Italy fined OpenAI €15 million ($15.66 million) for violations of personal data privacy in its ChatGPT application according to Reuters. The Italian data protection authority, Garante, concluded that OpenAI processed user data unlawfully and failed to ensure adequate age verification. The fine, stemming from a 2023 investigation, emphasizes the seriousness of data privacy compliance under EU regulations.
Italy fines OpenAI €15 million for data privacy violations
The penalty follows the Garante’s investigation, which revealed OpenAI’s processing of user personal data without a sufficient legal basis. Additionally, the company did not uphold transparency principles as required by the EU’s General Data Protection Regulation (GDPR). OpenAI’s previous failure to report a security breach in March 2023 also contributed to this decision.
“Inadequate mechanisms for age verification” heighten the risk of exposing children under 13 to inappropriate AI-generated content, the Garante noted. In response to the fine, OpenAI criticized the ruling as “disproportionate” and announced plans to appeal. The company argues that the penalty is nearly 20 times its revenue in Italy during the investigation period.
As part of the ruling, OpenAI is mandated to conduct a six-month awareness campaign across various media outlets to explain how ChatGPT functions. This campaign will specifically address data collection practices, including how both user and non-user data is utilized for training algorithms, and outline users’ rights to object, rectify, or delete their personal information.
ChatGPT search is now free and it’s coming for Google
Italy’s proactive regulatory stance marks it as one of the EU’s leading authorities in enforcing compliance with data privacy rules. This fine is not the first action taken against OpenAI; the Garante temporarily banned ChatGPT in March 2023 over similar concerns before access was restored when OpenAI addressed the issues related to user consent for data usage.
OpenAI defended its practices, emphasizing its commitment to privacy and asserting that the ruling undermines Italy’s ambitions in artificial intelligence.
“When the Garante ordered us to stop offering ChatGPT in Italy in 2023, we worked with them to reinstate it a month later,” an OpenAI spokesperson told Associated Press. “They’ve since recognized our industry-leading approach to protecting privacy in AI, yet this fine is nearly 20 times the revenue we made in Italy during the relevant period.”
The Garante assessed OpenAI’s fine size considering the company’s cooperative approach during the investigation, suggesting that the penalty could have been significantly higher.
In conjunction with the fine, further guidelines from the European Data Protection Board (EDPB) clarify the implications of unauthorized personal data processing in AI models. It states that if anonymization occurs prior to any operational phase of the AI model, then GDPR violations may not apply to that model’s subsequent operations. However, if personal data is reprocessed after anonymization, GDPR does apply.
Featured image credit: Zac Wolff/Unsplash