Italian data protection authority bans ChatGPT citing privacy violations

The Italian privacy watchdog mandated a ban on the popular chatbot ChatGPT and launched an investigation on its provider OpenAI for suspected breaches of EU data protection rules.

Italy’s Garante for the protection of personal data on Friday (31 March) accused the AI system of breaching the EU General Data Protection Regulation (GDPR) and failing to implement age verification systems.

The blocking of the site for Italian users is temporary and will last until the provider OpenAI respects the EU privacy framework when processing the personal data of Italian users. The Italian data protection authority has also initiated an investigation into the American tech company.

Launched in November, ChatGPT has been notorious for its unprecedented ability to generate human-like text based on prompts. The chatbot has become one of the fastest-growing internet services surpassing 100 million users in just two months.

But according to the Garante, OpenAI has failed to inform users and individuals whose personal data has been processed to train the algorithm of its data processing practices. Even more importantly, the US company allegedly has no legal basis justifying the massive collection of personal data used to train its AI models.

“If OpenAI and other companies want to deploy these chatbots and related services in the EU, they’re going to have to ensure that they’re up to speed not only with the GDPR but with all relevant EU rules or else they’ll be facing fines and other consequences,” Access Now’s senior policy analyst Daniel Leufer told EURACTIV.

On 20 March, the AI-powered chatbot suffered a data breach regarding conversations and payment information of some subscribers to its premium services, ChatGPT Plus.

The Italian authority also says that it has run some tests, following which ChatGPT has provided inaccurate replies related to personal data, another potential breach of the EU data protection rulebook.

Moreover, the decision points out that, while the internet service is directed to people older than 13 years old, there is no process in place to verify the age of the users, which might lead to children being exposed to content that is inappropriate for their level of development.

Vincenzo Tiani, a partner at the law firm Panetta & Associati, told EURACTIV that the Garante has been particularly attentive to protecting children’s data in the past years but that the point on data accuracy was more problematic to define.

“While there is a principle to data accuracy in the GDPR, it is also true that the regulation says that the controller must do everything possible to correct inaccurate data. In a system like ChatGPT, this can be technically complicated, given the unpredictable nature of algorithms,” Tiani said.

For Brando Benifei, one of the MEPs spearheading the work on the EU’s AI Act, the decision of the Italian authorities shows that Artificial Intelligence needs serious regulation.

“OpenAI must comply with the decision. The fundamental rights of European citizens must be protected,” Befiei said on Twitter.

OpenAI now has 20 days to inform the authority about the corrective measures taken in response to the decision or face an administrative fine equal to €20 million or 4% of the global annual turnover.

OpenAI did not reply to EURACTIV’s request for comment by the time of publication.

Julia Tar contributed to the reporting

[Edited by Alice Taylor]


About the author

Related Post

Leave a comment

Your email address will not be published. Required fields are marked *