Background on the Investigation
In December 2023, Italy’s data protection agency, also known as the Garante, announced that it had fined OpenAI, the maker of the popular AI chatbot ChatGPT, a staggering 15 million euros (approximately $15.7 million). This fine was imposed after an extensive investigation by the Italian Data Protection Authority (IDPA) into the company’s data collection practices.
IDPA’s Findings and Consequences
According to the IDPA’s statement, their investigation revealed that OpenAI had failed to notify the agency about a significant data breach in March 2023. Moreover, the watchdog found that OpenAI processed users’ personal data to train its AI model without first identifying an adequate legal basis for this action, thereby violating key principles of transparency and related information obligations towards users.
Age Verification Mechanisms
The IDPA’s investigation also highlighted a major concern regarding age verification mechanisms on OpenAI’s platform. The agency found that the company did not have sufficient measures in place to prevent underage individuals from using its services, exposing minors under 13 to potentially unsuitable content.
Quoting the IDPA:
"Furthermore, OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness."
Corrective Measures
In response to the IDPA’s findings, OpenAI will be required to conduct a six-month public awareness campaign across various media platforms (radio, television, newspapers, and internet) with the primary goal of promoting public understanding and awareness of ChatGPT’s functioning. This includes:
- Data Collection and User Rights: The campaign will explain how data is collected from both users and non-users to train generative AI.
- Rights under GDPR: Specifically, it will inform users about their rights to oppose the training of generative AI with their data and to exercise other rights under the European Union’s General Data Protection Regulation (GDPR).
Consequences of Non-Compliance
Companies that violate the GDPR can face significant fines, up to $20 million or 4% of their global turnover.
Quoting the IDPA:
"Companies that violate the GDPR can be fined up to $20 million or 4% of their global turnover."
OpenAI’s Cooperation and Shift in Leadership
During the investigation, OpenAI demonstrated a collaborative attitude, which the IDPA noted positively. This cooperative approach contributed to reducing the size of the fine.
Interestingly, during the investigation period, OpenAI relocated its European headquarters from Italy to Ireland. This move ensured that any ongoing investigations would now be handled by the Irish Data Protection Authority (DPC), which has become the lead supervisory authority in such matters.
Related Developments
OpenAI recently faced another challenge when Apple’s update combined Siri with ChatGPT, leading to an outage for some users.
Italy was the first Western country to temporarily block ChatGPT due to privacy concerns. The IDPA announced an investigation into suspected breaches of data privacy rules, which eventually led to the lifting of the ban once OpenAI met several transparency measures.
Conclusion
The fine imposed on OpenAI by Italy’s data protection agency serves as a clear reminder of the importance of complying with data protection regulations in the AI and tech industry. As technology continues to evolve, ensuring transparency and protecting users’ rights will be paramount for companies like OpenAI.
Sources:
- Garante Privacy
- The IDPA’s statement on their website