Italy: Garante bans ChatGPT due to data protection violations

The Italian data protection authority (‘Garante’) announced, on 31 March 2023, that it had issued, in line with its corrective powers under Article 58(2)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), a temporary limitation on the personal data processing by OpenAI, L.L.C., which manages ChatGPT, in relation to data subjects established in Italy due to violations of Articles 5, 6, 8, 13, and 25 of the GDPR.

Background

In particular, the Garante conducted an investigation into ChatGPT’s data processing activities.

Following its investigation, the Garante outlined several privacy concerns regarding ChatGPT’s services, including:

  • that there is no information provided to users, nor to interested parties whose data is collected by OpenAI and processed through the ChatGPT service;
  • an absence of suitable legal bases in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the functioning of ChatGPT;
  • that the processing of personal data of interested parties is inaccurate as the information provided by ChatGPT does not always correspond to the real data; and
  • the absence of any verification of the users’ age in relation to the ChatGPT service which, according to the terms published by OpenAI, is reserved for individuals who are at least 13 years old.

Outcomes

In light of the above, the Garante concluded that the processing of users’ personal data, including that of minors, by ChatGPT is in violation of Articles 5, 6, 8, 13 and 25 of the GDPR. Importantly, the Garante confirmed that the ban will have immediate effect and that OpenAI must communicate within 20 days the measures undertaken to implement the provisions and to provide any element deemed useful to justify the violations.

You can read the press release here and the order here, available in Italian.

UPDATE (6 April 2023)

OpenAI meets with Garante, presents commitments for protecting Italian users

The Garante announced, on 6 April 2023, that, in the course of a meeting, OpenAI confirmed its willingness to cooperate in order to address the concerns raised by the Garante regarding ChatGPT, while also outlining that OpenAI believes it is complying within applicable personal data protection laws. In particular, the Garante reported that OpenAI is committed to enhancing transparency in the use of data subjects’ personal data and existing mechanisms to exercise data subject rights and safeguards for children. Importantly, the Garante highlighted that OpenAI had undertook to provide the Garante with a document setting out the measures to address the requests laid out by the Garante.

You can read the press release, available in Italian and English, here.

UPDATE (13 April 2023)

Garante announces halt of temporary ban if OpenAI implements required measures

The Garante announced, on 12 April 2023, that OpenAI will have until 30 April 2023 to comply with the Garante’s requirements and thus obtain a halt of the temporary ban imposed on OpenAI to process the personal data of Italian data subjects, so that ChatGPT will be available once again from Italy. In particular, the Garante detailed that, among other things, OpenAI will have to draft and make available, on its website, an information notice describing the arrangements and logic of the data processing required for the operation of ChatGPT along with the rights afforded to data subjects, and make these rights, such as the right to retification, the right to deletion, and the right to object to the processing of their personal data, available through useful tools to such data subjects. Moreover, the Garante asked OpenAI to immediately implement an age-gating system for the purpose of signing up to the service and to promote an awareness-raising campaign through radio, TV, newspapers, and the internet.

You can read the press release, available in Italian and English, here.

UPDATE (2 May 2023)

Garante authorises OpenAI to reinstate ChatGPT

The Garante announced, on 28 April 2023, that it had received a letter from OpenAI, describing the measures the latter had implemented regarding ChatGPT, in order to comply with the order issued by the Garante. In particular, the Garante noted that OpenAI, among other things:

  • expanded the information provided to EU users and non-users;
  • amended and clarified several mechanisms and deployed solutions to enable users and non-users to exercise their rights, such as the right to opt-out of processing of personal data for training of algorithms; and
  • added, in a dedicated page reserved to Italian registered users, a button that allows the same to confirm that they are at least 18 years of age prior to gaining access to the service, or alternatively that they are aged above 13 and have obtained parental consent.

Based on the actions taken by OpenAI, the Garante authorized the reinstatement of ChatGPT for Italian users.

You can read the press release, available in Italian and English, here.