The Italian Data Protection Authority (known as “Il Garante”) has imposed a €15 million fine on OpenAI for violations of the General Data Protection Regulation (GDPR).
This punitive measure follows an investigation into the operation of OpenAI’s ChatGPT service, initiated in March 2023, and marks a significant moment in the regulation of artificial intelligence technologies in Europe.
The investigation uncovered multiple GDPR breaches by OpenAI. The company failed to notify Il Garante about a data breach suffered in March 2023, violating transparency obligations.
Furthermore, OpenAI was found to have processed users’ data without establishing a valid legal basis.
The chatbot, which uses generative AI, leveraged this data to train its models without adequately informing users, breaching GDPR’s principles of transparency and accountability.
Another critical concern raised during the investigation was the absence of effective age verification measures.
This shortcoming exposed children under 13 to potentially harmful or inappropriate responses, contravening rules designed to protect minors.
Beyond the fine, Il Garante has ordered OpenAI to conduct a nationwide six-month transparency campaign.
For the first time, the authority utilized Article 166, paragraph 7 of Italy’s Privacy Code, leveraging its full powers to mandate a comprehensive public communication effort.
The campaign will span radio, television, newspapers, and the internet. Its purpose is to raise public awareness about how ChatGPT functions, including its data collection practices and users’ rights under GDPR.
OpenAI must collaborate with Il Garante to develop content that educates users and non-users about their rights, specifically regarding opposition, rectification, and deletion of data.
This initiative aims to empower individuals to make informed decisions about their data and resist the inclusion of their information in generative AI training datasets.
During the investigation, OpenAI established its European headquarters in Ireland. As required by the GDPR’s “one-stop shop” mechanism, Il Garante has transferred the case documents to the Irish Data Protection Commission (DPC).
The DPC will now act as the lead supervisory authority, continuing to investigate ongoing violations that may not have been resolved before OpenAI’s European presence was formalized.
The €15 million fine and the transparency campaign underscore the increasing vigilance of European regulators toward AI-powered services.
Il Garante’s decision reinforces the importance of GDPR compliance, especially in protecting sensitive user data from opaque processing practices.
This case also highlights the significance of child protection measures in AI services and sets a precedent for similar actions across Europe.