Italian Watchdog fines OpenAI for GDPR Violations


In March 2023, the Italian Data Protection Authority, also known as Garante, launched an investigation into OpenAI’s practices concerning its AI model, ChatGPT. The investigation uncovered multiple violations of the General Data Protection Regulation (GDPR).

The key findings of the investigation included:

  1. Data Breach Notification Failure: OpenAI was found to have not properly informed individuals about a data breach that compromised user information. Under GDPR, organizations are required to notify affected individuals and the relevant supervisory authority within 72 hours of becoming aware of a breach.
  2. Lack of Legal Basis for Data Processing: The investigation revealed that OpenAI processed user data without a valid legal basis. GDPR mandates that data processing should be based on one of the six lawful bases, such as user consent, performance of a contract, or legitimate interests.
  3. Inadequate Age Verification Measures: OpenAI did not implement sufficient age verification measures to prevent children under the age of 13 from using ChatGPT. GDPR has specific provisions to protect children’s data, requiring parental consent for processing personal data of minors.

As a result of these findings, the Italian Data Protection Authority imposed a fine of €15 million on OpenAI. In addition to the financial penalty, OpenAI was mandated to carry out a public awareness campaign over the next six months. This campaign aims to inform the public about ChatGPT’s data collection practices and educate users about their rights under GDPR.

This ruling underscores the increasing regulatory scrutiny on AI technologies and the necessity for companies to adhere to privacy laws and protect user data.

This case also serves as a reminder for organizations worldwide to prioritize data protection and ensure compliance with applicable regulations. By doing so, they can build trust with users and mitigate the risks of hefty fines and reputational damage.
