Il Guarantor for the protection of personal data ha imposed a €15 million fine on OpenAI, the company that created ChatGPT (from yesterday Also available on WhatsApp), for the improper data processing personal data of users. The decision closes an investigation which has developed over the course of more than a year and a half and which had raised questions about the management of data in the field of artificial intelligence and compliance with the GDPR, the European regulation that protects privacy. The fine, which took into account the company's cooperation, is accompanied by an order to OpenAI to launch a six-month institutional communication campaign, using various means of communication.
The Guarantor's objections to OpenAI
The investigation, which began in March 2023 following reports of privacy violations, highlighted two main violations: the poor transparency in data processing and the lack of an adequate legal basis for the processing of personal data. In particular, the company has not provided clear information on how the data were used to train the artificial intelligence model, creating confusion among users and violating the transparency principles required by the GDPR.
Additionally, OpenAI has employed the practice of “web scraping”, or the collection of public data from the web without asking for users' consent. This practice was not justified by an adequate legal basis, violating the principle that requires a clear and legitimate justification for the use of personal data.
The Guarantor also underlined that OpenAI did not notify the data breach suffered in March 2023 and processed the data without legal justification. Also contested was the lack of measures to verify the age of the users it exposed children under 13 to inappropriate responses for their development and self-awareness.
OpenAI's collaboration with authorities
Despite initial violations, OpenAI has proven to be collaborative, trying to adapt to the requests of the Guarantor and making changes to the service, such as the introduction of a “incognito” version which allows users to disable history conversations and limit the use of their data to train the model. These adjustments helped reduce the size of the fine.
The Guarantor uses a new tool: mandatory information campaign for 6 months
With this investigation, the Guarantor has introduced a novelty using a tool never used before. The Authority has in fact Article 166 of the Privacy Code applies, which allows impose mandatory information campaigns to those who violate data protection regulations. In this case, OpenAI was ordered a six-month campaign in major media outlets (radio, television, newspapers and the Internet) to ensure that ChatGPT users and non-users are adequately informed of their rights, including the possibility to object to the use of data for training artificial intelligence, as provided for by the GDPR.
The “One-Stop-Shop” principle and European responsibility
Since OpenAI has established its own European Headquarters in Ireland during the investigation, the Guarantor, in line with the “one stop shop” principle has forwarded the case to the Irish Data Protection Authority (DPC). This principle allows companies to resolve privacy issues in one country, where their headquarters are located, with the certainty that the solution will be valid throughout the EU. TheIrish Authority, therefore as the lead supervisory authority under the GDPR, the investigation will continue to verify any ongoing violations that were not resolved prior to the opening of the European facility.
The ChatGPT Case: A Global Privacy Case
The conflict between the Italian Guarantor and OpenAI began on March 31, 2023, when the Italian Authority decided to temporarily suspend processing of data from Italian users of ChatGPT, following a data leak. This intervention marked thestart of a series of measures also adopted by other countries, including Canada and Spain, which have adopted similar measures. In response, OpenAI temporarily suspended the service in Italy, only to reactivate it after introducing changes, such as the “incognito” version.
Over the course of the year, OpenAI has continued to cooperate with the authorities to address the issues that arose, but the initial violations were not fully remedied, ultimately leading to the sanction.
The EU and its fight to regulate AI
The OpenAI fine comes in a critical moment for artificial intelligence and privacy, while European authorities are trying to define a clear regulatory framework. This includes the approval of theTo the Acts, the first EU regulation (approved in March 2024) that comprehensively regulates artificial intelligence. Consisting of 85 articles, the Ai Act aims to ensure that theAI respects European rights and values, such as security, privacy, transparency, non-discrimination and social and environmental well-being.
In parallel, the European Data Protection Board has recently published an opinion which analyses the relationship between privacy and AI, underlining the need to ensure that personal data is not used in a way that identifies or tracks individuals. In this context, emphasis is placed on the fact that AI models must be designed to minimize the risk of user identification and on the importance of verifying the legitimacy of data processing.
