- Italian Data Protection Authority fines OpenAI €15 million for processing personal data without a legal basis
- OpenAI failed to inform users about data usage for training ChatGPT, breaching GDPR rules
- OpenAI ordered to run a six-month educational campaign to inform users of their data rights
The Italian Data Protection Authority (Garante per la protezione dei dati personali, GPDP) has imposed a €15 million fine on OpenAI, the company behind ChatGPT, following an investigation into its handling of personal data.
The GPDP concluded that OpenAI processed users’ data without a lawful basis and failed to meet transparency requirements regarding how the data was used.
According to the Authority, the violations occurred in 2023 when the company utilised personal data to train its generative AI model, ChatGPT, without obtaining proper legal consent or adequately informing users about the process.
In addition to the lack of transparency, the GPDP criticised OpenAI for not implementing age verification measures.
The Authority argued that this omission risks exposing children under 13 to inappropriate content that may not align with their developmental stage and self-awareness.
As part of the penalty, OpenAI has been ordered to conduct a six-month public awareness campaign across multiple platforms, including radio, television, newspapers, and the Internet.
The campaign, which must be developed in collaboration with the GPDP, aims to educate the public on how ChatGPT collects and processes user and non-user data.
It will also highlight individuals’ rights under the General Data Protection Regulation (GDPR), including the right to object, rectify, or delete personal data used for AI training.
“The campaign should empower users and non-users to effectively exercise their GDPR rights, enabling them to prevent their personal data from being used for generative AI training,” the GPDP stated.
This is not the first time OpenAI has faced scrutiny in Italy. In 2023, the GPDP temporarily banned ChatGPT over alleged GDPR violations, including improper data processing and inadequate user consent mechanisms.
The service was reinstated only after OpenAI addressed key concerns, including allowing users to refuse data processing for algorithm training.
The €15 million fine reflects the seriousness of the violations, though the GPDP acknowledged OpenAI’s cooperative attitude during the investigation.
This case underscores the growing regulatory focus on data privacy in the age of generative AI and the importance of complying with transparency and user protection standards.
Irish DPC fines Meta €251 million over 2018 global personal data breach
Meanwhile, TheRadar earlier reported that the Irish Data Protection Commission (DPC) fined Meta €251 million in Europe over a 2018 personal data breach that affected 29 million Facebook users globally.
The DPC announced the fine on Tuesday, December 17, noting that the breach in September 2018 was reported by Meta Platforms Ireland Limited (MPIL), with approximately three million out of the 29 million affected users based in the EU.