Key Points
- Italy fined OpenAI €15 million for improper use of personal data in ChatGPT.
- The regulator cited a lack of legal basis and inadequate transparency as primary violations. OpenAI plans to appeal, calling the penalty “disproportionate.”
- OpenAI must run a six-month awareness campaign on its data practices in Italy.
- GDPR rules enable penalties of up to €20 million or 4% of global revenue for violations.
Italy’s data protection authority has imposed a €15 million ($15.58 million) fine on OpenAI, the creator of ChatGPT, following the conclusion of an investigation into the AI platform’s use of personal data. The regulator determined that OpenAI processed user data to train its algorithms without adequate legal justification, violating transparency requirements and related obligations to inform users.
OpenAI criticized the decision as “disproportionate” and announced plans to appeal the fine. The investigation, launched in 2023, also found that the company lacked a robust age verification system to prevent children under 13 from accessing potentially inappropriate AI-generated content. This gap in compliance further heightened concerns about the platform’s adherence to privacy and safety regulations.
As part of the ruling, OpenAI must conduct a six-month public awareness campaign in Italy to educate users and non-users about how ChatGPT operates, particularly focusing on its data collection practices. The Italian authority, Garante, has become a prominent figure in the European Union’s regulatory landscape, actively ensuring that AI platforms comply with the bloc’s strict data privacy laws under the General Data Protection Regulation (GDPR).
This is not the first instance of Garante scrutinizing OpenAI. In 2023, the watchdog temporarily banned ChatGPT in Italy due to alleged GDPR violations. The service was reinstated after OpenAI, backed by Microsoft, addressed some identified concerns, including granting users the right to refuse consent to the use of their data for training algorithms.
OpenAI emphasized its commitment to privacy, arguing that the fine significantly exceeded its earnings from Italy during the period in question. The company said the regulator’s decision could stifle Italy’s ambitions to foster AI development. Despite OpenAI’s cooperative stance, the regulator stated that the fine could have been higher, underlining the gravity of the violations.
The GDPR allows fines of up to €20 million or 4% of a company’s global revenue for breaches, underscoring the high stakes for companies operating in the EU’s rigorous regulatory environment.