Italy Bans ChatGPT and Begins Investigating Potential GDPR Violations by OpenAI

Yesterday, the Italian Data Protection Authority (DPA) issued an order under Europe’s General Data Protection Regulation (GDPR) requiring OpenAI to immediately stop processing local user data, effectively blocking ChatGPT until OpenAI complies with European data protection laws. (English coverage by the BBC.) In its order and accompanying press release, the DPA announced that it would open an investigation into whether OpenAI violated the GDPR by (1) unlawfully processing people’s data without their consent and (2) failing to implement any age-verification or other preventive measures for minors accessing ChatGPT. OpenAI has 20 days to respond or face a penalty of up to €20 million ($21.7 million) or 4% of OpenAI’s annual turnover.

The DPA’s order comes at a time of increased scrutiny over ChatGPT and similar generative A.I. models, and because the GDPR empowers data protection agencies across the European Union to address violations of local users’ data protection rights, Italy may be the first of multiple European countries to take aim at ChatGPT. However, the GDPR violations alleged by the DPA are not limited to new generative A.I. models like ChatGPT; data processing and age verification issues extend to a wide variety of A.I. and machine-learning applications. Depending on the results of the DPA’s investigation, this order may impact a broad range of A.I. systems beyond ChatGPT.

In both the United States and Europe, EPIC has long advocated for commonsense A.I. regulations and bans on particularly dangerous A.I. applications like emotion recognition and biometric identification. This past November, EPIC urged the FTC to use its authority under Section 5 of the FTC Act to prevent unfair and deceptive commercial data practices, including practices that violate the privacy of minors and those that use A.I. systems to process user data without meaningful notice and consent.