Italy Imposes EUR 15 Million Fine on OpenAI for Violating GDPR


The Italian Data Protection Authority (known as “Il Garante”) has imposed a €15 million fine on OpenAI for violations of the General Data Protection Regulation (GDPR).

This punitive measure follows an investigation into the operation of OpenAI’s ChatGPT service, initiated in March 2023, and marks a significant moment in the regulation of artificial intelligence technologies in Europe.

Findings of the Investigation

The investigation uncovered multiple GDPR breaches by OpenAI. The company failed to notify Il Garante about a data breach suffered in March 2023, violating transparency obligations.

Furthermore, OpenAI was found to have processed users’ data without establishing a valid legal basis.

The chatbot, which uses generative AI, leveraged this data to train its models without adequately informing users, breaching GDPR’s principles of transparency and accountability.

Another critical concern raised during the investigation was the absence of effective age verification measures.

This shortcoming exposed children under 13 to potentially harmful or inappropriate responses, contravening rules designed to protect minors.

Beyond the fine, Il Garante has ordered OpenAI to conduct a nationwide six-month transparency campaign.

For the first time, the authority utilized Article 166, paragraph 7 of Italy’s Privacy Code, leveraging its full powers to mandate a comprehensive public communication effort.

The campaign will span radio, television, newspapers, and the internet. Its purpose is to raise public awareness about how ChatGPT functions, including its data collection practices and users’ rights under GDPR.

OpenAI must collaborate with Il Garante to develop content that educates users and non-users about their rights, specifically regarding opposition, rectification, and deletion of data.

This initiative aims to empower individuals to make informed decisions about their data and resist the inclusion of their information in generative AI training datasets.

During the investigation, OpenAI established its European headquarters in Ireland. As required by the GDPR’s “one-stop shop” mechanism, Il Garante has transferred the case documents to the Irish Data Protection Commission (DPC).

The DPC will now act as the lead supervisory authority, continuing to investigate ongoing violations that may not have been resolved before OpenAI’s European presence was formalized.

The €15 million fine and the transparency campaign underscore the increasing vigilance of European regulators toward AI-powered services.

Il Garante’s decision reinforces the importance of GDPR compliance, especially in protecting sensitive user data from opaque processing practices.

This case also highlights the significance of child protection measures in AI services and sets a precedent for similar actions across Europe.
