Italy’s Data Protection Authority, known as “Il Garante,” fined OpenAI €15 million for breaking GDPR rules. This decision followed an investigation into ChatGPT, OpenAI’s AI-powered chatbot, which began in March 2023.
Key Findings from the Investigation
- Data Breach Notification Failure: OpenAI did not inform Il Garante about a data breach in March 2023, violating transparency rules.
- Unlawful Data Processing: OpenAI processed user data without valid legal permission and failed to inform users how their data was used to train the chatbot.
- Lack of Age Verification: OpenAI did not have proper checks to prevent children under 13 from accessing ChatGPT, exposing them to harmful or inappropriate content.
Transparency Campaign Ordered
Beyond the fine, Il Garante ordered OpenAI to run a six-month public awareness campaign. The campaign will educate users about:
- ChatGPT’s data collection practices.
- Their rights under GDPR, including opposing, correcting, and deleting data.
The campaign will appear on radio, TV, newspapers, and online. OpenAI must work with Il Garante to create clear and accurate content for this effort.
Future Oversight
OpenAI recently set up its European headquarters in Ireland. As a result, the Irish Data Protection Commission (DPC) will now oversee ongoing investigations under GDPR’s “one-stop shop” rule.
Importance of GDPR Compliance
This €15 million fine sends a strong message about the importance of protecting user data. It highlights the need for AI companies to ensure transparency, follow legal data processing rules, and safeguard children using their services.
This case sets an example for regulating AI across Europe, ensuring that innovation respects users’ privacy and rights.
Source: cybersecuritynews
