On 31 March 2023, the Italian Data Protection Authority (the “Garante per la Protezione dei Dati Personali” or GPDP) issued a statement temporarily halting the processing of personal information by the AI chatbot ChatGPT in Italy. The authority alleges that the chatbot processes user data without providing any information to users, in breach of the European Union’s General Data Protection Regulation (GDPR).
The GPDP also argues that there is “no legal basis underpinning the massive collection and processing of personal data” (which is used to train large language models such as ChatGPT), and expresses concern that the chatbot occasionally processes inaccurate personal data and does not incorporate an age-verification process to prevent minors from accessing inappropriate information.
In terms of the statement, OpenAI, the company behind ChatGPT, has 20 days from the day the statement was released to respond with evidence of measures taken to comply with the order. Failure to comply could result in the company incurring a fine of €20 million or 4% of its total global turnover. In a statement, OpenAI CEO Sam Altman said: “We of course defer to the Italian government and have ceased offering ChatGPT in Italy (though we think we are following all privacy laws).”
- The GPDP’s statement is available here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].