/>iAt the end of 2024 the Italian Data Protection Authority issued a 15 million euro fine in the first generative AI-related case brought under GDPR. According to Garante (the Italian authority), OpenAI trained ChatGPT with users’ personal data without first identifying a proper legal basis for the activity, as required under GDPR. The Order also alleges that OpenAI failed to notify Garante about a data breach the company experienced in March 2023. Additionally, the Order states that OpenAI did not provide proper age verification mechanisms for users under age 13.
In addition to the fine, OpenAI must also conduct a six-month public education campaign on how ChatGPT works and how data is used to train AI products. The campaign must also provide individuals with information about their rights and how to exercise their rights. OpenAI intends to appeal the decision.
This decision follows March 2023 temporary ban of ChatGPT in Italy. And in July 2023, the FTC issued a Civil Investigative Demand to OpenAI.
Putting it into Practice: While it is unclear the extent to which AI will receive the same type of scrutiny in the US that it did under the prior administration, this decision is a reminder that the EU regulators are keeping a close eye on AI activities, especially when personal data is used to train the tool.
