Italy’s privacy regulator has informed OpenAI that its AI-based chatbot, ChatGPT, violates data protection laws. This announcement comes as the regulator, known as Garante, progresses with an investigation initiated last year.
Garante, recognized for its active examination of AI platforms under the EU’s data privacy framework, previously halted ChatGPT due to purported non-compliance with EU privacy regulations.
The investigation revealed issues related to the accumulation of personal data and safeguards for minors, given that ChatGPT operates by processing vast quantities of internet data.
OpenAI, the creator of ChatGPT, has been given a 30-day period to present its counterarguments. Italy has been particularly strict regarding ChatGPT’s data protection, having been the first Western nation to suspend the service in March 2023 over privacy concerns.
The service was reinstated about a month later, with OpenAI asserting it had resolved or elucidated the concerns highlighted by the Italian Data Protection Authority (DPA).
The DPA’s ongoing “fact-finding activity” has identified violations of data privacy, particularly the extensive gathering of user data for algorithm training and potential exposure of minors to unsuitable content.
Violations of the EU’s General Data Protection Regulation (GDPR) could result in fines of up to 4% of a company’s worldwide revenue.
The Italian DPA collaborates with the European Data Protection Board, which established a task force in April 2023 to oversee ChatGPT.
Despite welcoming OpenAI’s compliance measures upon ChatGPT’s reinstatement, the Italian regulator has urged for more stringent actions, including the implementation of an age verification system and a public awareness campaign about personal data processing rights and opt-out provisions.
