Italian Regulator Finds ChatGPT Violates EU Data Privacy Laws

February 6, 2024

The Italian data protection authority, known as “Garante per la protezione dei dati personali,” has issued a stern notification to OpenAI, asserting that ChatGPT, the widely-used AI chatbot, has run afoul of the European Union’s stringent data protection regulations.

This declaration comes in the wake of a series of investigations into ChatGPT’s operations, which began in early April 2023. At that time, the Italian Data Protection Authority imposed a temporary ban on ChatGPT due to multiple infractions, including the illegal collection of personal data and the absence of mechanisms to verify the ages of minors engaging with the platform.

The Italian watchdog, Garante, emphasized that OpenAI failed to adequately inform users that their personal data was being collected, thus breaching crucial aspects of the General Data Protection Regulation (GDPR), a cornerstone of EU privacy legislation.

Moreover, the Authority criticized the lack of a legal basis justifying the extensive collection and processing of personal data purportedly for training ChatGPT’s algorithms. Tests conducted by the Authority revealed discrepancies between the information provided by ChatGPT and the actual facts, indicating the processing of inaccurate personal data.

One particularly alarming finding was that ChatGPT frequently delivered responses unsuitable for minors, despite the platform’s stated design for users above the age of 13. This exposure of minors to potentially inappropriate content raised significant concerns among regulators.

OpenAI responded to the initial ban by assuring the Italian data protection authority that it would address the identified shortcomings by the given deadline of April 30. Consequently, the ban on ChatGPT was lifted.

However, the conclusion of Garante’s fact-finding endeavors led to the determination that ChatGPT had indeed violated provisions outlined in the GDPR. This outcome underscores the pressing need for stricter adherence to data privacy regulations, especially in the realm of AI-driven technologies where the potential for misuse and infringement on user rights is significant.

Source: Security Affairs