OpenAI Ordered to Pay €15M Fine and Launch 6-Month Information Campaign in Italy 

Written by:
Lore Apostol
Cybersecurity & Streaming Writer

The Italian Data Protection Authority (DPA) has concluded a detailed investigation into OpenAI, resulting in substantial corrective actions and a €15 million fine. This decision stems from a comprehensive inquiry initiated in March 2023 following a data breach and growing concerns over OpenAI's generative AI services, specifically ChatGPT.

The investigation uncovered multiple violations of the General Data Protection Regulation (GDPR) in OpenAI's handling of personal user data. According to the DPA, OpenAI failed to notify the Authority of a data breach that occurred in March 2023, a critical lapse in compliance.

Additionally, OpenAI processed personal data to train ChatGPT without establishing an appropriate legal basis for this use, further contravening GDPR requirements.

The Authority also highlighted OpenAI's lack of transparency. Users were not sufficiently informed about how their personal data was being collected or processed, nor were they made aware of their rights to object, rectify, or delete their data. 

Furthermore, OpenAI's systems lacked mechanisms for age verification, which risked exposing children under 13 to content inappropriate for their level of developmental and cognitive understanding.

The DPA has imposed comprehensive corrective measures under Article 166(7) of the Italian Privacy Code to address these significant breaches. These include a mandated 6-month institutional communication campaign to be carried out via radio, television, newspapers, and the Internet. 

OpenAI must collaborate with the Authority to ensure the content appropriately informs the public about how ChatGPT processes user and non-user data, especially for model training purposes. 

The DPA calculated the €15 million fine in consideration of the severity of the violations while also recognizing OpenAI’s cooperative approach during the proceedings.

During the investigation, OpenAI established its European headquarters in Ireland, requiring the transfer of procedural oversight to the Irish Data Protection Commission (DPC), which sanctioned LinkedIn and Ryanair this year.

Social media giant X (formerly Twitter) also faces complaints in Europe for allegedly using personal data from over 60 million EU/EEA users to train its AI technologies without notice or asking for their consent.


