OpenAI Slapped with over $15 Million Fine by Italy
Italy's Data Protection Authority, also known as the Garante, has imposed a fine of €15 million ($15.7 million) on OpenAI and instructed the company to launch a six-month public awareness campaign.
The directive follows an in-depth investigation into how OpenAI collects and processes user data for its flagship AI model, ChatGPT.
In a statement issued on 20 December, the Garante outlined several violations uncovered during the probe.
It found that OpenAI had failed to notify the regulator of a significant data breach that occurred in March 2023, in which user conversations and payment information were exposed.
Additionally, the investigation revealed that OpenAI processed users' personal data to train ChatGPT without establishing an adequate legal basis for doing so.
This omission, according to the watchdog, contravened principles of transparency and violated obligations to inform users about how their data is collected and used.
#GarantePrivacy#IntelligenzaArtificiale Provvedimento correttivo e sanzionatorio nei confronti di #OpenAI in relazione alla gestione del servizio #ChatGPT: la società dovrà realizzare una campagna informativa di 6 mesi e pagare una sanzione di 15 mln € https://t.co/mhUb3Wlxlapic.twitter.com/nIAVgcSjUO
— Garante Privacy (@GPDP_IT) December 20, 2024
a
The fine and mandated awareness campaign are part of a broader effort by the Garante to ensure compliance with Europe's stringent data protection regulations.
The agency stressed that the six-month campaign must be designed to educate the public on ChatGPT's data practices, including how user information is collected, stored, and utilised in AI training.
OpenAI has been given specific instructions to clearly communicate its data practices and implement safeguards to better protect user privacy going forward.
OpenAI to Conduct Awareness Campaign
The Italian Data Protection Authority (IDPA) has concluded its investigation into OpenAI, revealing inadequate age verification measures to prevent underage users from accessing its services.
The IDPA noted:
“Furthermore, OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness.”
As a corrective measure, OpenAI has been mandated to launch a six-month public awareness campaign across radio, television, newspapers, and online platforms.
The campaign aims to educate the public on how ChatGPT operates, as well as inform users about their rights under the European Union's General Data Protection Regulation (GDPR), including how to oppose the use of their data for AI training.
The IDPA said:
“In particular on the collection of data from users and non-users for the training of generative artificial intelligence and the rights exercisable by the interested parties, including those of opposition, rectification and cancellation.”
Under the GDPR, companies face potential penalties of up to €20 million or 4% of global turnover for non-compliance.
The IDPA acknowledged OpenAI's "collaborative attitude" during the investigation, which led to a reduced fine.
During the inquiry, OpenAI relocated its European headquarters to Ireland, transferring oversight to the Irish Data Protection Authority (DPC) as the lead supervisory body for ongoing investigations.