Italy’s data protection authority, Garante, has fined OpenAI €15 million ($15.58 million) following an investigation into the use of personal data by its generative AI application, ChatGPT.
The penalty marks a significant enforcement of the European Union’s strict privacy laws.
The watchdog concluded that OpenAI processed user data to train ChatGPT without a sufficient legal basis, breaching transparency requirements and failing to meet information obligations under the EU’s General Data Protection Regulation.
The authority also criticized OpenAI for its lack of an adequate age verification system, exposing children under 13 to potentially inappropriate AI-generated content.
OpenAI, which is backed by Microsoft, called the decision “disproportionate” and announced plans to appeal. The company argued that the fine is “nearly 20 times the revenue we made in Italy during the relevant period” and accused Garante of taking an approach that could harm Italy’s AI development ambitions.
“They’ve since recognized our industry-leading approach to protecting privacy in AI, yet this fine undermines progress,” OpenAI said in a statement.
As part of the resolution, Garante has ordered OpenAI to launch a six-month public awareness campaign in Italian media to educate users about how ChatGPT collects and processes data. This directive aims to improve transparency, particularly for non-users whose data may also be used to train algorithms.
This is not the first time OpenAI has faced regulatory challenges in Italy. Last year, Garante temporarily banned ChatGPT, citing privacy concerns. The service was reinstated after OpenAI made changes, including allowing users to refuse consent for their data to be used in training the platform’s algorithms.
The €15-million fine reflects OpenAI’s cooperative stance during the investigation, the regulator noted, implying that penalties could have been higher. Under GDPR, violations can result in fines of up to €20 million or 4% of a company’s global turnover, whichever is greater.
Garante’s decision underscores its proactive role in ensuring compliance with EU privacy laws, particularly in the fast-evolving field of artificial intelligence.
