Italy’s data protection authority has fined OpenAI €15 million ($15.7 million) and mandated a six-month public awareness campaign following an investigation into the data collection practices of the company’s flagship artificial intelligence (AI) model.
In a statement on December 20, the Italian Data Protection Authority (IDPA), also known as Garante, disclosed that OpenAI had failed to notify the authority of a data breach in March 2023.
The investigation revealed that OpenAI processed users’ personal data to train its ChatGPT model without establishing an adequate legal basis for this activity, thereby breaching transparency principles and user information obligations.
Inadequate Age Verification Measures
The IDPA highlighted that OpenAI lacked effective mechanisms to verify user age, potentially exposing minors under 13 years old to inappropriate responses unsuitable for their developmental and cognitive levels.
“To address these issues, OpenAI must conduct a six-month public awareness campaign across radio, television, print, and the internet,” the IDPA stated. This campaign aims to improve public understanding of how ChatGPT collects data from both users and non-users to train generative AI, while informing them about their rights, including the ability to object, correct, or delete data.
Compliance and Transparency Requirements
At the conclusion of the campaign, users should be equipped with clear guidance on how to oppose the use of their data for generative AI training and exercise their rights under the European Union’s General Data Protection Regulation (GDPR). Companies found in violation of GDPR face penalties of up to €20 million or 4% of global revenue.
The IDPA acknowledged OpenAI’s “cooperative attitude” during the investigation, which led to a reduction in the fine.
Relocation to Ireland
During the investigation, OpenAI relocated its European headquarters to Ireland, transferring regulatory oversight to the Irish Data Protection Commission (DPC), which will continue to oversee ongoing inquiries.
The IDPA launched its investigation in March 2023 and concluded its findings after reviewing feedback from the European Data Protection Board (EDPB) on December 18. The EDPB examined the use of personal data in developing and deploying AI models.
Historical Context of the Ban
In March 2023, Italy became the first Western nation to temporarily ban ChatGPT due to privacy concerns. The IDPA initiated an investigation into alleged violations of data privacy regulations.
The decision to ban ChatGPT drew criticism from various stakeholders. A few weeks later, regulators announced that the ban would be lifted if OpenAI implemented specific transparency measures. On April 29, ChatGPT resumed operations in Italy.