ChatGPT: The Italian Data Protection Authority issued a 15 million Euro fine and prescribed an awareness campaign

On November 2, 2024 the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) published its long-awaited decision regarding ChatGPT, the well-known AI platform that emulates and processes human conversations. In its decision, the Garante levied a fine of 15 million Euros and ordered the company OpenAI L.L.C. (“OpenAI”) to implement a six-month campaign to raise public awareness about ChatGPT and specifically about the collection of personal data to train generative artificial intelligence and the rights of data subjects.

The fine took into account OpenAI’s cooperative approach and reflects implementation of different measures requested by the Garante.

The decision followed an investigation undertaken in 2023 after a data breach involving ChatGPT subscriber conversations and payment information. At that time, the Garante imposed an immediate temporary block on ChatGPT processing Italian users’ personal data. That block was later suspended on the condition that OpenAI carry out certain activities, including publishing an updated privacy policy and implementing adequate age-verification systems.

The Garante found OpenAI responsible for the following forms of data protection infringement:

  • failure to report the March 2023 data breach to the Garante;
  • processing users’ personal data to train ChatGPT without a legal basis;
  • failing to inform users adequately about the processing of their personal data, including using that data to train its AI model;
  • lack of adequate age-verification mechanisms when the service was launched;
  • failing to implement the campaign to raise awareness prescribed by the 2023 order;
  • infringing the accuracy principle: despite the adopted measures, OpenAI cannot guarantee the accuracy of the output data. Such data is based on statistical mechanisms, with no oversight of its content or meaning (i.e., based on user queries, ChatGPT provides answers including the most likely string of words) and it is often incorrect.

OpenAI has 30 days to pay the fine and 60 days to submit a plan for the awareness campaign to the Garante. The campaign must start within 45 days of being approved by the Garante. Within 60 days of the end of the campaign, OpenAI must provide the Garante with information to assess its impact.

Finally, during the investigation, OpenAI established its European headquarters in Ireland. Therefore, the Irish Data Protection Authority (DPC) is OpenAI’s lead supervisory authority. In compliance with what is known as the one-stop-shop mechanism, the Garante forwarded the documents from the proceeding to the DPC, which will be responsible for investigating any further infringement.
