Italy Fines OpenAI €15 Million for ChatGPT GDPR Data Privacy Violations

Avatar
Italy’s data protection authority has fined ChatGPT maker OpenAI a fine of €15 million ($15.66 million) over how the generative artificial intelligence application handles personal data. The fine comes nearly a year after the Garante found that ChatGPT processed users’ information to train its service in violation of the European Union’s General Data Protection Regulation (GDPR). The authority

Italy’s data protection authority has fined ChatGPT maker OpenAI a fine of €15 million ($15.66 million) over how the generative artificial intelligence application handles personal data.

The fine comes nearly a year after the Garante found that ChatGPT processed users’ information to train its service in violation of the European Union’s General Data Protection Regulation (GDPR).

The authority said OpenAI did not notify it of a security breach that took place in March 2023, and that it processed the personal information of users to train ChatGPT without having an adequate legal basis to do so. It also accused the company of going against the principle of transparency and related information obligations toward users.

“Furthermore, OpenAI has not provided for mechanisms for age verification, which could lead to the risk of exposing children under 13 to inappropriate responses with respect to their degree of development and self-awareness,” the Garante said.

Besides levying a €15 million fine, the company has been ordered to carry out a six-month-long communication campaign on radio, television, newspapers, and the internet to promote public understanding of how ChatGPT works.

This specifically includes the nature of data collected, both user and non-user information, for the purpose of training its models, and the rights that users can exercise to object, rectify, or delete that data.

“Through this communication campaign, users and non-users of ChatGPT will have to be made aware of how to oppose generative artificial intelligence being trained with their personal data and thus be effectively enabled to exercise their rights under the GDPR,” the Garante added.

Italy was the first country to impose a temporary ban on ChatGPT in late March 2023, citing data protection concerns. Nearly a month later, access to ChatGPT was reinstated after the company addressed the issues raised by the Garante.

In a statement shared with the Associated Press, OpenAI called the decision disproportionate and that it intends to appeal, stating the fine is nearly 20 times the revenue it made in Italy during the time period. It further said it’s committed to offering beneficial artificial intelligence that abides by users’ privacy rights.

The ruling also follows an opinion from the European Data Protection Board (EDPB) that an AI model that unlawfully processes personal data but is subsequently anonymized prior to deployment does not constitute a violation of GDPR.

“If it can be demonstrated that the subsequent operation of the AI model does not entail the processing of personal data, the EDPB considers that the GDPR would not apply,” the Board said. “Hence, the unlawfulness of the initial processing should not impact the subsequent operation of the model.”

“Further, the EDPB considers that, when controllers subsequently process personal data collected during the deployment phase, after the model has been anonymised, the GDPR would apply in relation to these processing operations.”

Earlier this month, the Board also published guidelines on handling data transfers outside non-European countries in a manner that complies with GDPR. The guidelines are subject to public consultation until January 27, 2025.

“Judgements or decisions from third countries authorities cannot automatically be recognised or enforced in Europe,” it said. “If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Inside Operation Destabilise: How a ransomware investigation linked Russian money laundering and street-level drug dealing

Next Post

U.S. Judge Rules Against NSO Group in WhatsApp Pegasus Spyware Case

Related Posts

Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the
Avatar
Read More

4 Reasons Your SaaS Attack Surface Can No Longer be Ignored

What do identity risks, data security risks and third-party risks all have in common? They are all made much worse by SaaS sprawl. Every new SaaS account adds a new identity to secure, a new place where sensitive data can end up, and a new source of third party risk. Learn how you can protect this sprawling attack surface in 2025. What do identity risks, data security risks and third-party
Avatar
Read More

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 – Nov 10)

⚠️ Imagine this: the very tools you trust to protect you online—your two-factor authentication, your car’s tech system, even your security software—turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn’t fiction; it’s the new cyber reality. Today’s attackers have become so sophisticated that they’re using our trusted tools as secret pathways,
Avatar
Read More