues to rise, regulators across the EU and beyond are increasing their focus on how these technologies handle user information.
Looking Ahead
The regulatory actions taken against OpenAI come as part of a broader trend of increasing oversight of AI technologies and their implications for privacy and data protection. While OpenAI has made changes to address some of these concerns, the ongoing scrutiny by European regulators will likely continue to shape the future of AI governance, especially in terms of transparency and user rights under the GDPR.
In the meantime, companies operating in the AI space will need to ensure compliance with stringent data protection regulations, or they risk facing heavy penalties and damaging their reputation in the marketplace.