Garante, (Italy’s data protector) has fined ChatGPT’s OpenAI for processing users’ personal information “to train ChatGPT without having an adequate legal basis and violated the principle of transparency and the related information obligations towards users.” The fine is 15 million euros. In addition to the fine, OpenAI will have to comply with a six-month information campaign. A machine translation of the Garante’s press release:
The Guarantor for the protection of personal data has recently adopted a corrective and sanctioning measure against OpenAI in relation to the management of the ChatGPT service.
The provision, which ascertains the violations previously contested to the Californian company, comes at the end of an investigation started in March 2023 and after the EDPB (European Data Protection Board) published the opinion with which it identifies a common approach to some of the most relevant issues relating to the processing of personal data in the context of the design, development and distribution of services based on artificial intelligence.
According to the Guarantor, the US company, which created and manages the generative artificial intelligence chatbot, in addition to not having notified the Authority of the data breach suffered in March 2023, processed users’ personal data to train ChatGPT without first identifying an adequate legal basis and violated the principle of transparency and the related information obligations towards users. Furthermore, OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness.
The Authority, with the aim of ensuring, first and foremost, effective transparency in the processing of personal data, has ordered OpenAI, using for the first time the new powers provided for by Article 166, paragraph 7 of the Privacy Code, to carry out a 6-month institutional communication campaign on radio, television, newspapers and the Internet.
The contents, to be agreed with the Authority, will have to promote public understanding and awareness of the functioning of ChatGPT, in particular on the collection of data from users and non-users for the training of generative artificial intelligence and the rights exercisable by the interested parties, including those of opposition, rectification and cancellation.
Thanks to this communication campaign, ChatGPT users and non-users should be made aware of how to oppose the training of generative artificial intelligence with their personal data and, therefore, be effectively placed in the position to exercise their rights under the GDPR.
The Guarantor has imposed a fine of fifteen million euros on OpenAI, also calculated taking into account the company’s collaborative attitude.
Finally, given that the company, during the investigation, established its European headquarters in Ireland, the Guarantor, in compliance with the so-called one-stop shop rule, transmitted the documents of the procedure to the Irish Data Protection Authority (DPC), which has become the lead supervisory authority pursuant to the GDPR, so that it can continue the investigation in relation to any violations of a continuing nature that did not end before the opening of the European establishment.
Rome, December 20, 2024