Italy’s data protection authority, the Garante, has imposed a €15 million ($15.66 million) fine on OpenAI for multiple GDPR violations related to ChatGPT’s handling of personal data. The decision follows an investigation that revealed several compliance issues with EU privacy regulations.
Key Violations:
– Unauthorized processing of personal data for AI training
– Failure to report a March 2023 security breach
– Lack of transparency in user information handling
– Absence of age verification mechanisms for users under 13
Mandated Actions:
OpenAI must conduct a six-month public awareness campaign across various media platforms to inform users about:
– ChatGPT’s data collection practices
– Types of information gathered from users and non-users
– User rights regarding data management (deletion, rectification, objection)
OpenAI’s Response:
The company plans to appeal the decision, stating the fine is disproportionate and approximately 20 times their Italian revenue during the period in question. They maintain their commitment to privacy-compliant AI development.
Background Context:
Italy previously implemented a temporary ban on ChatGPT in March 2023, which was lifted after OpenAI addressed initial concerns. The European Data Protection Board has clarified that AI models using anonymized data post-processing do not violate GDPR, though initial unlawful data collection remains problematic.