Italian supervisory authority fines OpenAI 15 million euros


The Italian supervisory authority for data protection (Garante per la protezione dei dati personali) has fined OpenAI 15 million euros.

What happened?

The fine is the result of an investigation that the authority launched after OpenAI failed to notify it of a data breach that became known in March 2023. The investigation also examined whether OpenAI's processing of personal data was lawful at all. At the time, the authority had temporarily banned the operation of ChatGPT in Italy; it has now found that OpenAI used user data to train ChatGPT without an appropriate legal basis and violated its transparency obligations. In addition, OpenAI had not implemented appropriate age verification mechanisms, so that children under the age of 13 were potentially exposed to inappropriate content.

What must OpenAI do now?

In addition to paying the fine, OpenAI is now obliged to run a six-month information campaign on radio, television, in newspapers and on the Internet. The campaign is intended to inform the public about how ChatGPT works, in particular about the data it collects and the rights of data subjects. The order is based on Art. 166 no. 7 of the Italian Privacy Code, under which the Garante may, in addition to imposing a fine, order the publication of the administrative decision, in whole or in part, on its website, or order institutional communication campaigns to promote awareness of the right to the protection of personal data.

Because OpenAI established its European headquarters in Ireland while the investigation was ongoing, the case was referred to the Irish Data Protection Authority, which is now responsible for any further investigation.

According to media reports, OpenAI considers the Garante's decision disproportionate and has announced that it will appeal it.

Recommendations for practice

Companies that offer AI-based services should ensure that they have a clear legal basis for every processing of personal data, including the use of user data for model training; inform users transparently about what data is collected and how it is used; implement age verification that actually prevents access by underage users rather than relying on self-declaration alone; and have a process in place to notify the competent supervisory authority of personal data breaches (under Art. 33 GDPR, within 72 hours of becoming aware of them).
