OpenAI hit with €15M fine by Italy for privacy violations

Italy’s data protection authority has imposed a significant fine on OpenAI for privacy violations related to ChatGPT, marking a major regulatory action against the AI company in Europe.

Key enforcement action: Italy’s data protection agency has fined OpenAI 15 million euros ($15.58 million) following an investigation into ChatGPT’s handling of personal data.

• The regulator found that OpenAI processed users’ personal data to train ChatGPT without proper legal basis
• The company failed to meet transparency requirements and information obligations to users
• OpenAI lacked adequate age verification systems to protect children under 13 from inappropriate AI-generated content

Regulatory requirements: The Italian watchdog has mandated specific actions beyond the monetary penalty to address privacy concerns.

• OpenAI must conduct a six-month media campaign in Italy to educate the public about ChatGPT’s data collection practices
• The campaign must explain how the AI system uses data from both users and non-users to train its algorithms
• This follows a temporary ban of ChatGPT in Italy last year, which was lifted after OpenAI implemented certain privacy protections

Company response: OpenAI has pushed back against the regulatory action, highlighting disagreements over the scale and appropriateness of the penalty.

• The company announced plans to appeal the decision, describing it as “disproportionate”
• OpenAI claims the fine is nearly twenty times its revenue in Italy during the relevant period
• The company maintains it has implemented “industry-leading” privacy protection approaches

Regulatory context: The fine represents a significant enforcement action under EU privacy laws and demonstrates increasing regulatory scrutiny of AI systems.

• The Italian authority, Garante, has emerged as one of the EU’s most active regulators in assessing AI platforms’ compliance with privacy rules
• The fine was calculated under GDPR guidelines, which allow for penalties up to 20 million euros or 4% of global turnover
• The regulator noted that the final penalty took into account OpenAI’s “cooperative stance,” suggesting the fine could have been larger

Future implications: This enforcement action may signal heightened regulatory oversight of AI companies’ data practices across Europe.

• The case sets a precedent for how privacy regulators may approach AI systems’ data collection and processing practices
• Other European privacy authorities may follow Italy’s lead in scrutinizing AI companies’ compliance with GDPR
• The tension between AI innovation and privacy protection continues to shape the regulatory landscape for AI development in Europe