The Italian Data Protection Authority (Garante Privacy) has concluded its investigation into OpenAI’s ChatGPT, imposing a €15 million fine and mandating a six-month public information campaign.
The decision follows a series of privacy violations identified during the probe.
Findings of the Investigation
The investigation, initiated in March 2023, uncovered multiple privacy breaches by OpenAI.
The company failed to notify the authorities about a data breach in March 2023, during which users could inadvertently access others’ chat histories.
Additionally, OpenAI processed personal data to train ChatGPT without establishing a sufficient legal basis, violating transparency principles under the General Data Protection Regulation (GDPR).
Another critical issue was the lack of age verification mechanisms, which exposed children under 13 to potentially inappropriate AI-generated content.
These findings prompted corrective and punitive measures by the Garante Privacy.
Mandatory Public Awareness Campaign
For the first time, the Garante invoked Article 166 of the Italian Privacy Code to require OpenAI to conduct a six-month institutional communication campaign.
This initiative will span radio, television, newspapers, and online platforms to educate users and non-users about ChatGPT’s data collection practices and their rights under GDPR.
The campaign aims to enhance public understanding of how generative AI systems like ChatGPT operate, particularly regarding personal data usage.
It will also inform individuals about their rights to object, rectify, or delete their data from such systems. OpenAI must collaborate with the Garante to finalize the campaign’s content.
Implications and Next Steps
The €15 million fine reflects not only the severity of the breaches but also OpenAI’s cooperative attitude during the investigation.
The company has since established its European headquarters in Ireland, transferring jurisdiction over ongoing compliance matters to Ireland’s Data Protection Commission under GDPR’s “one-stop-shop” mechanism.
OpenAI retains the option to appeal or settle by paying half of the fine within 60 days.
However, this case underscores growing regulatory scrutiny over AI technologies and their compliance with privacy laws across Europe.
This landmark decision by Italy’s privacy watchdog sets a precedent for holding AI developers accountable for data protection violations while emphasizing transparency and user rights in AI-driven services.
Also Read: