Italian regulators have informed OpenAI that its ChatGPT artificial intelligence chatbot has allegedly breached the European Union’s strict data privacy regulations, known as the General Data Protection Regulation (GDPR). The country’s data protection authority, Garante, initiated an investigation into ChatGPT last year, temporarily banning the chatbot in Italy. Following its “fact-finding activity,” Garante concluded that there were breaches of GDPR provisions.
OpenAI, headquartered in San Francisco, has been given 30 days to respond to the allegations. The company expressed its intention to collaborate with Italian regulators, asserting that its practices align with GDPR and other privacy laws. OpenAI stated that it actively works to minimize personal data in training systems like ChatGPT and rejects requests for private or sensitive information about individuals.
Last year, OpenAI claimed to have fulfilled conditions set by Garante to lift the ChatGPT ban. The ban was imposed due to concerns about exposed user messages and payment information, the lack of age verification, enabling inappropriate responses for children, and uncertainties regarding the legal basis for collecting massive amounts of data to train ChatGPT.
Generative AI systems like ChatGPT are facing increased regulatory scrutiny globally. The U.S. Federal Trade Commission recently launched an inquiry into the relationships between OpenAI, Anthropic, and tech giants Amazon, Google, and Microsoft. EU and UK competition regulators are also examining Microsoft’s investments in OpenAI. Additionally, the EU is finalizing the AI Act, the world’s first comprehensive rulebook for artificial intelligence, expected to be endorsed by member states.