The Italian data protection authority, Garante, has initiated an investigation into OpenAI, the company behind the AI platform ChatGPT, for alleged breaches of privacy legislation.
This move follows a multi-month scrutiny of ChatGPT, the AI chatbot’s operations by Italy’s data protection authority.
While specific details of the findings have not been disclosed, the Garante has notified OpenAI of the allegations and granted the company a 30-day window to respond and defend against the accusations. The potential breaches of the pan-European privacy regulations could lead to fines of up to €20 million or 4% of OpenAI’s global annual turnover.
The investigation primarily focuses on OpenAI’s compliance with the General Data Protection Regulation (GDPR), particularly concerning the processing of personal data for training ChatGPT’s algorithms. The Garante had previously imposed a temporary ban on ChatGPT’s local data processing, citing concerns about the lack of a suitable legal basis for data collection and processing, as well as issues related to data accuracy and child safety.
Despite OpenAI’s efforts to address some of the concerns raised by the Italian authority last year, the investigation has now progressed to preliminary conclusions suggesting violations of EU law. Of particular concern is OpenAI’s reliance on the legal basis for processing personal data, with questions raised about its compliance with GDPR requirements.
The Garante’s statement indicates that OpenAI may have violated several articles of the GDPR, including those related to data processing legality, consent, and legitimate interests. The authority’s scrutiny extends beyond Italy, with similar investigations underway in Poland following complaints about ChatGPT’s inaccurate information production and OpenAI’s response to such incidents.
In response to increasing regulatory risks across the EU, OpenAI has taken steps to establish a physical presence in Ireland. The company aims to obtain “main establishment” status in Ireland, which would streamline its GDPR compliance assessments under the one-stop-shop mechanism. However, these efforts do not absolve OpenAI from ongoing investigations, including those initiated by the Italian and Polish data protection authorities.
While the European Data Protection Board seeks to coordinate oversight efforts through a task force, individual authorities retain the autonomy to issue decisions within their jurisdictions. As a result, the outcomes of the current probes into the operations of ChatGPT are uncertain, with potential implications for OpenAI’s compliance and business operations in the EU.
OpenAI has yet to provide an official response to the Garante’s notification of violations, pointing to the beginning of a legal process that could reshape the future of AI regulation and data privacy enforcement in Europe.
