Italy

[IT] The Italian Data Protection Authority orders the temporary limitation of the processing activities undertaken by OpenAI LLC in relation to its ChatGPT services in the Italian territory

IRIS 2023-5:1/19

Laura Liguori & Eugenio Foco

Portolano Cavallo

Through Decision No. 112 of 30 March 2023 (“the Decision”) the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority — “the Authority”) ordered the temporary limitation of the data processing activities carried out in relation to ChatGPT services. The Decision was rendered against U.S. based company OpenAI LLC (“OpenAI”) in its capacity as data controller of the personal data processed through its ChatGPT services.

In particular, following vast media coverage of the ChatGPT service over the last few months, and the recent data breach involving users’ personal data and chat queries, the Authority initiated an urgent ex officio investigation and found that:

i. OpenAI was failing to provide information notices to users and data subjects whose personal data was being collected and processed through ChatGPT services;

ii. there was no proper legal basis in relation to the collection of personal data and its processing for the purpose of training the algorithms underlying the functioning of ChatGPT services;

iii. the processing of personal data of data subjects was inaccurate because the information provided through ChatGPT services did not always match actual data;

iv. there was an absence of any age-verification mechanism with reference to ChatGPT services which, according to the terms and conditions published by OpenAI, should be reserved only to users who were at least 13 years old. To that end, according to the Authority, the absence of filters for children under the age of 13 exposed them to responses that were totally inappropriate for their degree of development and self-awareness.

According to the Authority, its findings amounted to infringements of Article 5 (principles relating to processing of personal data), Article 6 (lawfulness of processing), Article 8 (conditions applicable to child’s consent in relation to information society services), Article13 (information to be provided where personal data are collected from the data subject) and Article 25 (data protection by design and by default) of the GDPR.

For that reason, the Authority ordered, on an urgent basis, and as a temporary measure pending the completion of the investigation, the temporary limitation of all processing activities undertaken through ChatGPT services concerning data subjects established in the Italian territory under Article 58(2)(f) GDPR. Such limitation was effective as of the moment the US based company, OpenAI, received the Decision.

The Authority also requested OpenAI to provide, within 20 days from when it received the Decision, any information concerning the steps it had undertaken to comply with the prescriptions set out in the Decision as well as to provide any other useful information justifying the contested infringements.

As a result of the temporary limitation, OpenAI has blocked access to Chat GPT services to users in Italy and has formally confirmed to the Authority its immediate willingness to cooperate in order to comply with the GDPR and to find a shared solution to address the alleged violations.