Italy

[IT] The Italian Data Protection Authority blocks ClothOff

IRIS 2025-9:1/10

Laura Liguori & Chiara Ciapparelli

Portolano Cavallo

On 1 October 2025, the Italian Garante per la Protezione dei Dati Personali (Data Protection Authority - the Authority) adopted an urgent order against the company AI/Robotics Venture Strategy 3 Ltd., based in the British Virgin Islands, declaring unlawful the processing of personal data that the company carried out through its website ClothOff and immediately limiting the processing of personal data for Italian users.

ClothOff offers a generative AI service that allows users to digitally remove clothing from photos depicting people: users upload images of people and receive their fake nude versions. The service offers various editing options, such as pose changes and face swapping, creating sexually explicit content without consent from those pictured.

The Authority found that this service seriously threatens the fundamental rights and human dignity of data subjects, also violating the EU General Data Protection Regulation (GDPR). It identified three main violations:

First, the company failed to adopt effective measures to prevent minors from using the service or stop users from uploading photos of children.

Second, the company violated the GDPR’s principles on lawfulness, fairness and accountability by failing to implement proper technical and organisational measures for collecting and processing personal data, including biometric data of the people shown in the uploaded images.

Third, the watermark meant to show the AI-generated nature of the pictures was found inadequate by the Authority: according to the latter, the word “Fake” has such opacity as to be barely visible, making it easily removable. This violates the GDPR’s principles of fairness and accountability. Interestingly, the decision also mentions Recitals 133 and 134 of the EU Artificial Intelligence Act, which refer to Article 50 of the regulation, under which providers of AI systems must indicate that content is AI-generated. However, these provisions of the AI Act are not yet in force and the powers to sanction violations of the AI Act have been provided to the Italian Cybersecurity Agency according to the new Italian AI law. This approach shows the close intersection between the GDPR and the AI Act and the Authority's interest in generative AI-related matters.

In conclusion, the Authority's order sets another precedent in applying the GDPR to high-risk generative AI services, requiring companies to implement safeguards proportional to the risks they create.