Italy’s data protection authority has fined ChatGPT maker OpenAI a fine of €15 million ($15.66 million) over how the generative artificial intelligence application handles personal data.
The fine comes nearly a year after the Garante found that ChatGPT processed users’ information to train its service in violation of the European Union’s General Data Protection Regulation (GDPR).
The authority said OpenAI did not notify it of a security breach that took place in March 2023, and that it processed the personal information of users to train ChatGPT without having an adequate legal basis to do so. It also accused the company of going against the principle of transparency and related information obligations toward users.
“Furthermore, OpenAI has not provided for mechanisms for age verification, which could lead to the risk of exposing children under 13 to inappropriate responses with respect to their degree of development and self-awareness,” the Garante said.
Besides levying a €15 million fine, the company has been ordered to carry out a six-month-long communication campaign on radio, television, newspapers, and the internet to promote public understanding of how ChatGPT works.
This specifically includes the nature of data collected, both user and non-user information, for the purpose of training its models, and the rights that users can exercise to object, rectify, or delete that data.
“Through this communication campaign, users and non-users of ChatGPT will have to be made aware of how to oppose generative artificial intelligence being trained with their personal data and thus be effectively enabled to exercise their rights under the GDPR,” the Garante added.
Italy was the first country to impose a temporary ban on ChatGPT in late March 2023, citing data protection concerns. Nearly a month later, access to ChatGPT was reinstated after the company addressed the issues raised by the Garante.
In a statement shared with the Associated Press, OpenAI called the decision disproportionate and that it intends to appeal, stating the fine is nearly 20 times the revenue it made in Italy during the time period. It further said it’s committed to offering beneficial artificial intelligence that abides by users’ privacy rights.
The ruling also follows an opinion from the European Data Protection Board (EDPB) that an AI model that unlawfully processes personal data but is subsequently anonymized prior to deployment does not constitute a violation of GDPR.
“If it can be demonstrated that the subsequent operation of the AI model does not entail the processing of personal data, the EDPB considers that the GDPR would not apply,” the Board said. “Hence, the unlawfulness of the initial processing should not impact the subsequent operation of the model.”
“Further, the EDPB considers that, when controllers subsequently process personal data collected during the deployment phase, after the model has been anonymised, the GDPR would apply in relation to these processing operations.”
Earlier this month, the Board also published guidelines on handling data transfers outside non-European countries in a manner that complies with GDPR. The guidelines are subject to public consultation until January 27, 2025.
“Judgements or decisions from third countries authorities cannot automatically be recognised or enforced in Europe,” it said. “If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies.”
